Introduction

A new readily available Phishing-as-a-Service (PhaaS) campaign has been recently identified. Featuring an open registration process, it allows anyone to jump in and start their own phishing campaigns. Dubbed ‘’Caffeine’’, the platform has an intuitive interface and comes at a relatively low cost. It provides wannabe hackers with a number of features and tools to conduct and automate the focus of their phishing campaigns.

PhaaS platforms usually utilise narrow, somewhat hidden channels to communicate with potential hackers such as underground forums or encrypted messaging services, many even look for an endorsement or referral before accepting a new user. Caffeine, on the other hand, has an entirely open registration process meaning anyone with an email can access the platform.

How the tool works?

The features Caffeine provides include self-service mechanisms to create customized phishing kits, manage intermediary redirect pages and final-stage lure pages, dynamically generate URLs for hosted malicious payloads, and track campaign email activity. The tools platform also provides phishing email templates for use against Chinese and Russian targets, which is uncommon for such phishing services.

Right now, the templates only target Microsoft Office 365 login pages, via the theft of login credentials. This is done via malicious login windows hosted by WordPress.

Through a Microsoft 365 hack, a malicious actor can access all kinds of data, from private communications, to images and videos, to sensitive documents. From here, a cybercriminal could either use the information directly for their own benefit or sell it on an illicit marketplace to other threat actors.

While the templates currently only target Microsoft Office 365 login pages, the platform’s operators are likely to add more templates to expand the scope of the kit soon.

Caffeine is fully subscription based and does not support perpetual use licenses. The base subscription costs $250 a month (compared to the average PhaaS platform costing from $50-$80), depending on the features. Anti-detection, anti-analysis systems, and customer support services are included.

How to mitigate against ‘Caffeine’ and other PhaaS tools

– Multi-factor authentication

Multi-factor authentication is where the user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. Implementing MFA provides an additional layer of security to help reduce the likelihood of a successful spearing attack. Make sure you turn on MFA on all your online accounts – personal and professional ones!

– Educational campaigns

At the organisational level, enterprises can raise awareness and actively train employees and highlight spear phishing attacks as a high-risk threat. Training materials can feature real-life examples of spear phishing, with questions designed to test employee knowledge. Employees who are aware of spear phishing are less likely to fall victim to an attack.

– Implement Phishing Defence Capabilities

Even with the best security procedures in place, phishing emails will end up in your users email boxes. Organisations need a fast and easy way of reporting and investigating these suspicious emails.NoPhish by Smarttech247 identifies and investigates even the most complex phishing attempts to remove the threat from your organisation in real-time. Your users can report a suspicious email with just one click, keeping the whole organisation safe. NoPhish is a simple Office 365 app integration that can be deployed in minutes. NoPhish also hunts for the same reported email in other users’ inbox to ensure that the whole organisation is safe.

Prevention measures for detecting can aid in mitigating against PhaaS platforms such as Caffeine. However, it is a constant battle of cat and mouse against an ever-evolving opponent. As quickly as one aspect of an operation can be combatted against a new infrastructure or feature develops.

Summary

Phishing remains a very common attack method for threat actors. The emergence of the Caffeine platform further highlights that the tools required for even a low-level attacker are cheap to acquire, simple to use, and readily available. Successful phishing protection requires a layered approach to maximise detection. Defences start with email and DNS filtering techniques to block known threats, supported by next-generation anti-malware software. Next, detecting novel threats and countering advanced persistent threats requires more comprehensive detection techniques supported by threat intelligence. Finally, employee security awareness training and exercises are essential. They will reduce the likelihood of users falling for a phishing message that reaches their inbox.