‘Starkiller’ Phishing‑as‑a‑Service Relays Real Login Pages to Harvest Credentials and MFA
What Happened — A new Phishing‑as‑a‑Service (PhaaS) named Starkiller proxies live login pages from targeted brands, forwarding victim‑entered credentials, MFA codes, cookies and session tokens to the legitimate site while logging everything on attacker‑controlled infrastructure.
Why It Matters for TPRM —
- Enables credential‑and‑MFA theft at scale, increasing the risk of account takeover for any third‑party service.
- Bypasses traditional URL‑blocking and takedown tactics by loading the genuine site behind a deceptive URL.
- Provides real‑time session monitoring, giving threat actors immediate visibility into victim behavior and facilitating rapid lateral movement.
Who Is Affected — Organizations across all sectors that rely on cloud‑based SaaS applications (e.g., Microsoft 365, Google Workspace, Apple ID) and any vendor that integrates with these identity providers.
Recommended Actions —
- Review authentication flows for high‑value accounts and enforce conditional access policies that block proxy‑based logins.
- Deploy anti‑phishing solutions that inspect URL structures (e.g., “@” tricks) and enforce safe‑link scanning.
- Enforce MFA methods resistant to real‑time relay attacks (e.g., hardware security keys, push‑notifications with device binding).
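The "@" trick mentioned in the second recommendation is easy to check for mechanically: everything before an "@" in the authority part of a URL is userinfo, which browsers silently discard, so an attacker can place the genuine identity-provider hostname there while the request actually goes to the proxy host after the "@". The following added example (it is not from the advisory or from the Krebs on Security report) is a small URL inspector for a mail or web gateway that flags that trick, brand names embedded in unrecognised hosts, and punycode labels. The identity-provider allowlist, the brand tokens and the sample URLs are constructed assumptions for illustration.

```python
"""
Added example, not part of the advisory: classify submitted login URLs
against a small allowlist of identity-provider hosts and flag the
URL-obfuscation patterns a relay-phishing kit relies on.
"""
from urllib.parse import urlsplit

# Constructed allowlist of legitimate IdP hosts; extend per tenant.
ALLOWED_IDP_HOSTS = {
    "login.microsoftonline.com",
    "accounts.google.com",
    "appleid.apple.com",
}

# Constructed brand tokens that should never appear in a host or userinfo
# that is not on the allowlist.
BRAND_TOKENS = ("microsoft", "office365", "google", "apple", "icloud")

# Findings that are strong enough to block outright rather than review.
BLOCKING_FINDINGS = {"userinfo_trick", "lookalike_host"}


def inspect_url(url: str) -> dict:
    """Return the real destination host, a list of findings and a verdict."""
    # Bare "host/path" strings appear in mail bodies; assume https for parsing.
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    findings = []

    # 1. "@" trick: urlsplit().hostname already discards the userinfo part,
    #    so `host` is where the browser would really connect.
    if parts.username is not None:
        findings.append("userinfo_trick")
        if any(tok in parts.username.lower() for tok in BRAND_TOKENS):
            findings.append("brand_in_userinfo")

    trusted = host in ALLOWED_IDP_HOSTS
    if not trusted:
        # 2. Brand name inside a host we do not recognise, e.g. a proxy
        #    domain shaped like accounts.google.com.<attacker-domain>.
        if any(tok in host for tok in BRAND_TOKENS):
            findings.append("lookalike_host")
        # 3. Punycode labels can render as visually confusable characters.
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append("punycode_host")
        # 4. Brand name only in the path: a weaker signal, worth a review.
        if any(tok in parts.path.lower() for tok in BRAND_TOKENS):
            findings.append("brand_in_path")

    if BLOCKING_FINDINGS.intersection(findings):
        verdict = "block"
    elif trusted and not findings:
        verdict = "allow"
    else:
        verdict = "review"
    return {"host": host, "findings": findings, "verdict": verdict}


def triage(urls):
    """Map each URL to its verdict; convenient for a gateway rule or a report."""
    return {u: inspect_url(u)["verdict"] for u in urls}


# Constructed sample URLs; "evil.example" and friends are placeholders.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.com@evil.example/common/oauth2",
    "https://accounts.google.com.login-verify.example/signin",
    "https://xn--80ak6aa92e.example/login",
    "cdn.example/microsoft/login",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict:7} {url}  {inspect_url(url)['findings']}")
```

The allowlist comparison is the part that matters against a relay kit: the victim's browser always talks to the proxy host, never to the real identity provider, so a login page served from any host outside the allowlist is suspect regardless of how genuine the rendered page looks. The "@" and lookalike checks are cheap first-pass filters; a kit on an innocuous-looking domain will only trip the allowlist rule, which is why the "review" verdict exists.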
Technical Notes — The service spins up a Docker container running headless Chrome, acting as a man‑in‑the‑middle reverse proxy. It captures keystrokes, cookies, session tokens and geo‑location data, and sends Telegram alerts when new credentials arrive. No known CVE is involved; the attack vector is sophisticated phishing using URL obfuscation and live site proxying.
Source: Krebs on Security