Abnormal has discovered a new phishing kit that allows bad actors to steal usernames and passwords with a toolkit that spoofs live login pages and bypasses multi-factor authentication (MFA) protections.
Most phishing kits depend on static HTML clones of login pages, which, while effective, are inherently fragile. Even a small interface update from the brand being impersonated can instantly reveal the deception.
“A new framework called Starkiller (not to be confused with the legitimate BC Security red team tool of the same name) takes a different approach,” Abnormal researchers said.
A Commercial-grade Platform
It is being sold openly as a commercial-grade cybercrime platform by a threat group calling itself Jinkusu. This scourge is being distributed like a SaaS solution.
“It launches a headless Chrome instance (a browser that operates without a visible window) inside a Docker container, loads the brand’s real website, and acts as a reverse proxy between the target and the legitimate site.”
Recipients receive genuine page content directly through the malefactor’s infrastructure, so the phishing page is always up to date. Moreover, because Starkiller proxies the real site live, there are zero template files for security vendors to fingerprint or blocklist.
In this way, Starkiller’s control panel equips attackers with a polished dashboard for running phishing campaigns. The core workflow requires practically no technical skill. “An attacker enters a brand’s real URL, and the platform spins up a Docker container running a headless Chrome instance that loads the real login page.”
MITM Reverse Proxy
Abnormal says the container then acts as a man-in-the-middle reverse proxy, forwarding the end user’s inputs to the legitimate site and returning the site’s responses. “Every keystroke, form submission, and session token passes through attacker-controlled infrastructure and is logged along the way.”
Starkiller also offers threat actors real-time session monitoring, so they can live-stream the target’s screen as they interact with the phishing page.
Also included are a keylogger that captures each keystroke, cookie and session token theft for direct account takeover, geo-tracking of targets, and automated Telegram alerts when new credentials arrive.
“Campaign analytics round out the operator experience with visit counts, conversion rates, and performance graphs—the same kind of metrics dashboard a legitimate SaaS platform would offer,” the researchers added.
MFA Bypass
The MFA bypass is worth noting. Because the victim is logging in to the genuine site through the proxy, any one-time codes or authentication tokens they enter are relayed to the real service in real time.
The attacker will then harvest session cookies and tokens, giving them access to the account. When attackers relay the entire login process in real time, MFA can be bypassed even when it functions as designed.
Starkiller’s marketing materials highlight how the platform is designed for financial fraud, with advertised modules for harvesting credit card numbers, crypto wallet seeds, bank accounts, and payment details. The platform also advertises fake software update templates for browsers such as Chrome and Firefox, which are intended to deceive victims into downloading spurious files, as well as an EvilEngine Core module that boasts undetectable phishing links.
The platform also automatically handles all operational infrastructure. Docker engine status, image builds, and active containers are managed from one panel, meaning attackers don’t need to understand reverse proxies or certificate management to carry out an attack.
The low technical barrier is what makes Starkiller particularly dangerous, Abnormal said.
MFA Isn’t Impenetrable
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, commented: “MFA is an essential part of keeping accounts secure, but like anything, it isn’t an impenetrable forcefield. Attackers still target humans to build trust and get them to willingly hand over credentials or grant access.”
He says we can only expect more MFA bypass via real-time phishing, which is why it’s important to prioritise phishing-resistant MFA such as FIDO2, because not all MFA is created equal.
“Beyond that, organizations should invest in controls to detect unknown logins from new locations or devices and have response plans in place. Also, organizations need to train their users so they can pause and verify whenever anything appears suspicious.”
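Why the real-time relay described above fails against the phishing-resistant FIDO2 that Malik recommends, as an added illustration that is not part of the article or of Abnormal’s research: a simplified model of the browser’s and relying party’s WebAuthn checks, with constructed names (example.com, the secret, the challenge) and an HMAC standing in for the authenticator’s public-key signature.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

RP_ID = "example.com"                          # constructed relying-party id
ALLOWED_ORIGINS = {"https://login.example.com"}
# Constructed stand-in for the authenticator's private key; real FIDO2 uses
# public-key signatures (e.g. ES256), which this HMAC only approximates.
AUTHENTICATOR_SECRET = b"demo-authenticator-secret"

def rp_id_hash() -> bytes:
    return hashlib.sha256(RP_ID.encode()).digest()
def browser_get_assertion(origin: str, rp_id: str, challenge: str):
    """Model of navigator.credentials.get(): the browser records the page's real
    origin in clientData and refuses an rpId the origin is not a subdomain of."""
    host = urlparse(origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None  # browser raises SecurityError; no assertion is produced
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    signed = rp_id_hash() + hashlib.sha256(client_data).digest()
    sig = hmac.new(AUTHENTICATOR_SECRET, signed, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "rp_id_hash": rp_id_hash(), "sig": sig}
def rp_verify(assertion: dict, expected_challenge: str) -> tuple:
    """Subset of the relying party's WebAuthn assertion checks."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: " + str(cd.get("origin"))
    if assertion["rp_id_hash"] != rp_id_hash():
        return False, "rpIdHash mismatch"
    signed = assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(AUTHENTICATOR_SECRET, signed, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "bad signature"
    return True, "ok"
def login_attempt(page_origin: str) -> tuple:
    """One FIDO2 login with the user's browser on page_origin. A reverse proxy on
    a look-alike domain can relay the challenge, but the assertion is bound to
    page_origin, so the genuine site never accepts it."""
    challenge = "constructed-challenge"   # constructed; a real RP issues a fresh one per login
    assertion = browser_get_assertion(page_origin, RP_ID, challenge)
    if assertion is None:
        return False, "browser refused: rpId does not match page origin"
    return rp_verify(assertion, challenge)
```

The password and one-time code relayed through the proxy never enter this flow; the origin binding is what the relay cannot forge.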
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.