
Starkiller Phishing Service Proxies Real Login Pages to Bypass MFA

February 20, 2026 | Malware & Threats | 2 min read | high

Originally reported by Krebs on Security

#phishing-as-a-service #mfa-bypass #reverse-proxy #session-hijacking #real-time-phishing

TL;DR

The new Starkiller phishing service uses reverse proxy techniques to relay real login pages and intercept MFA tokens in real time, bypassing traditional anti-phishing defenses.

Why high?

An active phishing-as-a-service platform that enables MFA bypass represents a significant escalation in phishing sophistication and poses an immediate threat to organizations relying on traditional MFA protections.

Reverse Proxy Architecture Enables Real-Time Credential Harvesting

Krebs on Security has identified a sophisticated phishing-as-a-service platform called "Starkiller" that fundamentally changes the phishing threat model. Unlike traditional static phishing pages that copy login interfaces, Starkiller operates as a reverse proxy between victims and legitimate websites.

The service loads actual target websites through cleverly disguised URLs, then intercepts and forwards all authentication data, including usernames, passwords, and multi-factor authentication codes, to the legitimate destination in real time. This approach provides two critical advantages over conventional phishing operations:

  • Authentic user experience: Victims interact with genuine login pages, reducing suspicion
  • MFA token interception: Real-time relay enables capture and immediate use of time-sensitive authentication codes

Operational Sophistication

The Starkiller platform addresses traditional phishing operational challenges through technical innovation:

Evasion Mechanisms

  • Disguised URLs that appear legitimate to cursory inspection
  • Real-time proxy infrastructure that presents actual target websites
  • Reduced static content footprint limiting traditional detection methods

Service Model

As a phishing-as-a-service offering, Starkiller lowers the technical barrier for threat actors while providing:

  • Turnkey phishing infrastructure
  • Real-time credential harvesting capabilities
  • Built-in MFA bypass functionality

Impact on Current Defenses

This technique represents a significant escalation in phishing sophistication that challenges existing security assumptions:

Multi-Factor Authentication Bypass: Traditional MFA provides limited protection against real-time relay attacks, as tokens can be captured and immediately forwarded to legitimate services before expiration.

Detection Evasion: Static content analysis and URL reputation systems face reduced effectiveness when confronting proxy-based architectures that serve legitimate content through malicious infrastructure.

User Training Limitations: Standard phishing awareness training emphasizing suspicious URLs and fake login pages becomes less applicable when users interact with genuine website interfaces.

Defensive Considerations

Organizations should evaluate current phishing defenses against proxy-based attack vectors:

  • Implement advanced email security solutions capable of analyzing link destinations beyond surface URLs
  • Consider phishing-resistant authentication methods such as FIDO2/WebAuthn that bind authentication to specific domains
  • Deploy endpoint detection capabilities that can identify suspicious proxy traffic patterns
  • Update security awareness training to address sophisticated phishing techniques beyond static page recognition
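
The domain binding mentioned in the FIDO2/WebAuthn item can be seen in the checks a relying party runs on each login assertion. The sketch below is an added example, not code from Krebs on Security or from this site; the domain names, the `binding_errors` helper, and the sample assertions are constructed for illustration, and signature verification is assumed to happen separately.

```python
import base64
import hashlib
import json

RP_ID = "login.example.com"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # constructed legitimate origin

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding browsers use for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def binding_errors(client_data_json: bytes, authenticator_data: bytes,
                   challenge: bytes) -> list[str]:
    """Return the domain-binding checks an assertion fails (empty list = pass)."""
    errors = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        errors.append("type")
    if client.get("challenge") != b64url(challenge):
        errors.append("challenge")
    # The browser, not the page, writes the origin the user was really on.
    if client.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin")
    # authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4)
    if len(authenticator_data) < 37:
        errors.append("authenticator_data")
        return errors
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        errors.append("rp_id_hash")
    if not authenticator_data[32] & 0x01:      # bit 0 = user present
        errors.append("user_present")
    return errors

def sample_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed input shaped like what a browser and authenticator emit."""
    client = json.dumps({"type": "webauthn.get",
                         "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return client, auth

CHALLENGE = bytes(range(32))                   # constructed server challenge
DIRECT = sample_assertion(EXPECTED_ORIGIN, RP_ID, CHALLENGE)
# Same login reached through a look-alike proxy host (constructed name).
PROXIED = sample_assertion("https://login.example.com.proxy.invalid",
                           "login.example.com.proxy.invalid", CHALLENGE)

if __name__ == "__main__":
    print("direct :", binding_errors(*DIRECT, CHALLENGE))
    print("proxied:", binding_errors(*PROXIED, CHALLENGE))
```

A one-time code carries no record of where it was typed, whereas the assertion is signed over the origin and RP ID hash, so a relay cannot rewrite either value without invalidating the signature.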

Sources

https://krebsonsecurity.com/2026/02/starkiller-phishing-service-proxies-real-login-pages-mfa/
