A sophisticated new phishing-as-a-service (PhaaS) platform named "Starkiller" is enabling cybercriminals to execute highly convincing attacks that can bypass traditional detection methods and multi-factor authentication (MFA). Unlike static phishing kits that host cloned login pages, Starkiller operates as a malicious proxy. It dynamically loads the *real* login page of the target brand—such as Microsoft, Apple, or Google—directly from the legitimate site. The service then sits invisibly between the victim and the real website, relaying all entered credentials and, critically, any one-time MFA codes to the legitimate service in real time. This technique not only harvests the data but also completes the authentication process on the victim's behalf, granting the attacker immediate access to the account while the user sees a normal, successful login.
The operational model of Starkiller significantly lowers the barrier to entry for conducting advanced phishing campaigns. As analyzed by security firm Abnormal AI, customers of the service simply select a brand to impersonate. Starkiller then generates a deceptive URL that visually mimics a legitimate domain while routing all traffic through the attacker's infrastructure. A key tactic involves using the "@" symbol in URLs—an old but effective trick. For example, a link may appear as "login.microsoft.com@[malicious-domain].ru". In a standard URL, everything before the "@" in the authority is treated as the userinfo (username) component, not the host; the browser actually navigates to the domain *after* the "@" sign, which is the attacker-controlled phishing page. This creates a powerful visual deception for the victim.
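To make that parsing rule concrete, the following is an added example (not from the article or from Abnormal AI's analysis) showing how a URL parser splits such a link and how a link scanner can flag the userinfo trick before a user clicks. The brand list, the URL regex, and the domain evil-example.ru are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Brands treated as commonly impersonated. Constructed list for this example,
# not taken from the Starkiller service's own catalogue.
PROTECTED_BRANDS = ("microsoft.com", "apple.com", "google.com")

# Matches scheme-prefixed links in free text (constructed, deliberately simple).
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _matches_brand(name: str):
    """Return the protected brand that `name` equals or is a subdomain of, else None."""
    for brand in PROTECTED_BRANDS:
        if name == brand or name.endswith("." + brand):
            return brand
    return None


def classify_url(url: str) -> dict:
    """Report the host a browser will really contact and whether the userinfo
    (everything before '@' in the authority, per RFC 3986) impersonates a brand."""
    if "://" not in url:
        url = "https://" + url  # treat scheme-less text the way an address bar would
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # The browser connects to `host`; anything before the last '@' is userinfo.
    userinfo = parts.netloc.rsplit("@", 1)[0].lower() if "@" in parts.netloc else ""
    impersonated = _matches_brand(userinfo)
    return {
        "host": host,
        "userinfo": userinfo,
        "impersonated_brand": impersonated,
        # Suspicious when the userinfo looks like a brand but the real host is not that brand.
        "suspicious": impersonated is not None and _matches_brand(host) != impersonated,
    }


def flag_links(text: str) -> list:
    """Scan free text (e.g. an email body) and return the links that use the '@' trick."""
    return [c for c in map(classify_url, URL_RE.findall(text)) if c["suspicious"]]


# Constructed sample email body; evil-example.ru stands in for the attacker's relay domain.
SAMPLE_EMAIL = """Your password expires today. Sign in at
https://login.microsoft.com@evil-example.ru/common/oauth2 to keep access.
Help: https://support.microsoft.com/ (unchanged)"""

if __name__ == "__main__":
    for hit in flag_links(SAMPLE_EMAIL):
        print(f"ALERT: link shows {hit['userinfo']!r} but connects to {hit['host']!r}")
```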
This proxy-based approach presents a formidable challenge for both users and security systems. Because the victim is interacting with the genuine website's front-end, traditional indicators such as an untrustworthy SSL/TLS certificate or slight visual discrepancies in a cloned page are absent. The service also reportedly integrates with URL shorteners to further obfuscate the final destination. For defenders, detecting such attacks requires analyzing network traffic for anomalous redirections or identifying the relay infrastructure itself, rather than relying solely on static page analysis or domain reputation.
The emergence of Starkiller underscores a dangerous evolution in the cybercrime economy, where commoditized services are providing advanced capabilities once reserved for sophisticated threat actors. It highlights the critical need for a layered security approach. Organizations must reinforce user education, emphasizing scrutiny of URLs even when a page looks perfectly authentic. Technologically, implementing phishing-resistant MFA (like FIDO2/WebAuthn security keys) and deploying advanced email security solutions that analyze link behavior and sender reputation are becoming essential countermeasures against this new generation of proxy-based phishing threats.