Cyberwire Daily
Starkiller: New ‘Commercial-Grade’ Phishing Kit Bypasses MFA

By Team-CWD, February 20, 2026


A newly uncovered phishing kit lets cybercriminals steal usernames and passwords by spoofing live login pages and bypassing multi-factor authentication (MFA) protections, cybersecurity analysts have warned.

Dubbed Starkiller, the phishing platform has been detailed by researchers at Abnormal, who have described it as “a commercial-grade cybercrime platform” and “a comprehensive toolkit for stealing identities at scale”.

The tool is distributed on the dark web like a software-as-a-service (SaaS) product, complete with a subscription model, updates and customer support.

Researchers noted that while the Starkiller name is shared with a legitimate red team penetration testing tool by BC Security, the two platforms are not related.

What makes Starkiller notable is how it differs from many other phishing kits.

Most rely on static HTML clones of the login page the attackers want to replicate. But with Starkiller, the phishing site is served through a proxy running on attacker-controlled infrastructure, and the result is indistinguishable from the real login portal being used as a template.

“Recipients are served genuine page content directly through the attacker’s infrastructure, ensuring the phishing page is never out of date. And because Starkiller proxies the real site live, there are no template files for security vendors to fingerprint or blocklist,” Abnormal researchers explained.

The proxy is launched in a headless Chrome instance and gives the user little to no reason for suspicion. However, the infrastructure means that the credentials entered are sent directly to the attackers.

The Starkiller kit provides attackers with the ability to mimic Google, Microsoft, Facebook, Apple, Amazon, Netflix, PayPal, various banks and many more online services. The tool generates a deceptive URL that visually mimics the legitimate domain while routing traffic through the attacker’s infrastructure.

Starkiller also offers cybercriminals real-time session monitoring, allowing them to watch the target interact with the phishing page live, as well as the use of a keylogger to capture anything the victim enters.

How Starkiller Enables MFA Bypass

The way Starkiller has been built also enables it to bypass MFA. This is because the targeted user is authenticating with the real site through the proxy.

That means any one-time codes or authentication tokens they submit are forwarded to the legitimate service in real time, providing attackers with direct access to the account.

According to Abnormal, the most likely way Starkiller attacks are distributed is through phishing emails that imitate legitimate alerts and notifications from the likes of Google and Microsoft.

The toolkit is sold on a subscription basis with a monthly fee, meaning users are provided with updates to the platform and helpdesk support via Telegram.

“The level of ongoing development means Starkiller is likely to become increasingly difficult to detect and defend against,” warned Abnormal researchers, who have also described the tool as “a significant escalation in phishing infrastructure.”

To defend against attacks deployed by Starkiller, it’s recommended that organizations watch for anomalous login patterns or session token reuse from unexpected locations.
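
One way to implement the monitoring recommended above, as an added example that is not from the article or from Abnormal's research: it flags logins from a network a user has never used and any session token later presented from a different network or country than the one that established it. The event fields, the per-user baseline and the sample events are constructed assumptions.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts user kind session ip asn country ua")

# Constructed sample identity-provider events (assumed field layout).
# IPs are documentation ranges and ASNs are private-use numbers.
EVENTS = [
    Event("2026-02-20T09:00:05", "alice", "login", "s-111", "198.51.100.10", "AS64500", "US", "Chrome/Windows"),
    Event("2026-02-20T09:04:40", "alice", "api", "s-111", "198.51.100.10", "AS64500", "US", "Chrome/Windows"),
    Event("2026-02-20T10:15:00", "bob", "login", "s-222", "203.0.113.7", "AS64511", "NL", "Chrome/Linux"),
    Event("2026-02-20T10:15:30", "bob", "api", "s-222", "192.0.2.44", "AS64496", "RO", "Firefox/Linux"),
    Event("2026-02-20T10:16:10", "bob", "api", "s-222", "192.0.2.44", "AS64496", "RO", "Firefox/Linux"),
]

# Assumed baseline: networks seen in each user's earlier successful logins.
KNOWN_ASNS = {"alice": {"AS64500"}, "bob": {"AS64501"}}


def detect(events, known_asns):
    """Return alerts as (rule, user, session, detail) tuples, in time order."""
    alerts = []
    origin = {}       # session id -> login event that established it
    reported = set()  # (session, asn, country) pairs already alerted on
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login":
            origin[ev.session] = ev
            # With a live proxy, the provider sees the login arrive from the
            # proxy's network rather than from the user's usual one.
            if ev.asn not in known_asns.get(ev.user, set()):
                alerts.append(("new_login_network", ev.user, ev.session, ev.asn))
            continue
        first = origin.get(ev.session)
        if first is None:
            continue  # session was established before this log window
        changed = [f for f in ("asn", "country", "ua")
                   if getattr(ev, f) != getattr(first, f)]
        # A user-agent change alone is too noisy (browser updates), so the
        # rule fires only when the network or country differs from the origin.
        key = (ev.session, ev.asn, ev.country)
        if {"asn", "country"} & set(changed) and key not in reported:
            reported.add(key)
            alerts.append(("session_reuse", ev.user, ev.session, ",".join(changed)))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN_ASNS):
        print(alert)
```
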


