Cybersecurity

‘Caffeine’ phishing service offers end-user perks for future customers

Even phishers want to offer good customer service.
Francis Scialabba

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

If these phishers had a mug, it might say: “Don’t talk to me ’til I’ve sent my malware.”

A phishing-as-a-service (PhaaS) platform called Caffeine, detailed in a recent report from Mandiant, is unusual in its ease-of-use features: perks like an open-registration model, customer-service support, and a reasonable cost.

“There are different levels of support that you can expect from different phishing-as-a-service platform providers. And it seems that these guys had one on the higher end,” said Adrian McCabe, senior security analyst, managed defense, at Mandiant.

Caffeine perks. Caffeine’s phishing kits send out a phony Microsoft 365 login page—one designed to gather credentials.

The campaign was discovered in March 2022, after a suspicious email reached a European architectural firm. Mandiant’s report revealed a level of customer care one might not expect from a seller of such shady wares:

  • Everyone’s welcome. Anyone with the URL and email can register for a Caffeine account—no referrals or underground forums needed. “Unlike most PhaaS platforms Mandiant encounters, Caffeine is somewhat unique in that it features an entirely open registration process,” read the report.
  • Support. A misconfiguration error message, found by Mandiant, connected attackers to a troubleshooting link—“an admirable dedication to user experience on the part of the Caffeine engineers,” said the Mandiant researchers.
  • Price. The service costs $250 per month. By contrast, a September 2021 Microsoft report showed that the PhaaS service BulletProofLink offered one-off links for $50 and monthly subscriptions for up to $800.
  • Customization. Users can create dynamic URL schemas to generate pages with potential victim information pre-populated.

Mandiant’s M-Trends 2022 report showed that about 9% of observed intrusions were caused by credential theft. A Ponemon Institute study in 2021 found that phishing attacks cost large organizations almost $15 million annually, or $1,500 per employee.

To get that kind of money, PhaaS makers often emphasize that capital S: the service.

“There are services out there that are available to take potential phishing emails, and they’ll review them, fix the grammar mistakes, the spelling mistakes, and guarantee increased click rates. I mean, these things are being run like marketing programs for traditional, real organizations,” said Erich Kron, a security awareness advocate at training provider KnowBe4.

Recommendations. Because Caffeine hides its code, McCabe recommends looking for anomalous, obfuscated JavaScript or PHP files alongside a legitimate branding icon—a sign that phishers are trying to create a cloned login page with recognizable, familiar logos.
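The host-side check McCabe describes, turned into a small scanner, as an added example that is not code from the article or from Mandiant. It walks a web root, only looks at directories that also contain a brand-named icon file, and scores each PHP or JavaScript file there against a handful of common obfuscation indicators (eval, base64_decode, long packed blobs) plus byte entropy as supporting context. The brand-name tokens, the indicator patterns, and the sample tree it builds are all assumptions constructed for the demo, not artifacts from the report.

```python
"""Flag obfuscated PHP/JS files that sit beside brand icons in a web root.

Added defensive example; the indicators, brand tokens and sample files are
constructed assumptions, not artifacts from the Mandiant report.
"""
import base64
import math
import os
import re
import tempfile
from collections import Counter

SCRIPT_EXTS = {".php", ".js"}                          # script files to inspect
ICON_EXTS = {".png", ".ico", ".svg", ".jpg", ".gif"}   # files that count as icons

# Tokens that make an icon file name look brand-related (assumed list).
BRAND_HINTS = ("microsoft", "office", "365", "outlook", "logo", "favicon")

# Obfuscation indicators; each matching pattern adds one point to the score.
OBFUSCATION_PATTERNS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"\bbase64_decode\s*\("),
    re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("),
    re.compile(r"String\.fromCharCode"),
    re.compile(r"\batob\s*\("),
    re.compile(r"\\x[0-9a-fA-F]{2}(\\x[0-9a-fA-F]{2}){7,}"),  # long \x escape runs
    re.compile(r"[A-Za-z0-9+/=]{120,}"),                       # long base64-like blob
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; densely packed payloads score higher than plain source."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def obfuscation_score(text: str) -> int:
    """Number of obfuscation indicators present in the file text."""
    return sum(1 for p in OBFUSCATION_PATTERNS if p.search(text))


def has_brand_icon(names) -> bool:
    """True if any file name in the directory is a brand-named icon."""
    for name in names:
        root, ext = os.path.splitext(name.lower())
        if ext in ICON_EXTS and any(hint in root for hint in BRAND_HINTS):
            return True
    return False


def scan_webroot(webroot: str, min_score: int = 2) -> list:
    """Return (relative path, score, entropy) for suspicious scripts next to a brand icon."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        if not has_brand_icon(files):
            continue
        for name in files:
            if os.path.splitext(name.lower())[1] not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                raw = fh.read()
            score = obfuscation_score(raw.decode("utf-8", errors="replace"))
            if score >= min_score:
                rel = os.path.relpath(path, webroot).replace(os.sep, "/")
                findings.append((rel, score, round(shannon_entropy(raw), 2)))
    return sorted(findings)


def build_sample_webroot() -> str:
    """Constructed sample tree (not real phishing-kit files) for a dry run."""
    root = tempfile.mkdtemp(prefix="webroot_")
    blob = base64.b64encode(b"<?php /* packed payload stand-in */ ?>" * 4).decode()
    packed = f'<?php eval(base64_decode("{blob}")); ?>'.encode()
    layout = {
        "login/microsoft_logo.png": b"\x89PNG\r\n\x1a\n",   # brand-named icon stub
        "login/index.php": packed,                           # obfuscated, beside the icon
        "login/app.js": b"document.getElementById('f').addEventListener('submit', v);",
        "blog/logo.png": b"\x89PNG\r\n\x1a\n",
        "blog/theme.js": b"function toggle(el) { el.classList.toggle('dark'); }",
        "tools/packed.php": packed,                          # obfuscated but no icon beside it
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, score, ent in scan_webroot(build_sample_webroot()):
        print(f"{path}: obfuscation score={score}, entropy={ent}")
```

The co-location requirement is what keeps the noise down: packed code in a tooling directory is common and not interesting on its own, while packed code sitting next to a Microsoft-style logo is exactly the cloned-login-page pattern described above. Tune `BRAND_HINTS` to the brands your users actually sign in to.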

On the network side, look for a burst of activity within a short timeframe to two or more of the domains associated with Caffeine’s architecture (listed in the report).
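The network-side check, as an added example that is not code from the article or from Mandiant: a sliding-window pass over proxy or DNS log lines that raises an alert when one client contacts two or more watch-listed domains, with enough hits, inside a ten-minute window. The watch-list entries, the log format (timestamp, client, domain) and the log lines are constructed placeholders; substitute the domains from the report and your own log parser.

```python
"""Burst detection: one client hitting several watch-listed domains in a short window.

Added defensive example. WATCHLIST holds placeholder names standing in for the
domains listed in the report; SAMPLE_LOG is constructed, not captured traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WATCHLIST = {"kit-cdn.example", "panel.example", "redirector.example"}  # placeholders

# Assumed log shape: "<ISO-8601 UTC timestamp> <client IP> <domain>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

SAMPLE_LOG = [  # constructed sample lines
    "2022-03-14T09:00:05Z 10.0.0.5 panel.example",
    "2022-03-14T09:00:07Z 10.0.0.5 kit-cdn.example",
    "2022-03-14T09:00:09Z 10.0.0.12 intranet.example",
    "2022-03-14T09:00:20Z 10.0.0.5 panel.example",
    "2022-03-14T09:01:02Z 10.0.0.5 redirector.example",
    "2022-03-14T09:01:30Z 10.0.0.5 kit-cdn.example",
    "2022-03-14T09:05:00Z 10.0.0.9 kit-cdn.example",
    "this line is malformed and is skipped",
    "2022-03-14T14:00:00Z 10.0.0.9 panel.example",   # same client, hours later: no burst
]


def parse_log(lines):
    """Parse log lines into sorted (timestamp, client, domain) tuples; skip junk."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, domain = m.groups()
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append((when, client, domain.lower()))
    return sorted(events)


def find_bursts(events, watchlist=WATCHLIST, window=timedelta(minutes=10),
                min_domains=2, min_hits=5):
    """Return (client, window start, distinct domains, hits) per bursting client."""
    by_client = defaultdict(list)
    for when, client, domain in events:
        if domain in watchlist:
            by_client[client].append((when, domain))

    alerts = []
    for client, hits in by_client.items():
        hits.sort()
        best = None
        left = 0
        for right in range(len(hits)):
            # Slide the left edge so the window never exceeds `window`.
            while hits[right][0] - hits[left][0] > window:
                left += 1
            span = hits[left:right + 1]
            domains = {d for _, d in span}
            if len(domains) >= min_domains and len(span) >= min_hits:
                cand = (client, hits[left][0].isoformat(), len(domains), len(span))
                if best is None or cand[3] > best[3]:
                    best = cand       # keep the densest window per client
        if best is not None:
            alerts.append(best)
    return sorted(alerts)


def demo():
    """Run the detector over the constructed sample log."""
    return find_bursts(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for client, start, n_domains, n_hits in demo():
        print(f"{client}: {n_hits} hits to {n_domains} watch-listed domains from {start}")
```

Requiring both several distinct domains and a minimum hit count in the same window is what separates a victim walking through a kit's redirect chain from a single stray lookup; a client that touches one domain now and another hours later, like 10.0.0.9 in the sample, stays quiet.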

The phishing messages that reach employee inboxes are often the most convincing ones and not the kind that get filtered by email security gateways.

“We have to help people understand how to spot and preferably, within organizations, report these kinds of phishing attacks,” Kron told IT Brew.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.
