A newly uncovered phishing kit allows cybercriminals to steal credentials with a sophisticated toolkit that spoofs live login pages and bypasses multi-factor authentication (MFA) protections, cybersecurity analysts at Abnormal Security have warned.
Dubbed Starkiller, the phishing platform has been described as “a commercial-grade cybercrime platform” and “a comprehensive toolkit for stealing identities at scale.” The tool is distributed on the dark web as a SaaS product, complete with subscription pricing, regular updates, and customer support via Telegram.
How Starkiller Differs from Traditional Phishing Kits
Unlike most phishing kits that rely on static HTML clones of login pages, Starkiller takes a fundamentally different approach. The phishing site is launched through a reverse proxy operated by attacker-controlled infrastructure, serving victims the genuine page content in real-time.
“Recipients are served genuine page content directly through the attacker’s infrastructure, ensuring the phishing page is never out of date. And because Starkiller proxies the real site live, there are no template files for security vendors to fingerprint or blocklist,” Abnormal researchers explained.
The proxy runs in a headless Chrome instance, giving users little to no reason for suspicion — while credentials entered are captured directly by the attackers.
Extensive Target Support
Starkiller provides attackers with the ability to mimic:
- Google and Microsoft
- Facebook and Apple
- Amazon and Netflix
- PayPal and various banks
- Many other online services
The tool generates deceptive URLs that visually mimic legitimate domains while routing all traffic through attacker infrastructure.
Real-Time Session Hijacking and MFA Bypass
Starkiller offers cybercriminals real-time session monitoring, allowing them to watch targets interact with the phishing page live. A built-in keylogger captures everything the victim types.
Most critically, Starkiller enables MFA bypass. Because the targeted user is authenticating with the real site through the proxy, any one-time codes or authentication tokens they submit are forwarded to the legitimate service in real time — providing attackers with direct access to the account.
Distribution and Defense
Starkiller attacks are likely distributed via phishing emails imitating legitimate alerts from services like Google and Microsoft.
“The level of ongoing development means Starkiller is likely to become increasingly difficult to detect and defend against,” warned Abnormal researchers.
Recommended defenses:
- Monitor for anomalous login patterns
- Watch for session token reuse from unexpected locations
- Implement hardware-based FIDO2 authentication where possible
- Train users to verify URLs before entering credentials
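The two monitoring recommendations above can be turned into simple detection logic. The following is an added example, not code from Abnormal's report: it parses a constructed, hypothetical authentication log and flags (a) logins from a country absent from the user's baseline and (b) one session token presented from more than one network location, which is what a token replayed from attacker infrastructure looks like to the legitimate service.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events (hypothetical format): a "login" mints a session
# token; later "request" lines present that token. Field names are assumptions.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z login   user=alice session=tok1 ip=198.51.100.77 geo=NL
2024-05-01T09:02:10Z request user=alice session=tok1 ip=198.51.100.77 geo=NL
2024-05-01T09:40:00Z request user=alice session=tok1 ip=203.0.113.9 geo=RU
2024-05-01T10:00:00Z login   user=bob   session=tok2 ip=192.0.2.20 geo=US
2024-05-01T10:30:00Z request user=bob   session=tok2 ip=192.0.2.20 geo=US
"""

# Constructed per-user baseline: countries seen in past successful logins.
KNOWN_GEOS = {"alice": {"DE"}, "bob": {"US"}}

@dataclass
class Event:
    ts: datetime
    kind: str
    user: str
    session: str
    ip: str
    geo: str

def parse_log(text):
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        ts, kind, *rest = line.split()
        kv = dict(p.split("=", 1) for p in rest)
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            kind, kv["user"], kv["session"], kv["ip"], kv["geo"]))
    return events

def detect(events, known_geos):
    """Return alert strings for anomalous logins and multi-location token use."""
    seen = {}  # session token -> set of (ip, geo) it has been presented from
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login" and ev.geo not in known_geos.get(ev.user, set()):
            alerts.append(f"anomalous-login {ev.user} from {ev.ip}/{ev.geo}")
        places = seen.setdefault(ev.session, set())
        if places and (ev.ip, ev.geo) not in places:
            alerts.append(f"token-reuse {ev.session} ({ev.user}) from "
                          f"{ev.ip}/{ev.geo}, previously {sorted(places)}")
        places.add((ev.ip, ev.geo))
    return alerts
```

Because a live proxy means the service sees the attacker's address from the very first request, the baseline check on the login itself matters as much as the later reuse check; in production the baseline would come from historical login data rather than a hard-coded dictionary.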
