Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication
Briefly

"It launches a headless Chrome instance - a browser that operates without a visible window - inside a Docker container, loads the brand's real website, and acts as a reverse proxy between the target and the legitimate site. Recipients are served genuine page content directly through the attacker's infrastructure, ensuring the phishing page is never out of date."
"Put differently, the container acts as an AitM reverse proxy, forwarding the end user's inputs entered on the spoofed live page to the legitimate site and returning the site's responses. Under the hood, every keystroke, form submission, and session token is routed through attacker-controlled infrastructure and is captured for account takeover."
"The platform streamlines phishing operations by centralizing infrastructure management, phishing page deployment, and session monitoring within a single control panel. Combined with URL masking, session hijacking, and MFA bypass, it gives low-skill cybercriminals access to attack."
Starkiller is a cybercrime platform operated by the Jinkusu threat group. Rather than hosting a cloned login page, it proxies the brand's real login page through attacker-controlled infrastructure: a headless Chrome instance inside a Docker container loads the genuine site and acts as a reverse proxy, so the victim sees live, always-current content while every keystroke, form submission, and session token passes through, and is recorded by, the attacker's server. Because the victim completes the real MFA prompt, the attacker receives an already-authenticated session cookie and can replay it for account takeover without ever possessing the second factor; this is why OTP codes and push approvals do not protect against AitM, whereas origin-bound authenticators (FIDO2/WebAuthn, passkeys) do, since the assertion is tied to the domain the browser actually connected to. The platform adds a centralized dashboard for choosing target brands, customizing keywords, and integrating URL shorteners to disguise the links, and because there is no static template to fingerprint and the served content is genuine, its pages are harder for security vendors to detect or blocklist.
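The mechanism the summary describes, and the property that defeats it, as an added Python model that is neither Starkiller's code nor anything published by The Hacker News: a toy site with password + TOTP login, a relay that forwards the victim's inputs upstream and keeps the Set-Cookie it gets back, and a WebAuthn-style assertion whose signed data includes the origin the browser actually connected to. The hostnames, the user record, and the use of HMAC in place of the authenticator's public-key signature are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Hostnames are assumptions for the example; nothing here is Starkiller's code.
LEGIT_ORIGIN = "https://login.brand.example"
PHISH_ORIGIN = "https://login-brand.attacker.example"


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; the secret is a constructed toy value."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class LegitSite:
    """Toy relying party: password + TOTP login, plus an origin-bound assertion check."""

    def __init__(self) -> None:
        # Constructed user record; 'authn_key' stands in for a registered FIDO2 credential.
        self.users = {"alice": {"pw": "hunter2",
                                "totp_secret": secrets.token_bytes(20),
                                "authn_key": secrets.token_bytes(32)}}
        self.sessions: dict[str, str] = {}

    def login(self, form: dict, now: int) -> dict:
        u = self.users.get(form.get("user", ""))
        if not u or form.get("password") != u["pw"] or form.get("otp") != totp(u["totp_secret"], now):
            return {"status": 401, "headers": {}, "body": "bad credentials"}
        sid = secrets.token_hex(16)
        self.sessions[sid] = form["user"]
        return {"status": 302, "headers": {"Set-Cookie": f"session={sid}; Secure; HttpOnly"}, "body": ""}

    def whoami(self, cookie_header: str):
        sid = cookie_header.removeprefix("session=").split(";", 1)[0]
        return self.sessions.get(sid)

    def verify_assertion(self, user: str, challenge: bytes, client_origin: str, sig: bytes) -> bool:
        # The origin the browser really talked to is part of the signed client data;
        # the relying party insists it equals its own origin before checking the signature.
        if client_origin != LEGIT_ORIGIN:
            return False
        expected = hmac.new(self.users[user]["authn_key"],
                            challenge + client_origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


class AitMProxy:
    """Relays the victim's requests to the real site and records what passes through."""

    def __init__(self, upstream: LegitSite) -> None:
        self.upstream = upstream
        self.captured: list = []

    def relay_login(self, form: dict, now: int) -> dict:
        self.captured.append(("form", dict(form)))          # credentials and OTP as typed
        resp = self.upstream.login(form, now)
        cookie = resp["headers"].get("Set-Cookie")
        if cookie:
            self.captured.append(("cookie", cookie))         # post-MFA session token
        return resp                                          # victim sees the genuine response

    def relay_assertion(self, user: str, challenge: bytes, origin_seen: str,
                        sig: bytes, rewrite_origin: bool = False) -> bool:
        # The proxy can forward the client data untouched (origin = phishing domain) or
        # rewrite the origin field; it cannot re-sign, since it lacks the authenticator key.
        origin = LEGIT_ORIGIN if rewrite_origin else origin_seen
        return self.upstream.verify_assertion(user, challenge, origin, sig)


def authenticator_sign(key: bytes, challenge: bytes, origin_seen: str) -> bytes:
    """Stand-in for a FIDO2 authenticator: signs the challenge plus the browser's origin."""
    return hmac.new(key, challenge + origin_seen.encode(), hashlib.sha256).digest()


def demo() -> dict:
    site, now = LegitSite(), int(time.time())
    proxy = AitMProxy(site)
    alice = site.users["alice"]
    # Victim types password and a fresh one-time code into the proxied page.
    form = {"user": "alice", "password": "hunter2", "otp": totp(alice["totp_secret"], now)}
    resp = proxy.relay_login(form, now)
    stolen = next(v for k, v in proxy.captured if k == "cookie")
    challenge = secrets.token_bytes(32)
    # On the phishing page the browser signs with the origin it really connected to.
    sig = authenticator_sign(alice["authn_key"], challenge, PHISH_ORIGIN)
    return {
        "victim_status": resp["status"],
        "stolen_cookie": stolen,
        "hijacked_user": site.whoami(stolen),   # MFA already satisfied: replay works
        "authn_relayed_unchanged": proxy.relay_assertion("alice", challenge, PHISH_ORIGIN, sig),
        "authn_origin_rewritten": proxy.relay_assertion("alice", challenge, PHISH_ORIGIN, sig,
                                                        rewrite_origin=True),
        "authn_direct": site.verify_assertion(
            "alice", challenge, LEGIT_ORIGIN,
            authenticator_sign(alice["authn_key"], challenge, LEGIT_ORIGIN)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The replayed cookie resolves to alice because the real site already accepted the password and the one-time code through the proxy, so nothing about the second factor is left for the attacker to defeat. The assertion fails both when relayed untouched (origin mismatch) and when the proxy rewrites the origin (signature no longer verifies); that origin binding is what makes FIDO2 and passkeys resistant to this class of proxy.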
Read at The Hacker News