author photo
By Cam Sivesind
Mon | Oct 17, 2022 | 10:27 AM PDT

A low-cost Phishing-as-a-Service (PhaaS) platform that has an open registration process could allow just about anyone with email to become a cybercriminal.

Known as "Caffeine," the platform provides an intuitive interface and "a multitude of features and tools to its criminal clients to orchestrate and automate core elements of their phishing campaigns," according to a blog post by Mandiant.

While phishing campaigns are nothing new, this "as-a-service" approach is a bit concerning, as it makes it easier for people with nefarious intentions to access and use the type of attack. Accessibility equals vulnerability. Caffeine makes it easier for attackers to craft tailored phishing campaigns (or kits), control redirect pages and general payload-hosting URLs dynamically, and track campaign effectiveness.

Due to its open-access nature, Caffeine potentially could grow quickly in the number of users and subsequent attacks. Notably, the PhaaS toolkit comes with readymade templates for phishing emails targeting companies and agencies in Russia and China.

Caffeine also shows the sophistication that continues to occur in the cybercriminal realm, with underground leadership turning software selling into a profit-making enterprise. Bad actors can now purchase phishing software off the shelf rather than having to develop it themselves.

Users sign up for a core Caffeine account, pay for licensing, and then receive campaign infrastructure and configuration. Users can register for an account without significant disclosure of information and with no required external validation mechanism. Once licensed, users can pick and choose detailed configuration settings for use in their credentialed phishing campaigns—including dynamic URL schemas, campaign redirect pages, and final lure pages.

Besides relying on word of mouth to grow, Caffeine is advertised on underground forums dedicated to cybercrime, particularly on the Dark Web.

The main target for Caffeine users is Microsoft 365 login credentials, with phony sign-in pages installed on legitimate WordPress-based websites. Caffeine uses compromised admin accounts, websites that are configured improperly, and/or other errors in web-based platforms to install the kits. As the PhaaS platform grows, experts expect targets to grow beyond Microsoft 365 platforms.