‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA

Security researchers at Abnormal AI have identified 'Starkiller,' a sophisticated phishing-as-a-service (PhaaS) platform that represents a significant evolution in credential theft. Unlike traditional phishing kits that host static fake pages, Starkiller dynamically loads legitimate brand login pages through a reverse proxy architecture, effectively neutralizing MFA protections while maintaining the full authentication flow. The service employs Docker containers with headless Chrome browsers and uses URL masking techniques (including the '@' sign trick) to deceive targets. Keylogging, session token theft, geo-tracking, and real-time Telegram alerts are included features. Operated by the threat group 'Jinkusu,' this platform dramatically lowers the barrier to entry for cybercriminals and undermines traditional anti-phishing defenses like domain blocklisting and static page analysis. Organizations should prioritize FIDO2/WebAuthn authentication and implement behavioral detection mechanisms to counter this threat.

Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand's real website, and then acts as a relay between the target and the legitimate site -- forwarding the victim's username, password and multi-factor authentication (MFA) code to the legitimate site and returning its responses.

Security researchers at Abnormal AI have identified 'Starkiller,' a sophisticated phishing-as-a-service (PhaaS) platform that represents a significant evolution in credential theft. Unlike traditional phishing kits that host static fake pages, Starkiller dynamically loads legitimate brand login pages through a reverse proxy architecture, effectively neutralizing MFA protections while maintaining the full authentication flow. The service employs Docker containers with headless Chrome browsers and uses URL masking techniques (including the '@' sign trick) to deceive targets. Keylogging, session token theft, geo-tracking, and real-time Telegram alerts are included features. Operated by the threat group 'Jinkusu,' this platform dramatically lowers the barrier to entry for cybercriminals and undermines traditional anti-phishing defenses like domain blocklisting and static page analysis. Organizations should prioritize FIDO2/WebAuthn authentication and implement behavioral detection mechanisms to counter this threat. Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand's real website, and then acts as a relay between the target and the legitimate site -- forwarding the victim's username, password and multi-factor authentication (MFA) code to the legitimate site and returning its responses. Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand’s real website, and then acts as a relay between the victim and the legitimate site — forwarding the victim’s username, password and multi-factor authentication (MFA) code to the legitimate site and returning its responses. There are countless phishing kits that would-be scammers can use to get started, but successfully wielding them requires some modicum of skill in configuring servers, domain names, certificates, proxy services, and other repetitive tech drudgery. Enter Starkiller , a new phishing service that dynamically loads a live copy of the real login page and records everything the user types, proxying the data from the legitimate site back to the victim. According to an analysis of Starkiller by the security firm Abnormal AI , the service lets customers select a brand to impersonate (e.g., Apple, Facebook, Google, Microsoft et. al.) and generates a deceptive URL that visually mimics the legitimate domain while routing traffic through the attacker’s infrastructure. For example, a phishing link targeting Microsoft customers appears as “login.microsoft.com@[malicious/shortened URL here].” The “@” sign in the link trick is an oldie but goodie, because everything before the “@” in a URL is considered username data, and the real landing page is what comes after the “@” sign. Here’s what it looks like in the target’s browser: Image: Abnormal AI. The actual malicious landing page is blurred out in this picture, but we can see it ends in .ru. The service also offers the ability to insert links from different URL-shortening services. Once Starkiller customers select the URL to be phished, the service spins up a Docker container running a headless Chrome browser instance that loads the real login page, Abnormal found. “The container then acts as a man-in-the-middle reverse proxy, forwarding the end user’s inputs to the legitimate site and returning the site’s responses,” Abnormal researchers Callie Baron and Piotr Wojtyla wrote in a blog post on Thursday . “Every keystroke, form submission, and session token passes through attacker-controlled infrastructure and is logged along the way.” Starkiller in effect offers cybercriminals real-time session monitoring, allowing them to live-stream the target’s screen as they interact with the phishing page, the researchers said. “The platform also includes keylogger capture for every keystroke, cookie and session token theft for direct account takeover, geo-tracking of targets, and automated Telegram alerts when new credentials come in,” they wrote. “Campaign analytics round out the operator experience with visit counts, conversion rates, and performance graphs—the same kind of metrics dashboard a legitimate SaaS [software-as-a-service] platform would offer.” Abnormal said the service also deftly intercepts and relays the victim’s MFA credentials, since the recipient who clicks the link is actually authenticating with the real site through a proxy, and any authentication tokens submitted are then forwarded to the legitimate service in real time. “The attacker...