A growing phishing-as-a-service (PhaaS) tool reliably undermines traditional methods for detecting phishing attacks, both technical and psychological.
“Starkiller,” described this week by researchers at Abnormal AI, is packaged and sold with a sleekness comparable to legitimate software-as-a-service (SaaS) platforms. It’s got a clean, retrofuturist dashboard, sporting real-time campaign analytics. It gets periodic updates, and even allows its cybercriminal users to log in using two-factor authentication (2FA).
It’s got substance to back up its style, too. Its website advertises “enterprise-grade phishing infrastructure” for “campaigns that bypass modern security systems.” Though its self-reported 99.7% success rate is almost certainly fictional, it really does help attackers bypass many of the traditional phishing security techniques so many enterprises rely on, according to Abormal AI’s research.
Its foremost trick is that, where other PhaaS platforms might help hackers create phishing pages that convincingly mimic popular websites, Starkiller goes one step further, proxying the actual websites that users want to visit and swiping their credentials along the way.
For Callie Baron, senior content marketing manager for threat intelligence at Abnormal AI, “What is novel isn’t a single feature; it’s the architecture and packaging. Starkiller turns high-end reverse-proxy tradecraft into a turnkey, SaaS-style workflow that dramatically lowers the skill barrier and removes the usual weak points defenders rely on.”
Meet Starkiller
Starkiller offers an end-to-end phishing suite, starting with its techniques for masking URLs.
From Starkiller’s graphical user interface (GUI), users can simply select one of a variety of brand name companies to impersonate, from Apple to PayPal to Instagram. Then they can select a keyword to modify the link, like “login” or “security,” depending on the nature of their scam.
Because “login.apple.com” isn’t a domain available to hackers, Starkiller uses two classic tricks to make the URL as close to realistic as possible. It integrates URL shorteners, and employs the “@” symbol technique. Browsers treat characters before an @ symbol in a URL as innocuous user info, but still display it prominently, allowing attackers to frontload a fake, legitimate-looking half of a domain and deemphasize the actual domain users are funneled to.
When a victim clicks the malicious link, they don’t see some diligently crafted landing page made to look almost but not quite exactly like a legitimate one. They’re brought to the actual website they intended to go to. The catch is, that site is being funneled through an attacker’s cloud infrastructure. Starkiller spins up a Docker container, running a headless Chrome instance for the user.
Once the victim enters their login information, or even a multifactor authentication (MFA) code, they’ll successfully get into their account. Meanwhile, their hacker will have nabbed the credentials they entered and the session token granted to the victim for having passed the MFA check, allowing the hacker to log into the account as well.
Even better — this entire process is essentially automated. Besides identifying which service they’d like to impersonate, all a Starkiller user really has to do is sit back and track their infections from an easy-to-use GUI. The program does all the dirty work.
Baron explains, “It centralizes container life cycle, builds, and active infrastructure alongside phishing deployment and active session monitoring, explicitly reducing the need to understand reverse proxies and certificates. Lowering that technical barrier expands who can execute high-end phishing tradecraft and is a major differentiator in real-world impact.”
How Starkiller Beats Standard Phishing Detection
Starkiller’s login page proxying technique saves its users all kinds of time they’d otherwise have to spend designing phishing pages. It also shields them from “template drift” — having to update their phishing pages as the real pages they’re mimicking get updated.
More than anything, though, “it highlights why traditional phishing detection approaches — like static page analysis, blocklists, and reputation-based URL filtering — can fall short. Because Starkiller proxies real login pages live rather than serving a cloned template, there often isn’t a stable phishing-page fingerprint to match, and the victim experience can look indistinguishable from a legitimate sign-in,” Baron says.
From her perspective, Starkiller represents a broader shift in phishing infrastructure, with attackers moving toward real-time, session-aware compromises rather than straightforward credential harvesting. In the face of that, she says, “Organizations have to shift toward behavioral and identity-aware detection. This means monitoring for anomalous sign-ins, session token reuse, impossible travel patterns, and other signals of compromised sessions, even when MFA was technically completed and the login page looked legitimate.”
“If defenders are only asking, ‘Was MFA completed?’ they’re asking the wrong question,” she argues. “The more important question is whether the authenticated session itself behaves like the legitimate user.”
