INFO News Reddit r/netsec

Starkiller Phishing Kit: Why MFA Fails Against Real-Time Reverse Proxies — Technical Analysis + Rust PoC for TLS Fingerprinting


Sorry, no Hardening macOS this week. I actually wanted to, but my attention was caught by something else, somehow more urgent. Originally I wanted to limit this blog to Apple and BSD-related content, but this attack deserves all my attention for a simple reason: IT IS BEAUTIFUL.*

* As much as I despise cybercriminals, I think that these mofos are really what pushes the Internet forward. And when an attack is well crafted, chapeau, let's admit it! Don't worry, Hardening (and also Reversing 101) will come back next week!

Introduction

This week, Dark Reading reported on a phishing-as-a-service platform called Starkiller, disclosed by researchers at Abnormal AI. Krebs picked it up too. If you haven't read the article, go read it. I'll wait. Done? Good. Now let me tell you why this thing kept me up past my usual 3:30 AM. If you haven't, fear not: I'll fill you in.

The new kid in town is actually a new generation of phishing-as-a-service (PaaS) platforms. This new kid has radically changed the phishing threat model (finally, I'd say. It was sooo 90s using "employee security training" as the panacea for everything... but they won't learn): these platforms do not create fake login pages, they actually proxy the real ones in real time. The aim is capturing credentials, MFA tokens, session cookies: the whole landscape of boring things. What makes this different is the flow: the user authenticates for real, and credentials are stolen in transit, contextually, as the session happens. Traditional defences such as domain blacklisting, static page analysis, and obviously MFA pathetically fail against AitM (which, by the way, means Adversary in the Middle. Because the Man in the Middle was not an adversary, clearly...). Let's not panic, anyway. We know there's no perfect defence... but there's no perfect attack either.
Technical Analysis

The old-phashioned phishing

The usual way to mount a phishing attack was kind of boring: the attacker created a static HTML page, a clone of the actual login page. The user then entered credentials, which were captured. Later on, the credentials got replayed. It goes without saying that here MFA constitutes a great defence: a replayed password alone does not get past the second factor. These cloned pages go stale quickly, look imperfect, and are easily fingerprinted by security vendors.

The New Way

The attacker runs a reverse proxy, often a headless Chrome instance in a Docker container. This reverse proxy:

- loads the actual login page from the legitimate service
- serves the page to the victim, although through the attacker's infrastructure
- intercepts everything while in transit: keystrokes, MFA codes, session cookies
- this easily leads to obtaining an authenticated session, not distinguishable from the real user's

The victims: they see the real website, with real content, real functionalities, and real MFA prompts. Everything is real, because everything is real. It's just taking a detour through someone else's server. The only anomaly is the URI, and modern kits easily disguise the URIs!

So, dear "solve everything with MFA" consultant, now it's time you found another mantra. But let me explain to you why your old mantra is not enough anymore. MFA does not protect against session hijacking through a real-time proxy. The user completes the MFA challenge legitimately. The token is valid. The session is real. The attacker just happens to be forwarding everything through their own pipe. The question is not "was MFA completed?" The question is: does the authenticated session behave like the legitimate user?
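One server-side signal that helps answer that question is the TLS fingerprint of the client that actually performed the login: with a real-time reverse proxy, the ClientHello reaching the identity provider comes from the proxy's TLS stack (the headless Chrome instance), not from the victim's browser, so it can be checked against the User-Agent family or the user's known devices. The Rust below is an added example, not the article's PoC: it derives a JA3-style fingerprint string from a constructed ClientHello, dropping GREASE values; the conventional JA3 hash is the MD5 of that string, left out here to keep the example dependency-free.

```rust
// Added example, not the article's PoC: derive a JA3-style fingerprint string from a raw TLS ClientHello record.
fn u16_at(b: &[u8], i: usize) -> Option<u16> { Some(u16::from_be_bytes([*b.get(i)?, *b.get(i + 1)?])) }
/// GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ...) are randomised per connection, so JA3 excludes them.
fn is_grease(v: u16) -> bool { (v & 0x0f0f) == 0x0a0a && (v >> 8) == (v & 0xff) }
fn join(v: &[u16]) -> String { v.iter().map(|x| x.to_string()).collect::<Vec<_>>().join("-") }

/// Returns "version,ciphers,extensions,groups,point_formats" (its MD5 is the JA3 hash), or None on malformed input.
pub fn ja3_string(hello: &[u8]) -> Option<String> {
    // record header: 5 bytes, type 0x16 = handshake; handshake header: 4 bytes, type 0x01 = client_hello
    if hello.len() < 9 || hello[0] != 0x16 || hello[5] != 0x01 { return None; }
    let mut i = 9;
    let version = u16_at(hello, i)?;
    i += 2 + 32;                                     // client_version + 32-byte random
    i += 1 + *hello.get(i)? as usize;                // session_id (1-byte length prefix)
    let cs_len = u16_at(hello, i)? as usize; i += 2;
    let mut ciphers = Vec::new();
    for j in (i..i + cs_len).step_by(2) { let c = u16_at(hello, j)?; if !is_grease(c) { ciphers.push(c); } }
    i += cs_len;
    i += 1 + *hello.get(i)? as usize;                // compression_methods (1-byte length prefix)
    let end = i + 2 + u16_at(hello, i)? as usize;    // end of the extensions block
    i += 2;
    let (mut exts, mut groups, mut fmts) = (Vec::new(), Vec::new(), Vec::new());
    while i + 4 <= end {
        let (t, l) = (u16_at(hello, i)?, u16_at(hello, i + 2)? as usize);
        let data = hello.get(i + 4..i + 4 + l)?;     // bounds-checked: truncated input yields None, not a panic
        if !is_grease(t) { exts.push(t); }
        match t {
            // supported_groups: 2-byte list length, then u16 curve ids
            0x000a => for j in (2..data.len()).step_by(2) { let g = u16_at(data, j)?; if !is_grease(g) { groups.push(g); } },
            // ec_point_formats: 1-byte list length, then u8 format ids
            0x000b => fmts.extend(data.get(1..)?.iter().map(|&f| f as u16)),
            _ => {}
        }
        i += 4 + l;
    }
    Some(format!("{},{},{},{},{}", version, join(&ciphers), join(&exts), join(&groups), join(&fmts)))
}

/// Constructed ClientHello, not a real capture: TLS 1.2, one GREASE cipher, two real ciphers, four extensions.
pub fn sample_client_hello() -> Vec<u8> {
    let mut h = vec![0x16, 0x03, 0x01, 0x00, 0x4b, 0x01, 0x00, 0x00, 0x47, 0x03, 0x03];
    h.extend([0x11u8; 32]); h.push(0x00);                       // client random, empty session_id
    h.extend([0x00, 0x06, 0x0a, 0x0a, 0x13, 0x01, 0xc0, 0x2b]); // ciphers: GREASE, 0x1301, 0xc02b
    h.extend([0x01, 0x00, 0x00, 0x18]);                         // null compression; extensions length 24
    h.extend([0x00, 0x0a, 0x00, 0x06, 0x00, 0x04, 0x00, 0x1d, 0x00, 0x17]); // supported_groups: x25519, secp256r1
    h.extend([0x00, 0x0b, 0x00, 0x02, 0x01, 0x00]);             // ec_point_formats: uncompressed
    h.extend([0x00, 0x17, 0x00, 0x00, 0x0a, 0x0a, 0x00, 0x00]); // extended_master_secret; GREASE extension
    h
}
```

In a detection pipeline the resulting string (or its hash) is compared with the fingerprint expected for the browser named in the User-Agent, or with the fingerprints of the user's enrolled devices; a mismatch at the moment MFA was completed is the anomaly the table of failing defences above cannot see.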
Key capabilities of Starkiller

| Capability | Impact |
|---|---|
| Real-time page proxying via headless Chrome | No static templates to fingerprint |
| Session token & cookie theft | MFA bypass without breaking MFA |
| Live session monitoring | Attacker watches victim interact in real time |
| Keystroke logging | Captures everything, not just form submissions |
| URL masking (@ trick, URL shorteners) | Disguises malicious links |
| Automated Telegram alerts | Instant notification on credential capture |
| Campaign analytics dashboard | Conversion tracking, geo-targeting |
| Subscription model with updates | Continuously evolving, harder to detect |

Who's Behind It

Starkiller is one of several services offered by a threat group called Jinkusu. It's sold as a subscription service with community support, feature requests, and regular updates, mirroring legitimate SaaS business models. A subscription service. With a dashboard. With campaign analytics. With customer support on Telegram. If this wasn't scary, it would have been ph-ashinating.

Why Traditional Defences Fail

| Defence | Why It Fails Against AitM |
|---|---|
| Domain blocklisting | New domains spun up per campaign; domains are burned and replaced |
| Static page analysis | No static page exists; content is proxied live |
| URL reputation filtering | URL shorteners and the @ trick bypass reputation checks |
| MFA (TOTP, SMS, push) | The user completes real MFA; the token is intercepted in transit |
| Email gateway scanning | Phishing links point to infrastructure that serves benign content to scanners |

Security...
