Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand’s real website, and then acts as a relay between the victim and the legitimate site — forwarding the victim's username, password, and multi-factor authentication (MFA) code to the legitimate site and returning its responses.
Starkiller dynamically loads a live copy of the real login page and records everything the user types, proxying the data from the legitimate site back to the victim. According to an analysis by security firm Abnormal AI, the service allows customers to select a brand to impersonate (e.g., Apple, Facebook, Google, Microsoft) and generates a deceptive URL that visually mimics the legitimate domain while routing traffic through the attacker’s infrastructure.
The platform also includes keylogger capture for every keystroke, cookie and session token theft for direct account takeover, geo-tracking of targets, and automated Telegram alerts when new credentials are received. The “URL Masker” feature allows configuring the malicious link to appear more legitimate. Starkiller is just one of several cybercrime services offered by a threat group calling itself Jinkusu, which maintains an active user forum where customers can discuss techniques, request features, and troubleshoot deployments.
This service strikes me as a remarkable evolution in phishing, and its apparent success is likely to be copied by other enterprising cybercriminals (assuming the service performs as well as it claims). After all, phishing users this way avoids the upfront costs and constant hassles associated with managing multiple phishing domains, and it disrupts traditional phishing detection methods like domain blocklisting and static page analysis. It also significantly lowers the barrier to entry for novice cybercriminals.
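For defenders, an added illustration that is not part of the original article or of Abnormal AI's analysis: a link triage check that compares the host a browser would actually contact with brand domains that merely appear elsewhere in the URL. The article does not say how the URL Masker disguises links, so the three forms tested here (userinfo before `@`, a brand label inside an unrelated host, a brand domain in the path or query), the allowlist, and the names `BRAND_DOMAINS`, `host_in` and `inspect_link` are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist (assumption): domains each brand really uses for sign-in.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com"},
    "google": {"google.com"},
    "apple": {"apple.com"},
    "facebook": {"facebook.com"},
}

def host_in(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def inspect_link(url):
    """Return (effective_host, findings) for a URL taken from a message."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # urlsplit lowercases the host
    findings = []
    # Anything before '@' is userinfo; the browser does not connect to it.
    if parts.username is not None:
        findings.append("userinfo-present")
    if host_in(host, set().union(*BRAND_DOMAINS.values())):
        return host, findings  # the request really goes to a listed brand domain
    # Text a reader sees in the link that is not the host the browser contacts.
    decoy = f"{parts.username or ''} {parts.path} {parts.query}".lower()
    labels = re.split(r"[.-]", host)
    for brand, domains in BRAND_DOMAINS.items():
        if any(d in decoy for d in domains):
            findings.append(f"{brand}-domain-outside-host")
        if brand in labels:
            findings.append(f"{brand}-label-in-foreign-host")
    return host, findings

# Constructed sample links; example.net and example.org are placeholder hosts.
SAMPLES = [
    "https://login.microsoft.com@relay.example.net/signin",
    "https://accounts.google.com.signin.example.org/",
    "https://example.net/r?next=https://www.facebook.com/login",
    "https://login.microsoftonline.com/common/oauth2",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", inspect_link(url))
```

The matching is by substring and label, so it will also flag some legitimate redirectors; treat a finding as a reason to look at the effective host, not as a verdict.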