A slick new phishing-as-a-service offering demonstrates just how easily a username+password and a one-time token can be phished. Dubbed "Starkiller," the service uses cleverly disguised links to load the target brand's real website, and then acts as a relay between the victim and the legitimate site -- forwarding the victim's username, password and multi-factor authentication code to the legitimate site and returning its responses.

https://krebsonsecurity.com/2026/02/starkiller-phishing-service-proxies-real-login-pages-mfa/

#phishing #MFA #starkiller

@briankrebs

That's nasty.

I don't like it.

I used to ironically say the internet was a mistake, but some days lately my thoughts have shifted.

I feel like my browser at a minimum needs a behavior shift: if any @ is in the address bar, maybe the browser gives a warning & gives you a chance to look over the address before continuing.

Ugh, tummy ache activated.

@briankrebs I think I just ran into this tactic: I clicked on an MSNow story on youtube and it took me to a third party site that flat-out said "you're giving us your info" so I backed out quickly. The company name was something like 'vesuvis' or similar.
@briankrebs We need the list of sites identified as already being compromised with this.
@3x10to8mps @briankrebs No website is compromised, only impersonated. And a list of sites that have been impersonated so far would be useless because the entire point is that it could be any site.

@admin @briankrebs I would call impersonated seriously compromised. If you can't tell if a website has this filter that is skimming your information, then you basically cannot trust any website.

Am I missing something here?

@3x10to8mps @briankrebs I think "compromised" generally implies that someone has gotten access to the servers or other internal systems, but that's not what this is. Which is part of the problem. A list of affected websites won't do you any good because they could have a dozen new fakes set up the next day. That scale is the only thing that is new here.

You *can* tell the difference if you examine the URL carefully and if you know what to look for. They just have tricks to make it look right at a glance. Like using that "@" symbol -- that's not used much these days so a lot of folks won't be familiar with it, but the site you are actually visiting is whatever comes after it. Whatever is before the @ is a username it is sending to that website.
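The "whatever comes after the @ is the real site" rule above can be checked mechanically. As an added example, not part of anyone's post in this thread, here is a small Python check that splits a URL the way a browser does and flags a userinfo part that itself looks like a hostname; the URLs are constructed samples with hypothetical hosts.

```python
import re
from urllib.parse import urlsplit

# A userinfo that contains a dotted label looks like a domain name,
# which is the trick described in the thread (real brand before the @,
# actual destination after it).
_DOTTED_LABEL = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def looks_like_hostname(text):
    """True if text is shaped like a DNS name (at least one dot)."""
    return bool(_DOTTED_LABEL.match(text))


def userinfo_warning(url):
    """Return (real_host, userinfo, suspicious) for a URL.

    real_host is what the browser actually connects to.
    userinfo is everything before the last '@' in the authority
    (user or user:password), or '' if there is none.
    suspicious is True when the user part is shaped like a hostname.
    """
    parts = urlsplit(url)
    real_host = parts.hostname or ""
    userinfo = ""
    # Only an '@' inside the authority component matters; an '@' in the
    # path or query does not change the destination host.
    if "@" in parts.netloc:
        userinfo = parts.netloc.rsplit("@", 1)[0]
    user_part = userinfo.split(":", 1)[0]
    return real_host, userinfo, looks_like_hostname(user_part)


# Constructed sample URLs (hypothetical hosts, not from the article).
SAMPLES = [
    "https://accounts.example.com@evil.example.net/login",
    "https://example.com/login",
    "https://user:secret@intranet.example.org/",
    "https://example.com/path?next=bank.example.com@attacker.example/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        host, info, flag = userinfo_warning(sample)
        status = "WARN" if flag else "ok"
        print(f"{status:4} host={host!r} userinfo={info!r}  <- {sample}")
```

The third sample shows the legitimate Basic-Auth use mentioned later in the thread: a plain username before the @ is not flagged, only a userinfo shaped like a domain is.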

@admin @briankrebs That makes sense. Thanks!
@briankrebs The term "MFA" is just useless as a metric for the security of a system. Just like 3DES, putting multiple broken auth mechanisms behind each other may work as a stop-gap measure but doesn't address the problem at its core.
@briankrebs Would hosting our own DNS like Pi-hole defend against this?
@gh0sti @briankrebs Pretty sure the defense would need to be in the browser. You could block whatever domain the hackers are using in your DNS but they could easily switch to a new one at any time.

@briankrebs Huh, fascinating, I'm finding StackOverflow comments from 2014 that HTTP Basic Auth credentials in the URL will throw phishing warnings in Safari... There was apparently some back and forth ongoing with the removal of this feature in multiple browsers.

https://serverfault.com/questions/371907/can-you-pass-user-pass-for-http-basic-authentication-in-url-parameters

I'm still a regular user of this feature, I hope it does not get removed.

@eloy @briankrebs Well I guess they could throw their typical scary-shit warning page like they do with TLS.