New Starkiller Phishing Framework Bypasses MFA Security

Overview

A new phishing framework called Starkiller is raising the bar for “phishing-as-a-service” by serving victims real login pages of major brands through attacker infrastructure, making it difficult to distinguish from legitimate sites. This approach allows attackers to capture credentials and session cookies/tokens even after multi-factor authentication (MFA) has been completed.

How Starkiller Works

Unlike traditional phishing kits that host static HTML clones, Starkiller uses a headless Chrome browser inside a Docker container. It loads the target brand’s real site and proxies traffic between the victim and the legitimate service, delivering genuine HTML/CSS/JavaScript to the victim while keeping the attacker “in the middle.”

Features

The platform offers a polished control panel where operators can paste a brand’s website URL and deploy phishing flows with minimal technical effort. It includes:

  • Real-time session monitoring
  • Keystroke logging
  • Geo-tracking
  • Automated Telegram alerts
  • Campaign-style analytics such as visits and conversion rates

MFA Bypass Capability

The core selling point of Starkiller is its ability to bypass MFA. Since the victim genuinely authenticates to the real site through a proxy, the attacker can capture session cookies and tokens after MFA has been completed.

URL Masking and Brand Impersonation

The platform supports brand impersonation choices (e.g., major consumer and enterprise providers), keyword modifiers, and built-in URL shorteners to obscure the true destination. One technique described is the “@” (userinfo) URL trick, where content before “@” is treated as user info and the real destination comes after it.

Defenses

The core defensive shift is to treat this as session hijacking at scale:

  • Prioritize phishing-resistant authentication (FIDO/WebAuthn or PKI) for high-value users and apps
  • Hunt for identity signals that survive perfect-looking pages: anomalous sign-ins, session token reuse from unexpected locations, and other behavioral patterns
  • Tighten email and URL controls: expand short links, flag “@” userinfo patterns, and train users to verify the real domain (the part after “@” if present)
  • Assume rapid follow-on: revoke active sessions, reset credentials, and review sign-in logs for token replay and new device registrations
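Two of the checks above can be automated. The following is an added example (not from the original article or the Starkiller operators' code): it extracts the real destination host of a URL and flags the “@” userinfo trick, and it flags a session token observed from more than one country/ASN. All URLs, tokens and sign-in events are constructed sample data.

```python
"""Defensive checks for two indicators from the Starkiller write-up:
the "@" userinfo URL trick and session-token reuse from unexpected
locations. Added example; URLs, tokens and events are constructed."""
from collections import defaultdict
from urllib.parse import urlsplit


def inspect_url(url: str) -> dict:
    """Return the real destination host and flag a userinfo component.
    Browsers navigate to the hostname after '@'; text before it is
    ignored, so attackers place the brand name there as a decoy."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    has_userinfo = parts.username is not None or parts.password is not None
    # Heuristic: userinfo that contains a dot looks like a domain name,
    # which is the decoy pattern described in the article.
    lookalike = has_userinfo and "." in (parts.username or "")
    return {"real_host": host, "has_userinfo": has_userinfo,
            "userinfo_trick": lookalike}


def find_token_reuse(events):
    """Group sign-in events by session token and return tokens seen
    from more than one (country, ASN) pair: the token issued to the
    victim's browser later appearing from proxy infrastructure."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["token"]].add((ev["country"], ev["asn"]))
    return {tok: sorted(locs) for tok, locs in seen.items() if len(locs) > 1}


# Constructed sample data (RFC 5737 documentation address, private ASNs)
SAMPLE_URLS = [
    "https://login.example-brand.com/",
    "https://login.example-brand.com@203.0.113.10/auth",
    "https://user:pw@intranet.example.net/",
]
SAMPLE_EVENTS = [
    {"token": "sess-A", "country": "JP", "asn": "AS64500"},
    {"token": "sess-A", "country": "NL", "asn": "AS64511"},
    {"token": "sess-B", "country": "JP", "asn": "AS64500"},
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", inspect_url(u))
    print(find_token_reuse(SAMPLE_EVENTS))
```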

Original article: https://gbhackers.com/new-starkiller-phishing-framework/