New Phishing Suite Bypasses MFA Using Reverse Proxy

Cybersecurity researchers have identified a new and sophisticated phishing platform that is being used to circumvent multi-factor authentication protections. The toolkit, named Starkiller, employs a technique known as an adversary-in-the-middle reverse proxy to steal login credentials and one-time codes in real time.

How the Starkiller Platform Operates

The threat group behind the platform, calling itself Jinkusu, advertises it as a service for cybercriminals. Customers are granted access to a dashboard where they can select a well-known brand to impersonate or directly input a legitimate company’s web address. The system then creates a fraudulent but convincing copy of the brand’s login page.

When a target user visits the phishing link, their traffic is routed through the attacker’s proxy server. This server sits between the user and the genuine website, silently intercepting and forwarding data both ways. This allows the attacker to capture not only usernames and passwords but also the time-sensitive codes generated for multi-factor authentication, effectively neutralizing a key security layer.
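Because the proxy terminates every victim's session and replays it to the real site, the legitimate service sees many unrelated accounts logging in from one egress address with a different browser fingerprint each time. The following detection heuristic is an added example written for this article; it is not code from the researchers, from the Starkiller platform, or from any vendor. It runs over a constructed authentication log (the line format, the IP addresses and the account names are all invented for the example) and flags source IPs that complete logins for several distinct accounts with several distinct User-Agent strings inside a short sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not real data).
# Assumed format: ISO timestamp, client IP, event, account, quoted User-Agent.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.7 LOGIN_OK alice "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
2024-05-01T09:00:45Z 203.0.113.7 LOGIN_OK bob "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1"
2024-05-01T09:01:30Z 203.0.113.7 LOGIN_OK carol "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4) Mobile/15E148"
2024-05-01T09:02:10Z 203.0.113.7 LOGIN_OK dave "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
2024-05-01T09:05:00Z 198.51.100.20 LOGIN_OK erin "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
2024-05-01T09:06:00Z 198.51.100.20 LOGIN_OK erin "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
2024-05-01T10:30:00Z 192.0.2.55 LOGIN_OK frank "Mozilla/5.0 (Windows NT 10.0) Edge/124.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        ts, ip, event, user, ua = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "event": event, "user": user, "ua": ua,
        })
    return events


def find_proxy_candidates(events, window=timedelta(minutes=10),
                          min_users=3, min_uas=3):
    """Return {ip: sorted accounts} for source IPs that, inside any sliding
    window of length `window`, completed logins for at least `min_users`
    distinct accounts using at least `min_uas` distinct User-Agent strings.
    A reverse-proxy phishing host funnels many victims through one address
    while each victim's own browser supplies the User-Agent, which is the
    pattern this heuristic looks for."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_OK":
            by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span fits inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            uas = {e["ua"] for e in win}
            if len(users) >= min_users and len(uas) >= min_uas:
                # report every account this IP has logged into, for triage
                flagged[ip] = sorted({e["user"] for e in evs})
                break
    return flagged


if __name__ == "__main__":
    for ip, users in find_proxy_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"possible AitM proxy egress {ip}: accounts {', '.join(users)}")
```

Shared corporate NAT gateways and VPN egress points produce the same many-users-one-IP shape, so in practice this signal is combined with others (the IP's hosting provider or ASN, whether the address has ever been seen for these accounts before, and whether the session cookie is later used from a different address than the one that logged in) before anyone is locked out or an alert is paged.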

The Significance of the Threat

The emergence of tools like Starkiller represents a significant escalation in the phishing landscape. Multi-factor authentication has long been a recommended and highly effective defense against account takeover. By automating the process of bypassing MFA, such platforms lower the technical barrier for less skilled attackers, potentially leading to a wider surge in successful account compromises.

Security experts note that because the proxy serves the actual, live website to the victim, the phishing page often contains legitimate logos, formatting, and even functional links, making it exceptionally difficult for users to distinguish from the real site. The attack is effective even against app-based authenticators and hardware security keys in certain configurations.

Mitigation and Recommended Defenses

Organizations and individuals are advised to enhance their vigilance. Security awareness training should now include warnings about these advanced proxy-based phishing attacks, often called “real-time phishing” or “adversary-in-the-middle” attacks. Users should be trained to carefully check the URL in the browser’s address bar, even when a site looks authentic.

For enterprises, implementing phishing-resistant forms of MFA, such as FIDO2/WebAuthn security keys, is considered the strongest countermeasure. These protocols are designed to be resilient against proxy-based interception. Additionally, network-level defenses and email security solutions that can detect and block phishing links remain critical components of a layered security strategy.
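The reason a FIDO2/WebAuthn assertion survives a reverse proxy while a one-time code does not is that the browser, not the web page, writes the origin the user is actually visiting into the signed data, and the relying party checks it. The model below is an added example written for this article, not code from any WebAuthn library or from the page's sources. To stay standard-library only it uses an HMAC as a stand-in for the authenticator's real asymmetric (ECDSA) signature, and the relying-party ID, origins, challenge and credential key are all constructed values. It runs the same login ceremony three ways: from the genuine origin, from a proxy's look-alike origin, and from the proxy after it edits the origin field, and shows what the relying party's verification returns in each case.

```python
import hashlib
import hmac
import json

# Constructed values for the example (not real hosts or keys).
RP_ID = "login.example-bank.test"
RP_ORIGIN = "https://login.example-bank.test"
PHISH_ORIGIN = "https://login.example-bank.test.evil.example"
CREDENTIAL_KEY = hashlib.sha256(b"constructed-registered-credential").digest()
CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed, base64url in real flows


def authenticator_sign(credential_key: bytes, data: bytes) -> bytes:
    """Stand-in for the authenticator's private-key signature (real WebAuthn
    uses ECDSA/P-256 or another asymmetric scheme; HMAC keeps this runnable
    without third-party packages)."""
    return hmac.new(credential_key, data, hashlib.sha256).digest()


def browser_get_assertion(credential_key: bytes, rp_id: str, origin: str,
                          challenge: str) -> dict:
    """Model of navigator.credentials.get(). The browser fills in the origin
    of the top-level page itself; the page's JavaScript cannot change it."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": challenge,
        "origin": origin,
    }).encode()
    # authenticatorData: rpIdHash (32 bytes) + flags (UP set) + 4-byte counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {
        "clientDataJSON": client_data,
        "authenticatorData": auth_data,
        "signature": authenticator_sign(credential_key, signed),
    }


def rp_verify(credential_key: bytes, rp_id: str, expected_origin: str,
              expected_challenge: str, assertion: dict):
    """Relying-party checks in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch"
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not hmac.compare_digest(authenticator_sign(credential_key, signed),
                               assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def run_ceremony(client_origin: str, proxy_rewrites_origin: bool = False):
    """One login: the RP issues CHALLENGE, the browser at `client_origin`
    answers it, and the RP verifies. If `proxy_rewrites_origin` is set the
    relaying proxy edits clientDataJSON to claim the genuine origin."""
    assertion = browser_get_assertion(CREDENTIAL_KEY, RP_ID, client_origin, CHALLENGE)
    if proxy_rewrites_origin:
        cd = json.loads(assertion["clientDataJSON"])
        cd["origin"] = RP_ORIGIN
        assertion["clientDataJSON"] = json.dumps(cd).encode()  # signature no longer covers this
    return rp_verify(CREDENTIAL_KEY, RP_ID, RP_ORIGIN, CHALLENGE, assertion)


if __name__ == "__main__":
    print("genuine origin:        ", run_ceremony(RP_ORIGIN))
    print("via phishing proxy:    ", run_ceremony(PHISH_ORIGIN))
    print("proxy rewrites origin: ", run_ceremony(PHISH_ORIGIN, proxy_rewrites_origin=True))
```

In a real browser the ceremony fails even earlier: the page at the look-alike origin may not request a credential for an RP ID it is not a registrable-domain suffix of, so no assertion is produced at all. A six-digit TOTP code, by contrast, carries no origin or challenge, which is why a proxy can forward it unchanged and have it accepted.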

Ongoing Investigations and Future Outlook

Security firms are actively monitoring the Starkiller platform and the activities of the Jinkusu group. Indicators of compromise associated with their infrastructure are being shared within the cybersecurity community to aid in detection. Law enforcement agencies in multiple jurisdictions are likely tracking the group’s operations, though no public statements have been made regarding arrests.

Researchers anticipate that the techniques pioneered by Starkiller will be copied and integrated into other phishing-as-a-service offerings in the coming months. This trend underscores the continuous arms race between cyber defenders and criminal actors, where defensive advancements like MFA are met with increasingly sophisticated offensive tools designed to negate them.

Source: Multiple cybersecurity research publications