Starkiller phishing suite proxies live login pages to bypass MFA

Cybersecurity researchers disclosed a new phishing suite named Starkiller that proxies legitimate login pages through attacker infrastructure to bypass multi-factor authentication and capture keystrokes, session tokens and one-time codes.

KEY FACTS

  • Incident: New phishing platform called Starkiller is in active use
  • Technique: Proxies live login pages using a headless browser inside a container
  • Impact: Captures keystrokes, form submissions, session tokens and MFA codes
  • Delivery: Dashboard supports brand selection and URL masking including shorteners

A technical analysis from Abnormal Security said Starkiller launches a headless Chrome instance inside a Docker container and acts as a reverse proxy between victims and the legitimate site.

The report says the proxy serves genuine page content in real time so phishing pages never go out of date. Attackers can enter a target brand or real URL in the control panel and mask links with popular shorteners to hide the destination.
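Because the victim's browser is actually loaded on the attacker's domain while the proxied page looks genuine, the browser sets its Origin (and usually Referer) header to the proxy host on the login POST; unless the kit rewrites those headers before forwarding, the real authentication server sees a mismatch. The following is an added example of that server-side check, written for this article and not code from Starkiller, Abnormal Security or any vendor; the expected origin `https://login.example.com` and the header dictionaries are constructed for illustration.

```python
"""Server-side origin check on a login POST, as one signal of reverse-proxy phishing.

Hypothetical helper (not any vendor's API): compares the browser-supplied Origin,
falling back to Referer, against the site's canonical origin.
"""
from typing import Optional
from urllib.parse import urlsplit

EXPECTED_ORIGIN = "https://login.example.com"  # assumed canonical login origin


def _normalize(origin: str) -> Optional[str]:
    """Reduce a URL or origin to lower-cased scheme://host[:port]; None if unparsable."""
    parts = urlsplit(origin.strip())
    if not parts.scheme or not parts.hostname:
        return None  # covers 'null', bare hostnames and other non-URL values
    default_port = {"https": 443, "http": 80}.get(parts.scheme)
    if parts.port is None or parts.port == default_port:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{parts.port}"


def check_login_origin(headers: dict, expected: str = EXPECTED_ORIGIN) -> dict:
    """Return {'ok': bool, 'reason': str, 'seen': normalized origin or None}.

    A browser posting the real login form reports the real origin. A browser
    posting a proxied copy reports the proxy's domain unless the kit rewrites
    the header, so a mismatch is worth logging and correlating.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    seen = lower.get("origin") or lower.get("referer")
    if seen is None:
        # Browsers send Origin on cross-site form POSTs; a login with neither header is unusual.
        return {"ok": False, "reason": "missing_origin_and_referer", "seen": None}
    norm = _normalize(seen)
    if norm is None:
        return {"ok": False, "reason": "unparsable_origin", "seen": seen}
    if norm != _normalize(expected):
        return {"ok": False, "reason": "origin_mismatch", "seen": norm}
    return {"ok": True, "reason": "origin_matches", "seen": norm}


if __name__ == "__main__":
    # Constructed header sets: a genuine submission and one from a look-alike proxy host.
    print(check_login_origin({"Origin": "https://login.example.com"}))
    print(check_login_origin({"Referer": "https://login-verify.example.net/m365/"}))
```

Treat the result as a detection signal rather than a control: a proxy that rewrites headers passes this check, which is why the mismatch is best logged alongside the client network and session data rather than used as the only gate.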

All user input routed through the proxy can be captured. The tool forwards keystrokes, form submissions and session tokens to the legitimate site while storing copies on attacker infrastructure for account takeover.
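From the legitimate site's side, a proxied login has two tell-tale traits: the MFA-backed login itself arrives from the proxy host rather than from the user's usual network, and the issued session is afterwards used from attacker infrastructure. The following detector is an added example written for this article, not code from Starkiller, Abnormal Security or any vendor; the JSON-lines log, its field names (`asn`, `session`, `mfa`) and the 24-hour replay window are all constructed assumptions.

```python
"""Flag MFA logins and session reuse consistent with a proxied (adversary-in-the-middle) login.

Two signals over constructed authentication events:
  1. login_from_new_asn: an MFA-backed login from a network the user has never
     authenticated from before (the proxy host, in a reverse-proxy phishing flow);
  2. session_used_from_different_asn: a session replayed from a network other
     than the one it was issued to, within REPLAY_WINDOW of issuance.
Log schema and values are constructed for this example, not a vendor format.
"""
import json
from datetime import datetime, timedelta

REPLAY_WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample log: alice's second login arrives from a hosting ASN and the
# resulting session is then used from a third network; bob's activity is consistent.
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:00:00Z","event":"login","user":"alice","ip":"203.0.113.10","asn":"AS64500 ResidentialISP","session":"s1","mfa":true}
{"ts":"2024-05-01T08:05:00Z","event":"request","user":"alice","ip":"203.0.113.10","asn":"AS64500 ResidentialISP","session":"s1"}
{"ts":"2024-05-01T10:00:00Z","event":"login","user":"bob","ip":"203.0.113.44","asn":"AS64503 OfficeISP","session":"b1","mfa":true}
{"ts":"2024-05-01T10:30:00Z","event":"request","user":"bob","ip":"203.0.113.44","asn":"AS64503 OfficeISP","session":"b1"}
{"ts":"2024-05-02T09:00:00Z","event":"login","user":"alice","ip":"198.51.100.7","asn":"AS64501 CloudHosting","session":"s2","mfa":true}
{"ts":"2024-05-02T09:02:00Z","event":"request","user":"alice","ip":"192.0.2.55","asn":"AS64502 VPSProvider","session":"s2"}
"""


def parse(lines: str) -> list:
    """Parse JSON lines into event dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def analyze(lines: str) -> list:
    """Return a list of finding dicts (session, user, signal, asn) in event order."""
    known_asn = {}   # user -> ASNs seen on logins that did not trip the check
    issued = {}      # session id -> (user, issuing ASN, issue time)
    findings = []
    for ev in parse(lines):
        if ev["event"] == "login":
            seen = known_asn.setdefault(ev["user"], set())
            if seen and ev["asn"] not in seen:
                findings.append({"session": ev["session"], "user": ev["user"],
                                 "signal": "login_from_new_asn", "asn": ev["asn"]})
            else:
                # Only unflagged logins extend the baseline, so a suspected proxied
                # login does not normalise the attacker's network for later checks.
                seen.add(ev["asn"])
            issued[ev["session"]] = (ev["user"], ev["asn"], ev["ts"])
        elif ev["event"] == "request":
            origin = issued.get(ev["session"])
            if origin is None:
                continue  # session issued outside this log window
            user, asn, issued_at = origin
            if ev["asn"] != asn and ev["ts"] - issued_at <= REPLAY_WINDOW:
                findings.append({"session": ev["session"], "user": user,
                                 "signal": "session_used_from_different_asn",
                                 "asn": ev["asn"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Keying on ASN rather than raw IP keeps the first signal usable for users on dynamic residential addresses; in practice the baseline would be built from weeks of history rather than from the same log window, and a hosting or VPS ASN on an MFA login is the strongest of the two indicators because that is where a containerised proxy lives.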

Observers note this approach lowers the skill barrier for large-scale phishing. The disclosure also describes other recent campaigns that abused OAuth device code flows and multi-stage chains targeting financial institutions to sidestep MFA and harvest credentials.

WHY IT MATTERS

By proxying live sites and capturing authentication tokens, Starkiller makes it easier for attackers to bypass MFA and achieve persistent access. The centralised dashboard and URL masking raise the risk of scalable credential harvesting for organisations and individuals.