
Microsoft, Google, Apple logins targeted by phishing kit using real websites


A newly identified phishing platform called Starkiller uses legitimate websites in real time to capture credentials and bypass multifactor authentication.


What happened

A phishing platform known as Starkiller enables cybercriminals to steal login credentials by loading legitimate websites rather than fake copies. According to Cybernews, researchers discovered that the kit operates as a subscription-based service run by a group calling itself Jinkusu and is designed to proxy live login pages for brands including Microsoft, Google, Apple, Facebook, Amazon, Netflix and PayPal. Rather than replicating sign-in pages, the platform sits between the victim and the real service and captures authentication data as it passes through. The kit is marketed as a credential-harvesting platform that bypasses multifactor authentication, and operators are supported through a community forum where tactics and troubleshooting are shared.


Going deeper

Starkiller functions as a man-in-the-middle proxy. In a man-in-the-middle attack, an attacker secretly intercepts communication between a user and a legitimate service. The platform launches a headless Chrome instance (a browser that runs without a visible interface) inside a Docker container (an isolated application environment). It loads the legitimate website in real time and forwards authentication attempts to the genuine service while capturing credentials and session tokens. Because users are interacting with the real site through the proxy, one-time passcodes are accepted by the real service, and the authenticated session cookie it returns passes through the attacker's infrastructure on the way back to the victim. The kit also includes URL masking techniques that exploit the rarely used userinfo component of a web address: a trusted brand name is placed before the at symbol, where browsers treat it as a username and ignore it, while the attacker's domain after the at symbol is the host actually contacted. In an email or chat message the first domain a reader sees is the familiar brand, which makes detection more difficult. An operator dashboard allows attackers to monitor sessions live, view device and location data, inject additional prompts, or terminate sessions without the victim's awareness.
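To show concretely how the at-symbol masking described above works, here is an added Python example (not code from the Starkiller kit or from the Cybernews report) that splits a URL the way a browser does and reports which host is actually contacted. The sample URLs, the placeholder domain proxy-host.example and the trusted-suffix allow-list are constructed for illustration.

```python
"""Show which host a browser actually connects to for a userinfo-masked URL.

Added example, not code from the Starkiller kit or the Cybernews report.
RFC 3986 allows an optional "userinfo@" component before the host, so in
https://login.microsoftonline.com@proxy-host.example/... the brand name is
merely a username and proxy-host.example is the server contacted.
The URLs, the placeholder domain and the trusted-suffix list are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample URLs; proxy-host.example is a placeholder, not a real indicator.
SAMPLE_URLS = [
    "https://login.microsoftonline.com@proxy-host.example/common/oauth2/authorize",
    "https://accounts.google.com:443@proxy-host.example/signin/v2",
    "https://appleid.apple.com/auth/authorize",
]

# Assumed allow-list of legitimate login domains for brands named in the article.
TRUSTED_SUFFIXES = ("microsoftonline.com", "google.com", "apple.com")


def real_host(url: str) -> str:
    """Return the host a browser would connect to (everything after the last '@')."""
    # urlsplit() treats text before '@' as userinfo; .hostname is the true host,
    # lower-cased and with any port removed.
    return urlsplit(url).hostname or ""


def masked_brand(url: str) -> Optional[str]:
    """Return the decoy text shown before '@', or None if the URL has no userinfo."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return None
    return netloc.rsplit("@", 1)[0]


def _under(host: str, suffixes) -> bool:
    """True when host equals one of the suffixes or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def is_masked(url: str, trusted_suffixes=TRUSTED_SUFFIXES) -> bool:
    """True when a trusted brand appears only as userinfo while the real host is untrusted."""
    decoy = masked_brand(url)
    if decoy is None:
        return False
    # A decoy may carry a fake ":443" or ":password" suffix; keep only its host part.
    decoy_host = decoy.split(":", 1)[0].lower()
    return _under(decoy_host, trusted_suffixes) and not _under(real_host(url), trusted_suffixes)


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u}\n  decoy={masked_brand(u)!r} real_host={real_host(u)!r} masked={is_masked(u)}")
```

The same split is what a mail gateway or URL-rewriting proxy should apply before reputation lookups: scoring the decoy brand instead of the real host is exactly the mistake the masking relies on.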


What was said

Researchers described the kit as one that "proxies live login pages, bypasses MFA, and provides cybercriminals with a full credential-harvesting platform for a monthly fee," according to Cybernews. The researchers also warned, "Recipients are served genuine page content directly through the attacker's infrastructure, ensuring the phishing page is never out of date." They added that "because the end user is actually authenticating with the real site through the proxy, any one-time codes or authentication tokens they submit are forwarded to the legitimate service in real time." The researchers further stated that the emergence of platforms like Starkiller indicates a step toward "commoditized, enterprise-style cybercrime tooling."


In the know

Adversary-in-the-middle (AiTM) phishing is an attack method in which cybercriminals place themselves between a user and a legitimate website to capture login credentials and active session data in real time. According to Microsoft, these attacks can bypass multifactor authentication (MFA) by using a reverse proxy, which relays traffic between the victim and the real service while silently recording credentials and the session cookie issued after MFA succeeds. Reporting from The Hacker News explains that victims are tricked into signing in through an attacker-controlled page that mirrors the real site, enabling attackers to intercept usernames, passwords and authenticated sessions without alerting the user. Any MFA method whose proof can be typed or approved by the user, such as SMS or app-generated codes and push notifications, is vulnerable in this way, because the proxy simply forwards the code or the approved login to the real service.


The big picture

The Verizon Data Breach Investigations Report has identified credential theft through phishing as a leading breach entry point for more than a decade, and Verizon reports that 79% of web application breaches stem from stolen credentials. Taken together, these findings suggest attackers are prioritizing identity-based access over traditional malware, which is why advanced phishing toolkits remain a profitable and persistent threat vector.


FAQs

How does a man-in-the-middle phishing kit bypass multifactor authentication?

The kit intercepts the login in real time: the username, password and one-time code the victim types are forwarded to the legitimate service, which accepts them because they are genuine. The service then returns an authenticated session cookie through the proxy, and the attacker keeps a copy. Replaying that cookie lets the attacker act as the victim without being challenged for MFA again.


Why is using real websites more convincing than traditional phishing pages?

Victims see genuine page content rendered directly from the legitimate site, reducing visual inconsistencies or outdated branding that often signal phishing attempts.


What is a headless Chrome instance in this context?

It is a browser that runs without a visible interface, allowing attackers to automate website loading and proxying inside controlled server environments. Here it renders the genuine login page on the attacker's server, so the content relayed to the victim is always current.


Why is Starkiller described as commoditized cybercrime tooling?

The kit is sold as a subscription service, supported through community forums, and updated like commercial software, lowering the barrier for less technical operators to launch credential theft campaigns.


How can organizations defend against this type of phishing?

Defenses should include monitoring for anomalous login behavior, detecting session tokens reused from unexpected locations or devices, enforcing strong conditional access policies (for example, requiring a managed or compliant device), shortening session lifetimes and revoking sessions when compromise is suspected, and analyzing authentication context rather than relying solely on domain reputation or page appearance. Most importantly, phishing-resistant MFA such as FIDO2/WebAuthn security keys or passkeys is not defeated by a proxy: the authenticator's signed response is bound to the origin of the site requesting it, so a response produced for the attacker's domain is not valid at the genuine service, and there is no one-time code for the kit to relay.
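As an added example of the session-token-reuse check mentioned above (not code from the article or from any identity product), the following Python flags a session identifier that is used from a different IP address or country shortly after the sign-in that created it, which is the footprint an AiTM replay leaves. The log records and their field names (ts, user, session_id, ip, country, event, mfa) are constructed; a real identity provider's schema will differ.

```python
"""Flag session identifiers reused from a second network location.

Added example, not from the article or any vendor product. After an AiTM
login the victim has satisfied MFA and the attacker replays the captured
session cookie from their own infrastructure, so the same session shows up
from a new IP address or country shortly after the original sign-in.
The records and their field names (ts, user, session_id, ip, country,
event, mfa) are constructed; a real identity provider's schema differs.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log (JSON lines). Session s-1001 is created from the
# US and used again from NL eleven minutes later; s-2002 is benign.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:00Z","user":"alice@example.com","session_id":"s-1001","ip":"203.0.113.10","country":"US","event":"signin","mfa":"satisfied"}
{"ts":"2024-05-01T09:05:00Z","user":"bob@example.com","session_id":"s-2002","ip":"203.0.113.44","country":"US","event":"signin","mfa":"satisfied"}
{"ts":"2024-05-01T09:11:00Z","user":"alice@example.com","session_id":"s-1001","ip":"198.51.100.77","country":"NL","event":"session_use","mfa":"not_required"}
{"ts":"2024-05-01T13:00:00Z","user":"bob@example.com","session_id":"s-2002","ip":"203.0.113.44","country":"US","event":"session_use","mfa":"not_required"}
"""


def parse_log(text: str) -> list:
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def find_session_replays(events: list, window_minutes: int = 720) -> list:
    """Alert when a session is used from a different IP or country than the
    sign-in that created it, within window_minutes of that sign-in.

    The first event for each session_id is taken as the origin and every
    later use is compared against it rather than against the previous use,
    so an attacker alternating with the victim still trips the rule.
    """
    window = timedelta(minutes=window_minutes)
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)

    alerts = []
    for sid, uses in by_session.items():
        origin = uses[0]
        for use in uses[1:]:
            moved = use["ip"] != origin["ip"] or use["country"] != origin["country"]
            if moved and use["ts"] - origin["ts"] <= window:
                alerts.append({
                    "user": use["user"],
                    "session_id": sid,
                    "origin_ip": origin["ip"],
                    "origin_country": origin["country"],
                    "replay_ip": use["ip"],
                    "replay_country": use["country"],
                    "minutes_after": int((use["ts"] - origin["ts"]).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for a in find_session_replays(parse_log(SAMPLE_LOG)):
        print(f"possible session replay: {a}")
```

In production the same rule runs over the identity provider's interactive and non-interactive sign-in logs, keyed on whatever session or refresh-token identifier the provider exposes, and is tuned for legitimate mobility such as VPN exits and mobile carrier networks. A hit should trigger session revocation, not just a ticket, because the attacker already holds a valid cookie.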

