
Starkiller: The Cyberthreat For Technically Inept Hackers

  • michelle1593
  • Mar 27
  • 2 min read

I told you in our last piece about a commercially sold phishing-as-a-service framework called Starkiller. But we didn’t really get into what it does and how to understand the threat it poses.


Let’s do that now.


Developed by a threat group called Jinkusu, Starkiller doesn’t just serve a static HTML clone of a legitimate log-in page like most phishing kits do. It sits between you and the real log-in page as a proxy: the page you see is the genuine one, relayed live through the attacker’s server, and everything you type passes through that server on its way to the legitimate service. That is how it captures your log-in information in real time, before the real service ever sees it.


This platform is sold commercially to hackers, and it comes with a pretty fancy operator dashboard that lets them watch in real time as you enter the information they’re about to steal. It includes keystroke capture, cookie and session token theft, geo-tracking and automated alerts the moment your credentials have been captured.


What if the hacker is specifically interested in a certain type of attack, such as credit card capture or crypto wallet seed theft? Starkiller comes with helpful modules to make that quick and simple for its hacker customers.


Worst of all for intended victims, Starkiller effectively neutralizes conventional multifactor authentication. You complete the MFA step yourself, against the real service, and the proxy simply relays the prompt and your response back and forth. What the attacker keeps is the session cookie or token the service issues once you’ve passed, and that token is all they need to take over your account without ever seeing an MFA prompt of their own.


And the primary methods of most security tools, static page fingerprinting and domain blocklisting, are of little use against Starkiller. There are no phishing-kit template files to fingerprint, because the page content is the live page and stays current at all times, and a blocklist only catches the attacker’s proxy domain after someone has spotted and reported it.


And perhaps most infuriating, the hackers don’t have to have any substantial technical knowledge to use it. It’s user-friendly in all the worst ways.


So what can you do?


For starters, this is why “just turn on MFA” is not enough. Codes from an authenticator app, SMS codes and push approvals can all be relayed through the proxy, because nothing ties them to the site you are actually on. You need phishing-resistant multifactor authentication: FIDO2/passkeys and hardware security keys, which are bound to the real site’s domain and simply will not complete an authentication on an impostor domain.
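Here is a small added example (written for this piece, not code from the article, from Starkiller or from any WebAuthn library) of the mechanism that makes FIDO2/passkeys phishing-resistant. It models the two values a browser fills in on the relying party’s behalf, the page origin inside clientDataJSON and the RP ID hash at the front of authenticatorData, and checks them the way a relying party does. The relying party name login.example.com, the proxy domain login.example-com.net and the sample OTP code are assumptions for the demo; the authenticator signature that a real verifier also checks is left out, so only the origin-binding checks are shown.

```python
import base64
import hashlib
import json
import os

# Assumed relying-party identity for the demo (not from the article).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_assertion(challenge: bytes, page_origin: str) -> dict:
    """Model of what the victim's browser hands back from navigator.credentials.get().

    The browser, not the page's JavaScript, writes 'origin' from its own URL bar
    and derives the RP ID from the page's domain (simplified here to the host of
    the origin). A page served through an attacker's proxy domain therefore cannot
    claim to be login.example.com, however perfect its content looks.
    """
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }).encode()
    # authenticatorData: rpIdHash (32 bytes) || flags (UP|UV = 0x05) || signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (0).to_bytes(4, "big")
    # Real WebAuthn: the authenticator signs auth_data || sha256(client_data), so a proxy
    # cannot edit either field without breaking the signature. That check is omitted here.
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_assertion(assertion: dict, issued_challenge: bytes) -> tuple[bool, str]:
    """The relying party's structural checks on an assertion (signature check omitted)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def legitimate_login() -> tuple[bool, str]:
    """User is really on https://login.example.com: the assertion verifies."""
    challenge = os.urandom(32)
    return verify_assertion(browser_assertion(challenge, EXPECTED_ORIGIN), challenge)


def proxied_login(proxy_origin: str = "https://login.example-com.net") -> tuple[bool, str]:
    """AiTM flow: the real service issues the challenge, the proxy relays it unchanged,
    but the victim's browser is on the proxy's (assumed, hypothetical) domain, so the
    browser records that origin and the relying party rejects the assertion."""
    challenge = os.urandom(32)
    return verify_assertion(browser_assertion(challenge, proxy_origin), challenge)


def relayed_otp_login(code_typed_by_victim: str, code_expected: str) -> bool:
    """Contrast: a one-time code carries no information about where it was typed,
    so the code the victim enters on the proxy page verifies once the proxy forwards it."""
    return code_typed_by_victim == code_expected


if __name__ == "__main__":
    print("passkey, real site :", legitimate_login())
    print("passkey, via proxy :", proxied_login())
    print("OTP, via proxy     :", relayed_otp_login("492817", "492817"))
```

The thing to notice is that the victim does nothing differently in the two passkey flows; the refusal comes from the browser and the relying party, which is exactly why user training alone is not the fix for proxy-based phishing.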


On the behavioral side, you need to implement Conditional Access and Zero Trust policies that flag behaviors such as a session token being presented from an unexpected geolocation, or from a device fingerprint it was never issued to. A stolen token is only useful while it stays valid, so tie those flags to session revocation rather than to an alert alone.


It still makes a big difference to teach your people to inspect the URL before they click anything, and again before they type. With a proxy-based kit the page itself looks exactly right, so the address bar is the only visible tell. Be very suspicious of shortened URLs, which hide the destination; don’t just assume they will take you where the email sender suggests they will. One quiet helper here: a password manager only autofills on the domain the password was saved for, so a manager that refuses to fill in a “familiar” log-in page is a warning worth heeding.


Your team should also be watching for post-authentication indicators that something’s not right, such as rapid privilege escalation, unexpected mailbox rule creation (especially rules that forward mail outside the organization or delete it) or OAuth application consent grants made shortly after a sign-in.
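To make the two detection ideas above concrete, the stolen-token reuse from the Conditional Access paragraph and the post-authentication indicators from this one, here is an added example that is not part of the original article and not taken from any product. It runs three simple rules over a handful of constructed sign-in and audit events: a session token that reappears from a different country or device fingerprint than it was issued to, inbox rules that forward externally or delete, mail-scoped OAuth consent grants, and a role assignment shortly after sign-in. The event schema, user names, IP addresses (documentation ranges), the tenant domain example.com, the list of sensitive scopes and the 30-minute escalation window are all assumptions for the demo.

```python
from datetime import datetime, timedelta

# Constructed sign-in and audit events in an assumed, simplified schema; this is not
# the log format of any real identity provider or mail platform. All times are UTC.
EVENTS = [
    {"ts": "2025-03-20T09:02:11Z", "user": "alice@example.com", "event": "SignIn",
     "session": "sess-7f3a", "ip": "203.0.113.10", "country": "US", "device": "fp-laptop-01"},
    {"ts": "2025-03-20T09:02:40Z", "user": "alice@example.com", "event": "ReadMail",
     "session": "sess-7f3a", "ip": "203.0.113.10", "country": "US", "device": "fp-laptop-01"},
    # The same session token, minutes later, from a different country and device fingerprint.
    {"ts": "2025-03-20T09:09:05Z", "user": "alice@example.com", "event": "ReadMail",
     "session": "sess-7f3a", "ip": "198.51.100.77", "country": "NL", "device": "fp-unknown-9c"},
    {"ts": "2025-03-20T09:11:30Z", "user": "alice@example.com", "event": "New-InboxRule",
     "session": "sess-7f3a", "ip": "198.51.100.77", "country": "NL", "device": "fp-unknown-9c",
     "detail": {"ForwardTo": "drop@mail.example.net", "DeleteMessage": True}},
    {"ts": "2025-03-20T09:14:02Z", "user": "alice@example.com", "event": "ConsentToApplication",
     "session": "sess-7f3a", "ip": "198.51.100.77", "country": "NL", "device": "fp-unknown-9c",
     "detail": {"app": "Mail Backup Helper", "scopes": ["Mail.ReadWrite", "offline_access"]}},
    {"ts": "2025-03-20T09:16:00Z", "user": "alice@example.com", "event": "AddMemberToRole",
     "session": "sess-7f3a", "ip": "198.51.100.77", "country": "NL", "device": "fp-unknown-9c",
     "detail": {"role": "Global Administrator", "target": "alice@example.com"}},
    # A normal day for bob: no alerts expected.
    {"ts": "2025-03-20T10:00:00Z", "user": "bob@example.com", "event": "SignIn",
     "session": "sess-1c2d", "ip": "203.0.113.22", "country": "US", "device": "fp-desk-04"},
    {"ts": "2025-03-20T10:05:00Z", "user": "bob@example.com", "event": "ReadMail",
     "session": "sess-1c2d", "ip": "203.0.113.22", "country": "US", "device": "fp-desk-04"},
]

INTERNAL_DOMAINS = {"example.com"}                                    # assumed tenant domain
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "offline_access"}  # assumed risky scopes
ESCALATION_WINDOW = timedelta(minutes=30)                             # assumed "rapid" window


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_reuse(events: list) -> list:
    """Flag a session token presented from a country or device fingerprint other than
    the one it was first seen with: the shape of a stolen cookie being replayed.
    One alert per (session, country, device) combination, so a replayed token that
    stays on the attacker's box does not flood the queue."""
    first_seen, reported, alerts = {}, set(), []
    for e in sorted(events, key=lambda x: x["ts"]):
        sid = e["session"]
        if sid not in first_seen:
            first_seen[sid] = e
            continue
        origin = first_seen[sid]
        changed = [f for f in ("country", "device") if e[f] != origin[f]]
        key = (sid, e["country"], e["device"])
        if changed and key not in reported:
            reported.add(key)
            alerts.append({"rule": "session_reuse", "ts": e["ts"], "user": e["user"],
                           "session": sid, "changed": changed, "ip": e["ip"],
                           "issued_to": (origin["country"], origin["device"]),
                           "now": (e["country"], e["device"])})
    return alerts


def detect_post_auth_indicators(events: list) -> list:
    """Flag what an attacker typically does right after taking over a mailbox:
    forwarding/deleting inbox rules, mail-scoped app consents, and a role grant
    within ESCALATION_WINDOW of the user's most recent sign-in."""
    last_signin, alerts = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        d = e.get("detail", {})
        if e["event"] == "SignIn":
            last_signin[e["user"]] = parse_ts(e["ts"])
        elif e["event"] == "New-InboxRule":
            fwd = d.get("ForwardTo", "")
            external = bool(fwd) and fwd.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS
            if external or d.get("DeleteMessage"):
                alerts.append({"rule": "inbox_rule", "ts": e["ts"], "user": e["user"],
                               "forward_to": fwd or None, "deletes": bool(d.get("DeleteMessage"))})
        elif e["event"] == "ConsentToApplication":
            risky = SENSITIVE_SCOPES & set(d.get("scopes", []))
            if risky:
                alerts.append({"rule": "oauth_consent", "ts": e["ts"], "user": e["user"],
                               "app": d.get("app"), "scopes": sorted(risky)})
        elif e["event"] == "AddMemberToRole":
            since = last_signin.get(e["user"])
            if since is not None and parse_ts(e["ts"]) - since <= ESCALATION_WINDOW:
                alerts.append({"rule": "privilege_escalation", "ts": e["ts"], "user": e["user"],
                               "role": d.get("role"), "minutes_after_signin":
                               round((parse_ts(e["ts"]) - since).total_seconds() / 60, 1)})
    return alerts


def run_detections(events: list) -> list:
    """All alerts, oldest first, so an analyst reads the intrusion in order."""
    return sorted(detect_session_reuse(events) + detect_post_auth_indicators(events),
                  key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

Run against the constructed events, the four alerts all land on alice’s session and tell the story in order: the token moves to a new country and device, a forward-and-delete rule appears, a mail-scoped app is consented to, and a privileged role is granted. Bob’s ordinary day produces nothing. In a real deployment the session-reuse rule is the one to wire to automatic session revocation; the other three are the confirmation that the revocation came too late and the account needs cleanup.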


I realize that last paragraph gets into some technical stuff, and we’d be happy to help you work it all out. Email me at dacarey@cybersynergies.io or call 616.600.4180.


Starkiller is making it way too easy for hackers to attack you. So you have to double down on the steps you can control to make it harder for them. These are the best ways to do it.



Image by Jared Arango

Address:

PO Box 56 

Byron Center MI 49315

Phone Number:

616-600-4180


© 2026 Created by Cybersynergies
