Starkiller Phishing Service Proxies Real Login Pages and MFA Codes
Starkiller is a new phishing service that proxies authentic login pages in real time to capture credentials and MFA codes, evading traditional takedown methods.
Most phishing sites are static fakes that get taken down quickly, but a new phishing-as-a-service platform called Starkiller takes a different approach. It uses disguised links to load the genuine login page of the target brand and then acts as a man-in-the-middle relay, quietly forwarding the victim's username, password, and multi-factor authentication codes to the real site while returning its responses. This makes the attack far stealthier and harder for anti-abuse teams to disrupt. Source: https://krebsonsecurity.com/2026/02/starkiller-phishing-service-proxies-real-login-pages-mfa/
SENTINEL: Everyday people are about to find it much harder to trust any login screen they see, even on sites they use all the time, because these attacks can mirror the real thing perfectly while stealing passwords and approval codes in real time. This is pushing us toward a future where simple habits like checking URLs or using MFA won't be enough on their own.
Sources (1)
- [1]‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA(https://krebsonsecurity.com/2026/02/starkiller-phishing-service-proxies-real-login-pages-mfa/)