Most phishing websites rely on static copies of login pages for popular services, which are often quickly identified and taken down by security firms. However, a new phishing-as-a-service offering, Starkiller, sidesteps this weakness by using real login pages and acting as a relay between victims and legitimate sites.

The service captures usernames, passwords, and multi-factor authentication (MFA) codes, forwarding them to attackers while returning responses from the legitimate site. This method bypasses traditional phishing detection by avoiding static, easily flagged pages.

How Starkiller Works: A Man-in-the-Middle Phishing Proxy

According to an analysis by Abnormal AI, Starkiller allows customers to select a target brand—such as Apple, Facebook, Google, or Microsoft—and generates a deceptive URL that mimics the legitimate domain. For example, a phishing link targeting Microsoft users appears as:

login.microsoft.com@[malicious/shortened URL]

The “@” symbol in the URL tricks users because everything before it is parsed as username (userinfo) data and ignored for routing, so the host the browser actually connects to is whatever follows the “@” sign. Starkiller also supports URL-shortening services to further obfuscate malicious links.
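The userinfo trick described above is simple to check for at a mail gateway or URL-rewriting proxy. The following is an added example, not code from Abnormal AI's analysis or from Starkiller: it splits a URL the way a browser does, reports the host that would really be contacted, and flags links whose userinfo contains a protected brand hostname (the PROTECTED_HOSTS set and the sample links are constructed for illustration).

```python
"""Flag URLs that hide a trusted brand hostname in the userinfo part
(everything before '@') of the URL authority.

Added example for illustration; PROTECTED_HOSTS and SAMPLE_LINKS are
constructed, not taken from any real campaign."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Brand login hosts an organisation wants to protect (hypothetical list).
PROTECTED_HOSTS = {
    "login.microsoft.com",
    "accounts.google.com",
    "appleid.apple.com",
    "www.facebook.com",
}

_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def _normalise(url: str) -> str:
    """Prepend http:// when the link has no scheme, as browsers and mail
    clients do for bare links, so urlsplit() sees an authority component."""
    return url if _SCHEME_RE.match(url) else "http://" + url


def effective_host(url: str) -> str:
    """Return the host a browser would actually connect to.

    Per RFC 3986 the authority is [userinfo "@"] host [":" port]; urlsplit()
    applies the same rule, so 'login.microsoft.com@t.example' yields
    't.example'."""
    return (urlsplit(_normalise(url)).hostname or "").lower()


def check_url(url: str) -> Optional[str]:
    """Return a reason string if the URL is a userinfo lookalike, else None.

    Two signals are used: the userinfo contains one of the protected brand
    hosts, or the username part of the userinfo looks like a dotted
    hostname at all (ordinary credentials such as 'user:pw' do not)."""
    parts = urlsplit(_normalise(url))
    if "@" not in parts.netloc:
        return None
    userinfo = parts.netloc.rsplit("@", 1)[0]
    host = (parts.hostname or "").lower()
    ui = userinfo.lower()
    for brand in PROTECTED_HOSTS:
        if brand in ui:
            return f"userinfo impersonates {brand}; real host is {host}"
    username = ui.split(":", 1)[0]
    if "." in username:
        return f"userinfo '{userinfo}' looks like a hostname; real host is {host}"
    return None


def flagged_links(links: List[str]) -> List[Tuple[str, str]]:
    """Run check_url over a batch of links and return (url, reason) pairs."""
    results = []
    for link in links:
        reason = check_url(link)
        if reason:
            results.append((link, reason))
    return results


# Constructed sample links: two lookalikes, one genuine login URL, one
# ordinary URL with basic-auth credentials that must not be flagged.
SAMPLE_LINKS = [
    "login.microsoft.com@t.example/7xq",
    "https://accounts.google.com@redir.example/path?next=https://x.example",
    "https://login.microsoft.com/common/oauth2/authorize",
    "https://user:pw@intranet.example.net/",
]

if __name__ == "__main__":
    for url, reason in flagged_links(SAMPLE_LINKS):
        print(f"FLAG {url}\n     {reason}")
```

The check keys on the authority component rather than on string matching of the whole link, so a brand name appearing legitimately in a path or query parameter is not a false positive; only a brand name sitting before the `@` is reported, together with the host that would really be reached.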

Technical Breakdown: Docker, Headless Chrome, and Real-Time Monitoring

Once a target URL is selected, Starkiller spins up a Docker container running a headless Chrome browser instance that loads the real login page. Researchers Callie Baron and Piotr Wojtyla explained in a Thursday blog post:

"The container then acts as a man-in-the-middle reverse proxy, forwarding the end user’s inputs to the legitimate site and returning the site’s responses. Every keystroke, form submission, and session token passes through attacker-controlled infrastructure and is logged along the way."

This setup enables real-time session monitoring, allowing attackers to live-stream a victim’s interactions with the phishing page. Starkiller also includes additional malicious features:

  • Keylogger capture for every keystroke
  • Cookie and session token theft for direct account takeover
  • Geo-tracking of targets
  • Automated Telegram alerts when new credentials are captured
  • Campaign analytics with visit counts, conversion rates, and performance graphs

Starkiller’s MFA Bypass: How It Steals Authentication Tokens

Unlike traditional phishing kits, Starkiller intercepts and relays MFA credentials because victims authenticate directly with the real site through the proxy. Any authentication tokens submitted are captured and forwarded to attackers, enabling seamless account takeover.