‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA
A new phishing-as-a-service platform called Starkiller uses real login pages instead of fake copies, proxying credentials and MFA codes between victims and legitimate sites — making it nearly impossible for users to detect.
How It Works
Unlike traditional phishing kits that use static copies of login pages, Starkiller dynamically loads the actual target website through a proxy. When a victim enters credentials and MFA codes, Starkiller forwards them to the legitimate site and relays the real response back.
The deception: the URLs use the "@" sign trick — e.g., "login.microsoft.com@[malicious-url].ru". Everything before the "@" looks like a legitimate domain, but under standard URL syntax that part of the authority is the userinfo (username) component; the host the browser actually connects to is whatever follows the "@".
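As an added illustration (not code from the article, from Krebs on Security, or from Abnormal AI), the following Python script shows how a defender can parse a URL with the standard library and flag the "@" pattern described above: a userinfo component that is shaped like a hostname, or that matches a watched brand, while the real host is something else. The sample URLs and the watched-brand list are constructed for this example; the attacker host is a placeholder. The check deliberately ignores URLs whose userinfo is an ordinary username (such as basic-auth URLs used by some tooling) and also covers hosts written as bare IP addresses.

```python
import re
from urllib.parse import urlsplit

# Brands the article lists as supported by the kit; the list itself is an assumption for this checker.
WATCHED_BRANDS = ("microsoft.com", "google.com", "apple.com", "facebook.com")

# Constructed sample input (not from the article). The ".example" host is a placeholder.
SAMPLE_URLS = [
    "https://login.microsoft.com@attacker-placeholder.example/auth",   # '@' trick
    "https://login.microsoft.com/common/oauth2",                        # genuine host
    "https://user:pass@internal.example.com/repo.git",                  # ordinary basic-auth URL
    "http://accounts.google.com@203.0.113.10/",                         # '@' trick with IP host
]

# A userinfo that looks like a DNS name: label(.label)+ with no slashes or spaces.
HOSTNAME_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def analyze_url(url):
    """Return a dict describing whether the URL abuses the userinfo component.

    The browser connects to parts.hostname, which urlsplit takes from the text
    after the last '@' in the authority; parts.username is the text before it.
    """
    parts = urlsplit(url)
    host = parts.hostname          # what the browser actually resolves and connects to
    userinfo = parts.username      # what the victim reads first in the address bar
    reasons = []
    if userinfo:
        if HOSTNAME_LIKE.match(userinfo):
            reasons.append("userinfo is shaped like a hostname")
        u = userinfo.lower()
        if any(u == brand or u.endswith("." + brand) for brand in WATCHED_BRANDS):
            reasons.append("userinfo impersonates a watched brand")
    return {
        "url": url,
        "host": host,
        "userinfo": userinfo,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan(urls):
    """Run analyze_url over a list and return only the flagged results."""
    return [r for r in (analyze_url(u) for u in urls) if r["suspicious"]]


if __name__ == "__main__":
    for result in scan(SAMPLE_URLS):
        print(f"{result['url']}\n  real host: {result['host']}\n  reasons: {', '.join(result['reasons'])}")
```

The key field to surface to analysts (or to a mail-gateway rule) is the real host, since that is the value the address bar displays after the page loads and the value that should be compared against the brand the message claims to come from.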
Technical Details
- Generates deceptive URLs mimicking legitimate domains
- Spins up Docker containers running headless Chrome browser instances
- Supports major brands: Apple, Facebook, Google, Microsoft
- Can insert URL-shortening service links for additional obfuscation
- Removes the need for scammers to configure servers, domains, and certificates manually
Why It Matters
This represents a significant evolution in phishing attacks. Because the victim sees the real website (proxied through the attacker), there are no visual clues that something is wrong. Traditional anti-phishing detection based on page appearance is ineffective.
Analysis by Abnormal AI revealed the full scope of the service's capabilities.
Source: Krebs on Security