The Rise of Stealthy Phishing-as-a-Service: Starkiller

The Rise of Stealthy Phishing-as-a-Service: Starkiller

The Rise of Stealthy Phishing-as-a-Service: Starkiller

Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand’s real website, and then acts as a relay between the victim and the legitimate site — forwarding the victim’s username, password and multi-factor authentication (MFA) code to the legitimate site and returning its responses.

How Starkiller Works

According to an analysis of Starkiller by the security firm Abnormal AI, the service lets customers select a brand to impersonate (e.g., Apple, Facebook, Google, Microsoft et. al.) and generates a deceptive URL that visually mimics the legitimate domain while routing traffic through the attacker’s infrastructure.

For example, a phishing link targeting Microsoft customers appears as “login.microsoft.com@[malicious/shortened URL here].” The “@” sign in the link trick is an oldie but goodie, because everything before the “@” in a URL is considered username data, and the real landing page is what comes after the “@” sign.

Technical Details

Once Starkiller customers select the URL to be phished, the service spins up a Docker container running a headless Chrome browser instance that loads the real login page, Abnormal found. The container then acts as a man-in-the-middle reverse proxy, forwarding the end user’s inputs to the legitimate site and returning the site’s responses.

Every keystroke, form submission, and session token passes through attacker-controlled infrastructure and is logged along the way. Starkiller in effect offers cybercriminals real-time session monitoring, allowing them to live-stream the target’s screen as they interact with the phishing page.

Features and Capabilities

The platform also includes keylogger capture for every keystroke, cookie and session token theft for direct account takeover, geo-tracking of targets, and automated Telegram alerts when new credentials come in. Campaign analytics round out the operator experience with visit counts, conversion rates, and performance graphs—the same kind of metrics dashboard a legitimate SaaS platform would offer.

Abnormal said the service also deftly intercepts and relays the victim’s MFA credentials, since the recipient who clicks the link is actually authenticating with the real site through a proxy, and any authentication tokens submitted are then forwarded to the legitimate service in real time.

Impact and Conclusion

Starkiller is just one of several cybercrime services offered by a threat group calling itself Jinkusu, which maintains an active user forum where customers can discuss techniques, request features and troubleshoot deployments. This service strikes me as a remarkable evolution in phishing, and its apparent success is likely to be copied by other enterprising cybercriminals.

After all, phishing users this way avoids the upfront costs and constant hassles associated with juggling multiple phishing domains, and it throws a wrench in traditional phishing detection methods like domain blocklisting and static page analysis.

Frequently Asked Questions

  1. What is Starkiller? Starkiller is a phishing-as-a-service offering that lets customers sidestep traditional pitfalls of phishing by using cleverly disguised links to load the target brand’s real website.
  2. How does Starkiller work? Starkiller generates a deceptive URL that visually mimics the legitimate domain while routing traffic through the attacker’s infrastructure, and acts as a relay between the victim and the legitimate site.
  3. What features does Starkiller offer? Starkiller offers keylogger capture, cookie and session token theft, geo-tracking of targets, and automated Telegram alerts when new credentials come in, as well as campaign analytics.
  4. What is the impact of Starkiller? Starkiller represents a significant escalation in phishing infrastructure, reflecting a broader trend toward commoditized, enterprise-style cybercrime tooling, and gives low-skill cybercriminals access to attack capabilities that were previously out of reach.
  5. How can I protect myself from Starkiller? To protect yourself from Starkiller, be cautious when clicking on links, especially those that appear to be from legitimate sources, and use two-factor authentication whenever possible.