A phishing-as-a-service (PhaaS) platform called Caffeine is unlike others in that it offers an open registration process, requiring neither invitations nor referrals, allowing anyone who registers to access all the tools one could need to launch a phishing attack. “Phishing is one of the most popular attack vectors, and its use has only increased,” commented Avast Security Evangelist Luis Corrons. “Sadly, cybercrime has become a mature industry with different players specialized in different tasks, from stealing credentials to laundering money. PhaaS allows untrained cybercriminals to access powerful information-stealing tools.”

The phishing tools offered by Caffeine include self-service mechanisms that can be used to craft customized phishing kits, manage intermediary redirect pages and final-stage lure pages, dynamically generate URLs for hosted malicious payloads, and track campaign email activity. Caffeine’s templates mostly target Russian and Chinese platforms, but researchers worry that if more templates are added, the site could become exceedingly dangerous. See BleepingComputer for more. 

BeReal has massive installs but few daily users

According to market intelligence company Sensor Tower, social media app BeReal has topped 53 million installs, but only 9% of its active Android installs are opening the app every day. Typically, many users install apps out of curiosity, then abandon them due to lack of interest. An app’s popularity is more precisely measured by the amount of daily users. Instagram leads this category with 39% of its active installs opening the app every day. TikTok comes in second at 29%, followed by Facebook at 27%, Snapchat at 26%, YouTube at 20%, and Twitter at 18%. For more on this, see TechCrunch. 

Google Chat upgrades coming soon

In an effort to compete with Microsoft Teams, Slack, and even Zoom Team Chat, Google announced that enhancements to Google Chat will soon be coming to Workspace. New features will include message threading later this month and custom emoji creation later this year. Next year, Workspace will introduce “broadcast-only” spaces to optimize presentations, as well as roll out APIs that will allow other apps to create and start meetings in Meet and initiate messages in Chat. Google also announced extra security features that help prevent sensitive information leaks. See The Verge to learn more. 

Toyota data breach exposes source code, email addresses

Toyota disclosed a security incident where a subcontractor uploaded Toyota source code to a GitHub repository that was inadvertently set to public access. The source code contained an access key to a server where customer information such as email addresses were stored. The company stated that up to 300,000 customer email addresses may have been compromised, though it is yet undetermined whether or not any third party has used the access key. No other customer information, such as names, phone numbers, or credit card details were stored on the server. Toyota has started sending out apology letters to affected customers. For more, see SecurityWeek.

BazarCall tricks victims into calling a number

Active since at least 2020, BazarCall campaigns involve social engineering schemes where victims are tricked into calling a phone line for help and being led through steps that install malware on their own systems. The phishing scam begins with bait in the form of an email that tells the potential victim that they have been charged for the purchase or renewal of an online service. A phone number is provided for any queries. When users call the number, they get a bad actor, actually acting, who tries to use any number of social engineering techniques to direct them to a website, have them download a (malicious) file, and execute it. The attackers then have remote access to the victim’s system. See the report by Trellix for more details. 

This week’s must-read on the Avast blog 

Smishing, or phishing carried out using SMS text messages, is once again on the rise, according to new IRS reports. Here's what to do to avoid being a victim.