Starkiller Phishing Service Proxies Real Login Pages and MFA

By alex2404

A phishing service called Starkiller has emerged that proxies real login pages in real time, capturing usernames, passwords, and multi-factor authentication codes as victims type them — bypassing one of the primary defenses the security industry has long relied upon.

Unlike conventional phishing kits that serve static copies of login pages, Starkiller loads the actual target website through a Docker container running a headless Chrome browser. That container acts as a man-in-the-middle reverse proxy, sitting between the victim and the legitimate site and forwarding everything back and forth. The victim interacts with what appears to be a real site — because it essentially is one.

How the Attack Works

Customers of the service select a brand to impersonate — Apple, Facebook, Google, Microsoft, and others are available — and the platform generates a deceptive URL designed to mimic the legitimate domain visually. The link exploits an old browser behavior: in the authority part of a URL, everything before an “@” symbol is treated as userinfo (a username, optionally with a password), while the actual destination host is whatever follows the “@”. A link targeting Microsoft users, for example, would display “login.microsoft.com@[malicious URL]” in the address bar, with the trusted-looking name being nothing more than a discarded username.
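The userinfo trick described above is easy to spot mechanically once you parse the URL the way a browser does: the host is whatever follows the last “@” in the authority, and anything before it is a username. The following is an added defensive example (not code from the article, from Abnormal AI, or from the Starkiller service) that parses candidate links and flags those whose userinfo looks like a well-known login hostname while the real destination is somewhere else. The list of sensitive hosts and the sample message lines are constructed for the demonstration; the real destination is reported so an analyst can see where the link actually goes.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed list of login hosts a defender would treat as sensitive.
# Any URL whose userinfo impersonates one of these brands while resolving
# elsewhere is treated as a decoy link.
SENSITIVE_HOSTS = {
    "login.microsoft.com",
    "login.microsoftonline.com",
    "accounts.google.com",
    "appleid.apple.com",
    "www.facebook.com",
}

# Registrable brand domains derived from the list above, e.g. "microsoft.com".
BRAND_DOMAINS = {".".join(h.split(".")[-2:]) for h in SENSITIVE_HOSTS}

# Simple extractor for absolute http(s) links embedded in text (assumed format).
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def analyze_url(url: str) -> dict:
    """Split a URL the way a browser does and report the real host and any
    decoy hostname hiding in the userinfo component."""
    parts = urlsplit(url)
    netloc = parts.netloc
    # Everything before the last '@' is userinfo; browsers discard it when
    # connecting, so it never influences where the request actually goes.
    userinfo = netloc.rpartition("@")[0] if "@" in netloc else ""
    # urlsplit().hostname is taken from after the last '@' and excludes the port.
    real_host = (parts.hostname or "").lower()
    # Drop any "password" part and percent-decoding before comparing.
    decoy = unquote(userinfo.split(":", 1)[0]).lower()
    looks_like_host = "." in decoy
    impersonates = looks_like_host and any(
        decoy == d or decoy.endswith("." + d) for d in BRAND_DOMAINS
    )
    return {
        "url": url,
        "real_host": real_host,
        "decoy_host": decoy,
        "suspicious": impersonates,
    }


def find_decoy_links(lines):
    """Scan text lines (e.g. extracted from a suspicious email) and return
    (line_number, url, real_host) for every link that uses a brand hostname
    as a decoy in its userinfo."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            result = analyze_url(url)
            if result["suspicious"]:
                hits.append((n, url, result["real_host"]))
    return hits


# Constructed sample lines: one decoy link, one legitimate login link, and
# one ordinary use of userinfo (a deploy token for a git remote).
SAMPLE_LINES = [
    "Verify your account: https://login.microsoft.com@verify-portal.example/auth",
    "Docs: https://login.microsoft.com/common/oauth2/v2.0/authorize",
    "Clone: https://deploy:token@git.example.org/repo.git",
]

if __name__ == "__main__":
    for line_no, url, host in find_decoy_links(SAMPLE_LINES):
        print(f"line {line_no}: decoy link, real destination is {host}: {url}")
```

The check is deliberately narrow: it only fires when the userinfo contains a dot and ends in one of the listed brand domains, so legitimate `user:token@host` credentials in URLs do not trip it. Links that have been passed through a URL shortener, as the article notes the service does, will not carry the “@” until they are expanded, so this logic belongs after shortener resolution in a mail or proxy pipeline.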

According to researchers Callie Baron and Piotr Wojtyla at security firm Abnormal AI, “every keystroke, form submission, and session token passes through attacker-controlled infrastructure and is logged along the way.” The platform also integrates URL-shortening services to further obscure the malicious destination.

MFA Is Not a Shield Here

The attack neutralizes MFA because the victim is, in effect, authenticating directly with the real service through the proxy. Any one-time codes or authentication tokens the victim submits travel to the legitimate site in real time, and the resulting session cookies come back through the attacker’s infrastructure. The attacker captures those cookies and gains authenticated access to the account without ever needing the victim’s password again.

As the Abnormal researchers put it: “When attackers relay the entire authentication flow in real time, MFA protections can be effectively neutralized despite functioning exactly as designed.”

A Full Operator Dashboard

Starkiller is built less like a hacker tool and more like a commercial SaaS product. Operators get real-time screen streaming of victim sessions, a keylogger, cookie and session token theft, geo-tracking, and automated Telegram alerts when new credentials are captured. A campaign analytics dashboard displays visit counts, conversion rates, and performance graphs.

An optional add-on harvests email addresses and contact information from compromised sessions, with the stated purpose of building target lists for follow-on phishing campaigns.

The Group Behind It

Starkiller is one of several services operated by a threat group calling itself Jinkusu, which runs an active user forum where customers troubleshoot deployments, request features, and share techniques. The forum structure suggests an organized criminal enterprise with a support infrastructure, not a one-off tool released into the wild.

What separates this service from older phishing kits is the elimination of technical overhead. Configuring servers, certificates, proxy chains, and domain records previously required meaningful skill. Starkiller abstracts all of that away, lowering the barrier for anyone willing to pay.


This article is a curated summary based on third-party sources.
