Starkiller Phishing Service Deploys Real Login Pages and MFA Proxying

Krebs on Security uncovered a new phishing‑as‑a‑service platform called Starkiller that supplies attackers with fully functional, brand‑accurate login pages for popular SaaS applications. The service goes further by proxying multi‑factor authentication (MFA) requests in real time, allowing threat actors to capture one‑time codes and complete the login flow without alerting the victim.

Because the pages and MFA handling are indistinguishable from legitimate services, credential theft rates have risen sharply, and traditional phishing filters often miss the attacks. Defenders must treat any unexpected MFA prompt as suspicious, enforce phishing‑resistant authentication methods (e.g., hardware tokens or FIDO2), and monitor for anomalous login patterns that could indicate a proxy‑based compromise.

Categories: Threat Intelligence, Identity & Access Management

Source: Read original article