
Feb 23, 2026 · 5 min read

This Phishing Service Shows You the Real Login Page—And Steals Everything You Type

Starkiller does not clone login pages. It loads the real thing—and watches from the other side.

Most phishing kits work by creating fake copies of login pages. The fonts are slightly off, the layout is outdated, and security researchers can blocklist the templates. A new phishing platform called Starkiller throws that entire approach away. Instead, it loads the actual login page from Google, Microsoft, or whichever service it is targeting—and acts as an invisible relay between you and the real site.

The result is a phishing attack that looks perfect because it is the real page. And your multifactor authentication will not save you.


How Starkiller Works

Starkiller is built on a reverse proxy architecture. When a victim clicks a phishing link, the platform spins up a headless Chrome instance inside a Docker container and loads the legitimate login page of the targeted service. The victim sees and interacts with the real website—every button, every font, every security badge is authentic because it is the real page.

But every keystroke passes through the attacker's infrastructure first. When you enter your username, Starkiller captures it and forwards it to the real site. When you enter your password, same thing. When the site asks for your MFA code and you type it in, Starkiller intercepts the code and submits it to the legitimate service in real time—before the code expires.

The attacker now has your active session tokens, your cookies, and full access to your account. You successfully authenticated. So did they.

Why Traditional Defenses Fail

Conventional phishing detection relies on identifying fake pages. Security vendors maintain databases of known phishing templates and block URLs that serve cloned login forms. Starkiller renders this approach useless because there are no template files to blocklist. The page served to victims is the genuine article, loaded fresh from the legitimate service each time.

Multifactor authentication, long considered the gold standard for account protection, is equally ineffective. MFA works by requiring something you know (a password) and something you have (a phone or hardware key). But when the attacker sits between you and the real service, they simply relay both factors in real time. The authentication works exactly as designed—it just happens to pass through a man in the middle.

Phishing as a Subscription Service

Starkiller is not a tool built by nation-state hackers for targeted espionage. It is a commercial product, sold as a subscription-based SaaS platform by a threat group called Jinkusu. The service includes regular platform updates, customer support via Telegram, and campaign analytics showing visit counts, conversion rates, and performance metrics.

The platform targets major services including Google, Microsoft, Facebook, Apple, Amazon, Netflix, PayPal, and various banking sites. Operators can launch attacks without understanding reverse proxies, certificate management, or Docker. They just pick a brand and click start.

Additional features are available as add-ons: real-time session monitoring that lets attackers watch victims' screens live, automated Telegram alerts when new credentials arrive, email harvesting from compromised sessions for follow-on campaigns, and URL masking through shortening services to disguise malicious links.

The URL Trick

Starkiller uses a clever URL obfuscation technique that exploits the "@" symbol. URLs like login.microsoft.com@[malicious-domain] appear to point to Microsoft but actually route to the attacker's server. The text before the "@" symbol is treated as authentication credentials by browsers, not as the domain name—but most users do not know that.

Combined with URL shortening services, these links become nearly impossible for average users to inspect before clicking.

How to Protect Yourself

Standard MFA codes sent via SMS or authenticator apps cannot stop proxy-based attacks. But some defenses still work:

  • Hardware security keys (FIDO2/WebAuthn) are the strongest defense. They verify not just your identity but the domain you are authenticating with, making proxy attacks impossible.
  • Passkeys offer similar protection by binding authentication to specific domains.
  • Never click login links in emails. Navigate to services directly by typing the URL or using bookmarks.
  • Inspect URLs carefully before entering credentials. Look for the "@" symbol and verify the actual domain after it.
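To make the "@" rule from the URL Trick section and the last checklist item concrete, here is an added example (not from the article or from Abnormal's research) that extracts the host a browser will actually connect to and flags links whose userinfo is dressed up as a brand domain. The sample links, the placeholder attacker hosts and the trusted-host list are constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed sample links modelled on the '@' trick the article describes.
# These are not real Starkiller URLs; the attacker hosts are placeholders.
SAMPLE_LINKS = [
    "https://login.microsoft.com@proxy-host.example/common/oauth2/v2.0",
    "accounts.google.com@203.0.113.10/signin",   # no scheme, as pasted in chat
    "https://accounts.google.com/ServiceLogin",
    "https://user:secret@accounts.google.com/ServiceLogin",
]

TRUSTED_HOSTS = {"login.microsoft.com", "accounts.google.com"}


def normalize(url: str) -> str:
    """Prepend https:// when the link has no scheme, as a browser would."""
    return url if "://" in url else "https://" + url


def real_host(url: str) -> str:
    """Return the host the browser will actually connect to.

    RFC 3986 defines everything before the last '@' in the authority as
    userinfo, not the host; urlsplit applies that rule, so the real host
    is whatever follows the '@'.
    """
    return (urlsplit(normalize(url)).hostname or "").lower()


def looks_like_host_spoof(url: str, trusted=TRUSTED_HOSTS) -> bool:
    """Flag a link whose userinfo is dressed up as a trusted hostname.

    Heuristic: userinfo is present, the real host is not trusted, and the
    userinfo names a trusted host or merely looks like one (contains a dot).
    Genuine Basic-auth URLs that point at a trusted host are left alone.
    """
    parts = urlsplit(normalize(url))
    if parts.username is None:
        return False
    user, host = parts.username.lower(), (parts.hostname or "").lower()
    if host in trusted:
        return False
    return user in trusted or "." in user


def triage(links):
    """Return (link, real host, flagged) for each link, for a quick report."""
    return [(u, real_host(u), looks_like_host_spoof(u)) for u in links]


if __name__ == "__main__":
    for link, host, flagged in triage(SAMPLE_LINKS):
        print(f"{'SUSPECT' if flagged else 'ok     '}  host={host:<22} {link}")
```

The same check can be dropped into a mail-gateway or chat-bot link scanner; shortened links must be expanded first, since the heuristic only sees the final URL.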

The researchers who discovered Starkiller—Callie Baron and Piotr Wojtyla at Abnormal AI—put it bluntly: MFA protections can be "effectively neutralized despite functioning exactly as designed." The only authentication methods that survive a proxy attack are those that cryptographically bind to the real domain. Everything else is just a speed bump.