‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA
The Evolution of Phishing: Starkiller Raises the Bar
Phishing, a cybercrime tactic that involves tricking victims into divulging sensitive information, has been a persistent threat to online security for decades. While traditional phishing methods often rely on static copies of login pages, a new phishing-as-a-service offering called Starkiller has taken the game to a whole new level. Starkiller dynamically loads a live copy of the real login page, records everything the user types, and proxies the data from the legitimate site back to the victim.
How Starkiller Works
According to an analysis by the security firm Abnormal AI, Starkiller allows customers to select a brand to impersonate (e.g., Apple, Facebook, Google, Microsoft, etc.) and generates a deceptive URL that visually mimics the legitimate domain while routing traffic through the attacker's infrastructure. For example, a phishing link targeting Microsoft customers appears as "login.microsoft.com@[malicious/shortened URL here]."
The "@" sign in the link is an oldie but goodie, because everything before the "@" in a URL is treated as username data (the userinfo component), and the real landing page is whatever host comes after the "@" sign. Here's what it looks like in the target's browser:
Image: Abnormal AI. The actual malicious landing page is blurred out in this picture, but we can see it ends in .ru.
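The "@" trick is easy to check for mechanically, because a URL parser already knows where the userinfo ends and the real host begins. The following is an added example, not code from the article or from Abnormal AI: it parses a link the way a browser's URL parser would, reports the host that would actually be contacted, and flags links whose userinfo is a well-known login hostname (or merely looks like a hostname). The brand watchlist and all sample links are constructed for illustration; the hosts after the "@" are placeholders, not indicators from the article.

```python
"""Spot the "@" userinfo trick in links before a user clicks.

Per RFC 3986, everything between "scheme://" and the "@" in the authority is the
userinfo component, not the host. A browser connects to whatever follows the "@".
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed watchlist of brand login hosts (extend for your own environment).
BRAND_LOGIN_HOSTS = {
    "login.microsoft.com",
    "login.microsoftonline.com",
    "accounts.google.com",
    "www.facebook.com",
    "appleid.apple.com",
}

# Userinfo that reads like a DNS hostname rather than a username.
_HOSTLIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def effective_host(url: str) -> Optional[str]:
    """Return the host a browser would actually connect to (lowercased), or None."""
    return urlsplit(url).hostname


def userinfo_of(url: str) -> Optional[str]:
    """Return the raw userinfo (text before the last '@' in the authority), or None."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return None
    return netloc.rsplit("@", 1)[0]


def analyze_link(url: str) -> dict:
    """Classify one link as 'clean', 'suspicious' or 'lookalike' with a reason."""
    host = effective_host(url)
    info = userinfo_of(url)
    result = {"url": url, "host": host, "userinfo": info, "verdict": "clean", "reason": ""}
    if info is None:
        return result
    # Credentials embedded in links are rare in legitimate mail; surface them regardless.
    result["verdict"] = "suspicious"
    result["reason"] = "userinfo present in http(s) link"
    shown = info.split(":", 1)[0].lower()  # drop any password part of user:pass
    if shown in BRAND_LOGIN_HOSTS:
        result["verdict"] = "lookalike"
        result["reason"] = f"userinfo impersonates {shown}; real host is {host}"
    elif _HOSTLIKE.match(shown):
        result["verdict"] = "lookalike"
        result["reason"] = f"userinfo looks like a hostname ({shown}); real host is {host}"
    return result


# Constructed sample links; ".example" hosts are placeholders.
SAMPLE_LINKS = [
    "https://login.microsoft.com@phish.example/",        # brand host hidden in userinfo
    "https://login.microsoft.com/",                      # genuine link, no userinfo
    "https://accounts.example.net@short.example/abc",    # hostname-shaped userinfo
    "https://user:pass@intranet.example/",               # ordinary credentials in URL
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = analyze_link(link)
        print(f"{r['verdict']:<10} host={r['host']!s:<20} {r['reason']}")
```

Running the script shows that the first link connects to `phish.example`, not Microsoft, even though the brand name is the first thing a reader sees. A mail filter or link-rewriting gateway can apply the same split to every http(s) link and quarantine or annotate anything that comes back as `lookalike`.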
Once Starkiller customers select the URL to be phished, the service spins up a Docker container running a headless Chrome browser instance that loads the real login page, Abnormal found. "The container then acts as a man-in-the-middle reverse proxy, forwarding the end user's inputs to the legitimate site and returning the site's responses," Abnormal researchers Callie Baron and Piotr Wojtyla wrote in a blog post on Thursday. "Every keystroke, form submission, and session token passes through attacker-controlled infrastructure and is logged along the way."
Real-Time Session Monitoring and MFA Bypass
Starkiller in effect offers cybercriminals real-time session monitoring, allowing them to live-stream the target's screen as they interact with the phishing page, the researchers said. "The platform also includes keylogger capture for every keystroke, cookie and session token theft for direct account takeover, geo-tracking of targets, and automated Telegram alerts when new credentials come in," they wrote. "Campaign analytics round out the operator experience with visit counts, conversion rates, and performance graphs—the same kind of metrics dashboard a legitimate SaaS platform would offer."
Abnormal said the service also deftly intercepts and relays the victim's MFA credentials, since the recipient who clicks the link is actually authenticating with the real site through a proxy, and any authentication tokens submitted are then forwarded to the legitimate service in real time. "The attacker captures the resulting session cookies and tokens, giving them authenticated access to the account," the researchers wrote. "When attackers relay the entire authentication flow in real time, MFA protections can be effectively neutralized despite functioning exactly as designed."
The Rise of Enterprise-Style Cybercrime Tooling
Starkiller is just one of several cybercrime services offered by a threat group calling itself Jinkusu, which maintains an active user forum where customers can discuss techniques, request features, and troubleshoot deployments. One a-la-carte feature harvests email addresses and contact information from compromised sessions, and the service advises that this data can be used to build target lists for follow-on phishing campaigns.
This service strikes me as a remarkable evolution in phishing, and its apparent success is likely to be copied by other enterprising cybercriminals (assuming the service performs as well as it claims). After all, phishing users this way avoids the upfront costs and constant hassles associated with juggling multiple phishing domains, and it throws a wrench in traditional phishing detection methods like domain blocklisting and static page analysis.
The Implications of Starkiller
Starkiller represents a significant escalation in phishing infrastructure, reflecting a broader trend toward commoditized, enterprise-style cybercrime tooling, Abnormal researchers observed. "Combined with URL masking, session hijacking, and MFA bypass, it gives low-skill cybercriminals access to attack capabilities that were previously out of reach," they wrote.
The implications of Starkiller are far-reaching. As phishing becomes both more sophisticated and easier to execute, more individuals and organizations are likely to fall victim to these attacks. The real-time session monitoring and MFA bypass capabilities are especially concerning, because they let attackers gain access to sensitive information and systems with little effort.
Conclusion
Starkiller is a game-changing phishing-as-a-service offering that has taken the cybercrime landscape to a whole new level. Its ability to dynamically load a live copy of the real login page, record everything the user types, and proxy the data from the legitimate site back to the victim makes it a formidable tool for attackers, and its real-time session monitoring and MFA bypass capabilities compound the concern.
As the threat landscape continues to evolve, it's essential for individuals and organizations to stay vigilant and take proactive measures to protect themselves against these types of attacks. This includes implementing robust security measures, educating users about phishing tactics, and staying up-to-date with the latest threats and vulnerabilities.
Ultimately, the rise of Starkiller and other similar phishing-as-a-service offerings highlights the need for a more comprehensive and proactive approach to cybersecurity. By working together, we can stay one step ahead of these threats and protect ourselves against the evolving cybercrime landscape.
Source: https://krebsonsecurity.com/2026/02/starkiller-phishing-service-proxies-real-login-pages-mfa/