The Starkiller phishing service represents a significant advancement in phishing capabilities by combining real-time session hijacking with multi-factor authentication (MFA) bypass. Unlike traditional phishing kits that rely on static replicas of login pages, Starkiller dynamically loads the legitimate login page of targeted brands such as Apple, Microsoft, Google, and Facebook, then proxies victim interactions through attacker-controlled infrastructure.

Delivered as a phishing-as-a-service offering by the threat group known as Jinkusu, Starkiller automates complex steps including server setup, domain management, and SSL certificate deployment, dramatically lowering the technical barriers for cybercriminals. Customers select a target brand and receive a deceptive URL crafted to resemble the legitimate domain using techniques such as the "@" symbol to mask the malicious destination. For example, a Microsoft-targeted link may appear as "login.microsoft.com@[malicious-url]". This exploits standard URL parsing, in which everything between "//" and "@" is treated as the userinfo component and the host that the browser actually connects to is the part that follows the "@".

Upon victim interaction, Starkiller spins up a Docker container running a headless Chrome browser instance that loads the genuine login page. This container acts as a man-in-the-middle reverse proxy, forwarding keystrokes, form submissions, and session tokens to the authentic site and returning responses to the victim’s browser. This approach ensures all credentials, including MFA codes, are captured in real time.

According to research published by Abnormal AI security analysts Callie Baron and Piotr Wojtyla, Starkiller logs every input and session token, enabling attackers to hijack authenticated sessions despite MFA protections functioning as designed. The platform includes features such as keylogging, cookie theft, geolocation tracking, and automated Telegram alerts for new credentials. Additionally, it provides campaign analytics with visit counts, conversion rates, and performance graphs, mimicking legitimate SaaS dashboards.

Starkiller’s ability to relay the victim’s entire authentication flow neutralizes MFA security by capturing authentication tokens and session cookies as they are issued by the legitimate service. This renders traditional defenses like domain blocklisting and static page detection ineffective since the phishing page is a live proxy of the real site.

The service also offers modules to harvest email addresses and contact information from compromised sessions, which can be leveraged for subsequent phishing campaigns. Jinkusu maintains an active user forum supporting customers with troubleshooting and feature requests.

Affected platforms primarily include web browsers on Windows, macOS, and mobile devices where victims interact with phishing links. The attack targets users of major online services with MFA enabled, such as Microsoft 365, Google Workspace, and Apple ID.

Detection signatures should focus on anomalous HTTP(S) traffic patterns indicative of proxying behavior, unusual use of "@" in URLs, and the presence of Docker containers running headless browsers in suspicious hosting environments. Network defenders can leverage URL filtering to block domains known to be associated with Starkiller infrastructure, although URL masking complicates this approach.
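The "@"-masking trick described earlier and the "unusual use of '@' in URLs" detection point above can be checked mechanically. The following is an added example (not code from the Abnormal AI research or from Starkiller) that separates what a victim reads before the "@" from the host a browser will really connect to, and flags links whose userinfo imitates one of the brands named on this page. The brand list, sample URLs and host names are constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Brand domains the page names as Starkiller targets (constructed watch-list).
WATCHED_BRANDS = ("microsoft.com", "google.com", "apple.com", "facebook.com")


def _matches_brand(host: str) -> Optional[str]:
    """Return the watched brand that `host` equals or is a subdomain of."""
    for brand in WATCHED_BRANDS:
        if host == brand or host.endswith("." + brand):
            return brand
    return None


def analyze_url(url: str) -> dict:
    """Separate what a victim reads from the host the browser really connects to.

    RFC 3986 puts everything between '//' and '@' in the userinfo component, so
    'https://login.microsoft.com@evil.example/' connects to evil.example.
    """
    if "://" not in url:
        url = "https://" + url  # links pasted into mail bodies often lack a scheme
    parts = urlsplit(url)
    actual_host = (parts.hostname or "").lower()
    # Use the raw text before the last '@' (minus any ':password' part), because
    # that is the string the victim sees; urlsplit would hide a 'user:pass@' shape.
    userinfo = parts.netloc.rsplit("@", 1)[0] if "@" in parts.netloc else ""
    shown = userinfo.split(":", 1)[0].lower()
    spoofed = _matches_brand(shown)
    real = _matches_brand(actual_host)
    masked = spoofed is not None and real != spoofed
    return {"actual_host": actual_host, "shown_prefix": shown,
            "spoofed_brand": spoofed if masked else None, "suspicious": masked}


def flag_masked_urls(urls):
    """Return (url, actual_host, spoofed_brand) for each '@'-masked link."""
    hits = []
    for u in urls:
        r = analyze_url(u)
        if r["suspicious"]:
            hits.append((u, r["actual_host"], r["spoofed_brand"]))
    return hits


# Constructed sample links, as they might be extracted from mail bodies or proxy logs.
SAMPLE_URLS = [
    "https://login.microsoft.com@phish-host.example/common/oauth2",  # masked
    "https://accounts.google.com/signin",                             # legitimate
    "https://id.apple.com:secret@apple.com/",                         # userinfo, but real host is apple.com
    "www.facebook.com@198.51.100.7/login",                             # masked, no scheme, IP destination
]

if __name__ == "__main__":
    for hit in flag_masked_urls(SAMPLE_URLS):
        print("MASKED URL:", *hit)
```

Only the first and fourth sample links are reported; the third carries userinfo but genuinely lands on the brand's domain, which is why the check compares the spoofed brand against the real host rather than flagging every "@".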

Removal guidance involves educating users on how to read the true destination of a link, enforcing endpoint security controls to detect and block suspicious browser automation, and employing MFA methods resistant to session hijacking, such as hardware tokens implementing FIDO2 standards. Incident responders must invalidate sessions and reset credentials immediately upon compromise.

References:

  • Abnormal AI blog: https://abnormal.ai/blog/starkiller-phishing-kit
  • CVE-2023-XXXXX related to headless browser exploits (investigate updates)

Starkiller exemplifies a shift toward commoditized phishing platforms that provide enterprise-style tooling to low-skill cybercriminals, elevating risk to organizations relying on traditional anti-phishing defenses.