‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA

A sophisticated phishing-as-a-service tool called 'Starkiller' has emerged, enabling cybercriminals to bypass traditional phishing detection by proxying victims through legitimate websites while capturing credentials and MFA tokens in real-time. Developed by the threat group Jinkusu, the service loads authentic brand login pages (targeting Apple, Facebook, Google, Microsoft) through a reverse proxy architecture that defeats MFA despite the protection functioning correctly. The platform includes keylogging, session/cookie theft, geo-tracking, live screen monitoring, and automated Telegram alerts for credential harvesting. Starkiller dramatically lowers the barrier to entry for novice cybercriminals by eliminating the need to configure phishing infrastructure. Organizations should implement hardware security keys, certificate transparency monitoring, and user awareness training to mitigate this evolving threat landscape.

Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand's real website, and then acts as a relay between the target and the legitimate site -- forwarding the victim's username, password and multi-factor authentication (MFA) code to the legitimate site and returning its responses.

A sophisticated phishing-as-a-service tool called 'Starkiller' has emerged, enabling cybercriminals to bypass traditional phishing detection by proxying victims through legitimate websites while capturing credentials and MFA tokens in real-time. Developed by the threat group Jinkusu, the service loads authentic brand login pages (targeting Apple, Facebook, Google, Microsoft) through a reverse proxy architecture that defeats MFA despite the protection functioning correctly. The platform includes keylogging, session/cookie theft, geo-tracking, live screen monitoring, and automated Telegram alerts for credential harvesting. Starkiller dramatically lowers the barrier to entry for novice cybercriminals by eliminating the need to configure phishing infrastructure. Organizations should implement hardware security keys, certificate transparency monitoring, and user awareness training to mitigate this evolving threat landscape. Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand's real website, and then acts as a relay between the target and the legitimate site -- forwarding the victim's username, password and multi-factor authentication (MFA) code to the legitimate site and returning its responses. Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand’s real website, and then acts as a relay between the victim and the legitimate site — forwarding the victim’s username, password and multi-factor authentication (MFA) code to the legitimate site and returning its responses. There are countless phishing kits that would-be scammers can use to get started, but successfully wielding them requires some modicum of skill in configuring servers, domain names, certificates, proxy services, and other repetitive tech drudgery. Enter Starkiller , a new phishing service that dynamically loads a live copy of the real login page and records everything the user types, proxying the data from the legitimate site back to the victim. According to an analysis of Starkiller by the security firm Abnormal AI , the service lets customers select a brand to impersonate (e.g., Apple, Facebook, Google, Microsoft et. al.) and generates a deceptive URL that visually mimics the legitimate domain while routing traffic through the attacker’s infrastructure. For example, a phishing link targeting Microsoft customers appears as “login.microsoft.com@[malicious/shortened URL here].” The “@” sign in the link trick is an oldie but goodie, because everything before the “@” in a URL is considered username data, and the real landing page is what comes after the “@” sign. Here’s what it looks like in the target’s browser: Image: Abnormal AI. The actual malicious landing page is blurred out in this picture, but we can see it ends in .ru. The service also offers the ability to insert links from different URL-shortening services. Once Starkiller customers select the URL to be phished, the service spins up a Docker container running a headless Chrome browser instance that loads the real login page, Abnormal found. “The container then acts as a man-in-the-middle reverse proxy, forwarding the end user’s inputs to the legitimate site and returning the site’s responses,” Abnormal researchers Callie Baron and Piotr Wojtyla wrote in a blog post on Thursday . “Every keystroke, form submission, and session token passes through attacker-controlled infrastructure and is logged along the way.” Starkiller in effect offers cybercriminals real-time session monitoring, allowing them to live-stream the target’s screen as they interact with the phishing page, the researchers said. “The platform also includes keylogger capture for every keystroke, cookie and session token theft for direct account takeover, geo-tracking of targets, and automated Telegram alerts when new credentials come in,” they wrote. “Campaign analytics round out the operator experience with visit counts, conversion rates, and performance graphs—the same kind of metrics dashboard a legitimate SaaS [software-as-a-service] platform would offer.” Abnormal said the service also deftly intercepts and relays the victim’s MFA credentials, since the recipient who clicks the link is actually authenticating with the real site through a proxy, and any authentication tokens submitted are then forwarded to the legitimate service in real time. “The attacker captures the resulting session cookies and tokens, giving them authenticated access to the...