New “Starkiller” Phishing-as-a-Service Tool Raises the Bar on Credential Theft

A sophisticated new phishing-as-a-service (PhaaS) platform known as “Starkiller” is emerging as a significant threat to organizations and individuals, thanks to its ability to proxy real login pages and capture credentials — including multi-factor authentication (MFA) tokens.

Traditional phishing attacks typically rely on static, cloned login pages that attempt to mimic legitimate services. These static pages often raise red flags when users view them closely or when brands update their interfaces. Starkiller, however, takes a very different and more dangerous approach. Instead of serving static copies, it uses a live connection to the legitimate website and acts as a reverse proxy, delivering the genuine site content to the victim in real time.

Here’s how it works:

  • Live Proxy of Real Sites: Starkiller launches a hidden instance of a Chrome browser inside a Docker container and loads the real target site’s login page. This live content is then relayed to the victim — meaning the page they see is identical to the real one.
  • Credential Harvesting: Because the tool sits between the victim and the legitimate site, everything the user types — including usernames, passwords, MFA codes, session tokens, and cookies — is captured as it passes through the proxy.
  • MFA Bypass: The MFA codes entered by users are forwarded directly to the real service, which then issues an authenticated session; the attacker captures that session token from the proxy. This effectively neutralizes MFA even when the user completes the prompt exactly as intended, because the factor itself is never broken, only relayed.
  • Dashboard and Ease of Use: Starkiller is packaged with a slick control panel, analytics, and automation tools that make it easy for attackers to deploy convincing phishing campaigns without deep technical skills.

The platform also includes features that go beyond simple credential theft: real-time session monitoring, automated alerts when new credentials are captured, geographic tracking, and even tools to mask malicious links. Its SaaS-like usability and ongoing updates from the operators suggest this kit will be increasingly hard for defenders to spot and mitigate.

What This Means for Security

Starkiller represents a shift in phishing tactics from static impersonation to live, real-time credential relay attacks, often called adversary-in-the-middle (AiTM) attacks. These are harder to detect with traditional defenses like blocklists and page fingerprinting because the victim is interacting with the real site's content, relayed through the proxy rather than copied.

Recommendations for Mitigation:

  • Increase Detection Based on Behavior: Focus on unusual login patterns and session anomalies rather than URL content alone.
  • Strengthen Identity-Aware Defenses: Look into solutions that can detect compromised sessions even when MFA appears to succeed.
  • Educate Users: Remind your teams to be wary of unexpected login prompts and verify email sources before entering credentials — especially when MFA is requested.
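As an added example (not code from the article or from the Starkiller operators), the following Python script shows what the first two recommendations look like in practice: behaviour-based detection run over sign-in logs rather than URL content. It relies on two signals that an AiTM relay leaves at the identity provider: the MFA-completed login arrives from the proxy's network rather than the user's usual one, and the resulting session is then used from a different address than the one that completed the login. The log format, field names, ASN labels and the known-network baseline are all constructed for this example and are not from any real identity provider.

```python
"""Flag sessions showing AiTM-style relay signals in constructed sign-in logs.

Signals (both are assumptions about what an IdP logs, not fields from the article):
  1. MFA succeeded from a network (ASN) the user has never used before.
  2. The session issued by that login is later used from a different IP
     than the one that completed the login.
A session with both signals is rated "high"; one signal is "medium".
"""
from collections import defaultdict
from dataclasses import dataclass
import json

# Constructed sample log, one JSON record per line. IPs are documentation ranges.
SAMPLE_LOG = """
{"ts":"2024-05-01T08:00:00Z","user":"alice","event":"login_mfa_success","ip":"203.0.113.10","asn":"AS64496-corp","session":"s1"}
{"ts":"2024-05-01T08:05:00Z","user":"alice","event":"session_use","ip":"203.0.113.10","asn":"AS64496-corp","session":"s1"}
{"ts":"2024-05-02T09:00:00Z","user":"alice","event":"login_mfa_success","ip":"198.51.100.7","asn":"AS64500-hosting","session":"s2"}
{"ts":"2024-05-02T09:00:30Z","user":"alice","event":"session_use","ip":"192.0.2.44","asn":"AS64511-vps","session":"s2"}
{"ts":"2024-05-02T10:00:00Z","user":"bob","event":"login_mfa_success","ip":"203.0.113.22","asn":"AS64496-corp","session":"s3"}
{"ts":"2024-05-02T10:01:00Z","user":"bob","event":"session_use","ip":"203.0.113.22","asn":"AS64496-corp","session":"s3"}
"""

# Constructed baseline of networks each user has historically signed in from.
# In production this would be built from a trusted history window, not hard-coded.
KNOWN_ASNS = {"alice": {"AS64496-corp"}, "bob": {"AS64496-corp"}}


@dataclass
class Finding:
    user: str
    session: str
    reasons: tuple
    severity: str


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect_aitm_sessions(events, known_asns=None):
    """Return one Finding per session that shows at least one relay signal."""
    baseline = defaultdict(set)
    for user, asns in (known_asns or {}).items():
        baseline[user] |= set(asns)

    origin = {}                 # session id -> (user, ip that completed MFA)
    reasons = defaultdict(set)  # session id -> set of signal names

    # Process chronologically so a login is seen before its session uses.
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, sess = ev["user"], ev["session"]
        if ev["event"] == "login_mfa_success":
            if ev["asn"] not in baseline[user]:
                reasons[sess].add("mfa_from_new_network")
            # Learn the network so repeat logins are not re-flagged; a real
            # deployment would only learn from logins later confirmed benign.
            baseline[user].add(ev["asn"])
            origin[sess] = (user, ev["ip"])
        elif ev["event"] == "session_use" and sess in origin:
            if ev["ip"] != origin[sess][1]:
                reasons[sess].add("session_used_from_different_ip")

    findings = []
    for sess, found in reasons.items():
        user = origin[sess][0]
        severity = "high" if len(found) == 2 else "medium"
        findings.append(Finding(user, sess, tuple(sorted(found)), severity))
    return findings


if __name__ == "__main__":
    for f in detect_aitm_sessions(parse_log(SAMPLE_LOG), KNOWN_ASNS):
        print(f"{f.severity.upper()}: user={f.user} session={f.session} {', '.join(f.reasons)}")
```

With the constructed baseline, only alice's second session is reported: her MFA completed from a hosting network she had never used, and the session cookie was then used from yet another address, which is the combination a relayed login produces. Without a baseline every first-seen network is flagged at medium severity, so the quality of the known-network history is what keeps the false-positive rate manageable.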

This latest phishing tool underscores how attackers are evolving, blending more advanced techniques with commodity crimeware. It’s a strong reminder that credential security awareness and layered detection strategies are more important than ever.