Starkiller: the phishing kit that sits between the victim and the real site to defeat MFA

Published · 5 min read

A new phishing kit called Starkiller has set off alarms in the cybersecurity world. Researchers have found that this service does not limit itself to replicating fake pages: it acts as a live intermediary between the victim and the legitimate site, which lets it bypass many traditional protections, including multifactor authentication (MFA).

According to the analysis published by Abnormal Security, Starkiller is marketed as a platform that makes it easy to create and manage fraudulent campaigns: from a control panel, attackers can choose which brand to impersonate, enter the real target URL, combine keywords such as "login" or "verify" to disguise links, and integrate URL shorteners to hide the final destination. You can read Abnormal's report here: abnormal.ai - Starkiller.

Image generated with AI.

The technique it uses is technically simple but dangerous: a headless Chrome instance is launched inside a Docker container, the legitimate website is loaded, and the container acts as a reverse proxy. In this way, the victim sees genuine content served through the attacker's infrastructure, and every interaction (each click, form submission and session token) passes through the attacker's hands. Using headless Chrome and containers lets the operator automate and scale this operation with low technical requirements.

The risk is twofold: on the one hand, the page the victim sees is always up to date because it is fetched directly from the real site; on the other, because there are no static templates of the fake page, fingerprint-based detection systems have less chance of identifying the scam. Abnormal points out that this combination of URL obfuscation, session hijacking and a real-time proxy makes the deception an accessible tool even for attackers with few technical skills.
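Because the proxy relays a genuine login, the authentication itself looks normal and the telltale sign is what happens to the session afterwards: the token is minted for the proxy's address and then used from the attacker's. The following detection heuristic is an added example (not code from the article or from Abnormal's report) that runs over constructed log records in a simplified schema of my own; the /24 comparison stands in for a real ASN lookup.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records in a simplified log schema (an assumption, not a
# real product's format): the MFA completion and later requests of a session.
LOGS = [
    {"ts": "2024-05-01T09:00:00", "user": "ana", "event": "mfa_success",
     "session": "s1", "ip": "203.0.113.10"},
    {"ts": "2024-05-01T09:00:05", "user": "ana", "event": "request",
     "session": "s1", "ip": "203.0.113.10"},
    # same session token, two minutes later, from an unrelated network
    {"ts": "2024-05-01T09:02:00", "user": "ana", "event": "request",
     "session": "s1", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "event": "mfa_success",
     "session": "s2", "ip": "192.0.2.20"},
    {"ts": "2024-05-01T10:30:00", "user": "bob", "event": "request",
     "session": "s2", "ip": "192.0.2.20"},
]

def same_network(ip_a, ip_b, prefix=24):
    """Crude stand-in for an ASN lookup: same /24 counts as the same network."""
    return ip_address(ip_a) in ip_network(f"{ip_b}/{prefix}", strict=False)

def find_session_replays(logs, window=timedelta(minutes=10)):
    """Flag sessions whose token is used from a different network than the one
    that completed MFA, shortly after authentication. In a reverse-proxy phish
    the proxy completes the login, so its address is the recorded auth_ip."""
    origin = {}   # session id -> (user, ip that passed MFA, time it passed)
    alerts = []
    for rec in sorted(logs, key=lambda r: r["ts"]):
        ts = datetime.fromisoformat(rec["ts"])
        if rec["event"] == "mfa_success":
            origin[rec["session"]] = (rec["user"], rec["ip"], ts)
            continue
        if rec["session"] not in origin:
            continue          # no authentication seen for this token
        user, auth_ip, auth_ts = origin[rec["session"]]
        if ts - auth_ts <= window and not same_network(rec["ip"], auth_ip):
            alerts.append({"user": user, "session": rec["session"],
                           "auth_ip": auth_ip, "use_ip": rec["ip"],
                           "seconds_after_mfa": int((ts - auth_ts).total_seconds())})
    return alerts
```

A hit on a freshly authenticated session is a reason to revoke that token and re-challenge the user, not just to log it.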

Starkiller fits into a broader trend: phishing kits that evolve into "fraud-as-a-service" models while incorporating techniques to capture not only credentials but also one-time codes, tokens and other authentication factors. A close example is the progression observed by Datadog in the 1Phish kit, which went from a simple credential harvester to a platform capable of filtering out bots, capturing OTP and recovery codes, and implementing browser fingerprinting logic to improve success rates. Datadog's analysis explains how each iteration adds controls to evade automated analysis and increase effectiveness: securitylabs.datadoghq.com - 1Phish.

Moreover, approaches that use legitimate protocols to obtain persistent access are not rare. KnowBe4 researchers documented a campaign that abuses the OAuth 2.0 device authorization flow to convince users to enter a temporary code on Microsoft's legitimate website; when the victim does, the attacker receives a valid OAuth token that gives them access to the mailbox or corporate data. This kind of deception shows that sending the victim to legitimate domains does not prevent account takeover if the authorization process itself is manipulated: KnowBe4 - campaign that evades MFA.

Financial institutions have not been immune either. A recent report by BlueVoyant describes campaigns targeting banks and credit unions in the US that used look-alike domains and multi-layer evasion chains: fake CAPTCHAs, deliberate delays, Base64-encoded scripts and redirects designed to confuse both victims and automated scanners. This approach makes the attack look legitimate to the naked eye and complicates its detection by automated tools: bluevoyant.com - campaign against the financial sector.

Given this scenario, the lesson is clear: traditional MFA based on SMS codes or OTP apps is no longer enough if the adversary captures the code in real time or tricks the user into granting legitimate access. This is why experts insist on moving towards authentication methods that are inherently phishing-resistant, such as the FIDO2 standards and physical security keys, which prevent a third party from reusing credentials or tokens issued for another session. To learn more about these methods, the FIDO Alliance offers useful resources: fidoalliance.org.


At the organizational level, defenses must combine technical controls with policies and monitoring. This means limiting and auditing the registration of applications that can request tokens, applying strict consent policies on cloud platforms, monitoring OAuth grants, and detecting abnormal use of sessions and tokens. Microsoft has documentation on the device code flow and the controls that help mitigate its abuse: learn.
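One concrete piece of the monitoring described here, for the device authorization flow abuse covered earlier, is to triage device-code sign-ins. The block below is an added example (not code from the article, KnowBe4 or Microsoft): it keys on the Entra ID sign-in log field "authenticationProtocol", which records "deviceCode" for that grant, while the other fields, the sample records and the allow-list of accounts expected to use the flow are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample sign-ins. "authenticationProtocol" is the Entra ID
# sign-in log field that records "deviceCode" for the device authorization
# grant; the remaining fields are a trimmed, constructed subset (assumption).
SIGNINS = [
    {"user": "ana@example.com", "authenticationProtocol": "authorizationCode",
     "ipAddress": "203.0.113.10", "app": "Office 365 Exchange Online", "errorCode": 0},
    {"user": "ana@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "app": "Microsoft Office", "errorCode": 0},
    {"user": "ops@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.20", "app": "Microsoft Azure CLI", "errorCode": 0},
    {"user": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "app": "Microsoft Office", "errorCode": 50126},
]

# Accounts expected to use device code (e.g. admins on headless hosts): assumption.
DEVICE_CODE_ALLOWED = {"ops@example.com"}

def known_ips(signins):
    """Baseline per user: addresses seen on successful non-device-code sign-ins."""
    seen = defaultdict(set)
    for s in signins:
        if s["errorCode"] == 0 and s["authenticationProtocol"] != "deviceCode":
            seen[s["user"]].add(s["ipAddress"])
    return seen

def triage_device_code(signins, allowed=DEVICE_CODE_ALLOWED):
    """Successful device-code sign-ins by users who should not use the flow;
    a source address the user has never used before raises the severity."""
    baseline = known_ips(signins)
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" or s["errorCode"] != 0:
            continue
        if s["user"] in allowed:
            continue
        new_ip = s["ipAddress"] not in baseline[s["user"]]
        findings.append({"user": s["user"], "ip": s["ipAddress"], "app": s["app"],
                         "severity": "high" if new_ip else "medium"})
    return findings

def device_code_ip_clusters(signins):
    """Addresses behind device-code sign-ins (successful or failed) for more than
    one user: several unrelated accounts redeeming codes from one place is a
    signal worth investigating on its own."""
    users_by_ip = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] == "deviceCode":
            users_by_ip[s["ipAddress"]].add(s["user"])
    return {ip: users for ip, users in users_by_ip.items() if len(users) > 1}
```

Where the flow is not needed at all, blocking it by policy removes the need for this triage entirely.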

There is no silver bullet: effective security against these campaigns requires layers. Advanced mail filtering, link behavior analysis, browser isolation to open suspicious sites in controlled environments, and an employee awareness culture all reduce risk. It is also important that organizations have rapid detection and response in place to revoke compromised permissions and tokens and limit damage when an incident occurs.

The industry is moving forward, and the good news is that public research and intelligence sharing help identify patterns and protect infrastructure. The flip side is that fraud continues to be professionalized and offered as a service, which demands a coordinated response between security vendors, companies and users. Staying informed, adopting phishing-resistant authentication and monitoring the use of OAuth and tokens are essential steps to avoid becoming the next victim.
