A slick new phishing-as-a-service offering demonstrates just how easily a username+password and a one-time token can be phished. Dubbed "Starkiller," the service uses cleverly disguised links to load the target brand's real website, and then acts as a relay between the victim and the legitimate site -- forwarding the victim's username, password and multi-factor authentication code to the legitimate site and returning its responses.

https://krebsonsecurity.com/2026/02/starkiller-phishing-service-proxies-real-login-pages-mfa/

#phishing #MFA #starkiller

@briankrebs We need the list of sites identified as already being compromised with this.
@3x10to8mps @briankrebs No website is compromised, only impersonated. And a list of sites that have been impersonated so far would be useless because the entire point is that it could be any site.

@admin @briankrebs I would call impersonated seriously compromised. If you can't tell whether a website has this filter that is skimming your information, then you basically cannot trust any website.

Am I missing something here?

@3x10to8mps @briankrebs I think "compromised" generally implies that someone has gotten access to the servers or other internal systems, but that's not what this is. Which is part of the problem. A list of affected websites won't do you any good because they could have a dozen new fakes set up the next day. That scale is the only thing that is new here.

You *can* tell the difference if you examine the URL carefully and if you know what to look for. They just have tricks to make it look right at a glance. Like using that "@" symbol -- that's not used much these days, so a lot of folks won't be familiar with it, but the site you are actually visiting is whatever comes after it. Whatever is before the @ is a username that is sent to that website.
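The "@" trick described above, worked through as an added example that is not part of the thread: it splits a URL the way RFC 3986 (and a browser) does, so you can see that the real destination is the part after the last "@" and the brand-looking part before it is only userinfo. The URLs are constructed placeholders, not real Starkiller infrastructure.

```python
"""Report where a URL that uses the "brand@host" disguise actually points."""
from typing import Optional
from urllib.parse import urlsplit


def audit_url(url: str) -> dict:
    """Split a URL and separate the real host from any userinfo before '@'."""
    # An address-bar entry without a scheme is treated as https by browsers.
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)

    userinfo: Optional[str] = None
    if "@" in parts.netloc:
        # Everything before the LAST '@' in the authority is userinfo
        # (user or user:password); it is not part of the destination.
        userinfo = parts.netloc.rsplit("@", 1)[0]

    # .hostname strips userinfo and port and lower-cases the real host.
    host = parts.hostname

    # Userinfo that itself looks like a domain name is the tell-tale sign of
    # the disguise: a legitimate login URL almost never carries credentials.
    user_part = userinfo.split(":", 1)[0] if userinfo else ""
    decoy = "." in user_part

    return {"host": host, "userinfo": userinfo, "decoy_host_in_userinfo": decoy}


if __name__ == "__main__":
    # Constructed sample URLs (placeholder domains).
    samples = [
        "https://www.example-bank.com@login.attacker-placeholder.test/account",
        "https://www.example-bank.com/account",
        "https://alice:secret@mail.example.com/inbox",
    ]
    for sample in samples:
        report = audit_url(sample)
        flag = "DECOY" if report["decoy_host_in_userinfo"] else "ok"
        print(f"{flag:5} real host={report['host']!s:35} userinfo={report['userinfo']}")
```

The first sample prints `DECOY` with `login.attacker-placeholder.test` as the real host, even though the URL begins with the bank's name.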

@admin @briankrebs That makes sense. Thanks!