Mandiant researchers discovered
threat actors using a shared
Phishing-as-a-Service (PhaaS)
platform called Caffeine. The experts
noticed that the toolkit has an
intuitive interface and supports
multiple features that allow
customers to easily arrange
phishing campaigns.
The service includes self-service
mechanisms to craft customized
phishing kits, manage intermediary
redirect pages and final-stage lure
pages, dynamically generate URLs
for hosted malicious payloads, and
track campaign email activity.
Unlike most PhaaS platforms,
Caffeine features an entirely open
registration process, which means that
anyone with an email address can register
for its services.
The toolkit provides templates for a
broad range of targets, including
Chinese and Russian organizations,
which is quite uncommon in the
cybercrime ecosystem.
Caffeine is advertised on multiple
underground cybercrime forums, and its
subscription models are more
expensive than those of other
PhaaS platforms. A monthly base
subscription costs approximately
$250, while the cost of other PhaaS
ranges between $50 and $80. A
subscription for three months
(Professional) costs $250, while a
six-month license (Enterprise) goes
for $850.
One of the phishing campaigns
analyzed by Mandiant, which relied
on the Caffeine toolkit, aimed at
stealing Microsoft 365 credentials.
Landing pages were hosted on
legitimate WordPress sites that were
previously compromised.
Landing pages observed by the
researchers are currently limited
to Microsoft 365 credential
harvesting lures, but experts believe
that the author of the toolkit will
support additional phishing pages in
the future in response to customer
demand.