Caffeine – A new phishing toolkit keeps us awake

M.Sc. Chris Wojzechowski


Caffeine is a phishing-as-a-service (PhaaS) toolkit. Just recently, we presented EvilProxy, another phishing toolkit. Unlike EvilProxy, Caffeine has a special feature: the registration process is significantly simplified and is accessible from the open Internet. Anyone who knows the address of the site can register.

The purpose of Caffeine

As a PhaaS, Caffeine does much of the work for potential attackers. Similar to EvilProxy, it comes with up-to-date templates for phishing emails and the pages behind them. In particular, extensive templates exist for the Microsoft 365 environment. Mandiant points this out in its detailed study of Caffeine.

Interestingly, templates were not only created for large Western companies, but also for Chinese and Russian companies. These templates enable users to quickly and easily plan phishing campaigns and attack companies.

The difference between Caffeine and EvilProxy

On the whole, Caffeine is not much different from EvilProxy. Both toolkits offer PhaaS and a subscription option. A three-month subscription costs $450, while a six-month Enterprise subscription costs $850. These prices are quite high, but the toolkit explicitly advertises customer support and various anti-detection and anti-analysis features. Unlike EvilProxy, registration is not handled via Telegram. There is also no need to visit darknet forums.

Payment is made via a cryptocurrency. Compared to EvilProxy, the barrier to use is thus reduced once again. URLs can be dynamically generated with variables, making detection even more difficult. With a large number of settings, the toolkit offers attackers the possibility to strongly customize their attacks. IP addresses or entire countries can be excluded from the phishing campaigns.

Phishing-as-a-Service becomes even easier to use with Caffeine

The fact that another toolkit for illegal phishing activities has appeared on the market shows how lucrative the phishing business is. Due to the multitude of possibilities, it is becoming increasingly difficult for users to detect phishing. The attacks continue to evolve.

AI-supported phishing will also become a problem in the future. Caffeine does not use any surprisingly new methods here. Phishing-as-a-service is also not a new phenomenon. What is worrying, however, is that the low barriers to entry are tempting more and more potential attackers to carry out illegal attacks and harm companies.


M.Sc. Chris Wojzechowski

My name is Chris Wojzechowski and I completed my Master's degree in Internet Security in Gelsenkirchen a few years ago. I am one of two managing directors of AWARE7 GmbH, a trained IT Risk Manager and IT-Grundschutz practitioner (TÜV), and I possess the test procedure competence for § 8a BSIG. Our bread-and-butter business is performing penetration testing. We are also committed to promoting a broad understanding of IT security in Europe, which is why we offer the majority of our products free of charge.