infosec leader, learning more than posting

A slick new phishing-as-a-service offering demonstrates just how easily a username+password and a one-time token can be phished. Dubbed "Starkiller," the service uses cleverly disguised links to load the target brand's real website, and then acts as a relay between the victim and the legitimate site -- forwarding the victim's username, password and multi-factor authentication code to the legitimate site and returning its responses.

https://krebsonsecurity.com/2026/02/starkiller-phishing-service-proxies-real-login-pages-mfa/

#phishing #MFA #starkiller
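The relay the post describes, modelled as an added example (this is not code from the Krebs article or from the "Starkiller" service): a phishing page on a lookalike domain forwards whatever the victim submits to the real site, so a one-time code verifies there just as if the victim had typed it on the genuine page. The same model shows the caveat a practitioner wants next to this story: an origin-bound credential (WebAuthn style) is not relayable, because the browser records the origin the user is actually on and the signature covers it. The hostnames, the TOTP secret and the per-credential key are constructed for the example, and the authenticator signature is stood in for by an HMAC (a real authenticator uses an asymmetric key; the origin-binding argument is identical).

```python
import base64
import hashlib
import hmac
import json
import struct

LEGIT_ORIGIN = "https://login.example.com"   # assumed legitimate site
PHISH_ORIGIN = "https://login-example.com"   # assumed relay (lookalike) domain
TOTP_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")  # constructed, not a real secret
CRED_KEY = b"constructed-per-credential-key"  # stand-in for the authenticator's private key


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def sign_assertion(client_data_json: bytes) -> bytes:
    """Authenticator side: the signature covers a hash of clientDataJSON."""
    return hmac.new(CRED_KEY, hashlib.sha256(client_data_json).digest(), hashlib.sha256).digest()


def browser_get_assertion(page_origin: str, challenge: str) -> tuple:
    """The browser fills in the origin the user is really on; the user cannot change it."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    cdj = json.dumps(client_data, separators=(",", ":")).encode()
    return cdj, sign_assertion(cdj)


class LegitimateSite:
    """The real login service: verifies a TOTP code, or an origin-bound assertion."""

    def __init__(self) -> None:
        self._issued = set()
        self._counter = 0

    def verify_totp(self, code: str, now: int) -> bool:
        # Accept the current step and one either side, a typical clock-skew window.
        return any(hmac.compare_digest(code, totp(TOTP_SECRET, now + d)) for d in (-30, 0, 30))

    def issue_challenge(self) -> str:
        self._counter += 1
        ch = base64.urlsafe_b64encode(hashlib.sha256(b"chal%d" % self._counter).digest()).decode()
        self._issued.add(ch)
        return ch

    def verify_assertion(self, client_data_json: bytes, signature: bytes) -> bool:
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self._issued:
            return False
        if cd.get("origin") != LEGIT_ORIGIN:   # the origin check that defeats a relay
            return False
        self._issued.discard(cd["challenge"])
        return hmac.compare_digest(signature, sign_assertion(client_data_json))


def relay_totp(site: LegitimateSite, now: int) -> bool:
    """Victim types the code on the phishing page; the relay forwards it unchanged."""
    code_typed_on_phish_page = totp(TOTP_SECRET, now)
    return site.verify_totp(code_typed_on_phish_page, now)


def relay_webauthn(site: LegitimateSite, rewrite_origin: bool = False) -> bool:
    """Relay forwards the real site's challenge; the victim's browser answers from PHISH_ORIGIN."""
    challenge = site.issue_challenge()
    cdj, sig = browser_get_assertion(PHISH_ORIGIN, challenge)
    if rewrite_origin:
        cd = json.loads(cdj)
        cd["origin"] = LEGIT_ORIGIN
        cdj = json.dumps(cd, separators=(",", ":")).encode()  # signature no longer matches
    return site.verify_assertion(cdj, sig)


def genuine_webauthn(site: LegitimateSite) -> bool:
    """Control case: the user is really on the legitimate origin."""
    challenge = site.issue_challenge()
    cdj, sig = browser_get_assertion(LEGIT_ORIGIN, challenge)
    return site.verify_assertion(cdj, sig)


if __name__ == "__main__":
    site = LegitimateSite()
    print("TOTP through relay accepted:", relay_totp(site, 1_700_000_000))
    print("WebAuthn through relay accepted:", relay_webauthn(site))
    print("WebAuthn relay with rewritten origin accepted:", relay_webauthn(site, True))
    print("Genuine WebAuthn accepted:", genuine_webauthn(site))
```

The model only shows the server-side origin check; in practice the victim's browser would refuse to produce an assertion at all on the lookalike domain, because the credential's RP ID is not a registrable suffix of that page's host. Either way the relay gets nothing it can replay, which is the property a one-time code lacks.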

When a hacker who goes by the names "Waifu" and "Judische" began posting death threats against security researcher Allison Nixon, she had no idea why he targeted her. So she set out to unmask him. The quest led her to uncover the identity of Connor Riley Moucka, a 25-year-old Canadian who was ringleader of the infamous Snowflake/AT&T hacks, as well as Cameron John Wagenius (aka Kiberphant0m online), an active-duty US Army soldier, both of whom were arrested. Here's my story, as well as a free link below that.

https://www.technologyreview.com/2026/02/16/1132526/allison-nixon-hackers-security-researcher

https://archive.is/20260216131016/https://www.technologyreview.com/2026/02/16/1132526/allison-nixon-hackers-security-researcher

Hackers made death threats against this security researcher. Big mistake.

Allison Nixon had helped arrest dozens of members of The Com — a loose affiliation of online groups responsible for violence and hacking campaigns. Then she became a target.

MIT Technology Review

Hear ye, hear ye! @dykstra and I are co-guest editing an IEEE special issue on Cyber Hard Problems, and the CFP is now posted! We’d love to get your insights. Check it out:

https://www.computer.org/digital-library/magazines/sp/cfp-cyber-hard-problems

Call For Papers: Special Issue on Cyber Hard Problems

This special issue seeks contributions that advance the understanding of, or demonstrate meaningful progress against, cyber hard problems.

IEEE Computer Society
Just had our sweet dog sleep in. She was a very very sweet puppy.
😢
PSA: if you have to use Notepad (new version), the disable-AI button is hidden in the Fonts section.

📣 Help needed! For our upcoming #RSAC talk, @boblord and I are studying cyber near misses, moments where serious harm was narrowly avoided, and what we can learn from them. These near misses might apply to software development, or to network defense. (Please boost for reach! 🙏)

We are hoping to surface general patterns using some (anonymized) examples.

If you’re willing, reply with a high-level response to one or two of these prompts. Anonymize as appropriate, and/or send to us in DMs if you prefer:

* What lesson did an organization fail to learn after a near miss, even though it seemed obvious at the time?
* Describe a time when you discovered something and thought “If we didn’t catch this now, it would have been baaaaad”.
* Describe a time when you dealt with a software vulnerability in your systems that was being actively exploited elsewhere, but (as far as you could tell), not in yours. What saved the day?
* What repeated “almost failures” do you see getting normalized or waved away as acceptable risk?
* Can you recall a near miss triggered by a third party such as a researcher report, customer question, bug bounty submission, or vendor advisory that revealed a bigger issue than expected?
* Can you think of a near miss where the most important factor was not a security control, but a human action like someone double-checking, questioning an alert, or escalating a “weird feeling”?

Thanks!

I don't suppose anyone is flying from #Miami to the Northwest (#Portland) in the next few weeks who would be willing to meet and escort a street #dog for us... Feel free to boost this unlikely request. That's the only place they can be sent at this time of year from #Aruba, apparently.
@FediTree what did the year look like
Wrapstodon 2025 for Lowlands

See how Lowlands used Mastodon this year!

Infosec Exchange

Running out of cybersecurity and privacy gift ideas? For my blog and newsletter, this week in security, I wrote about some of the cool security and privacy gifts you can give friends and family this holiday season — but also what tech to avoid altogether!

No affiliate links! Just some nerdy ideas from my heart. ❤️

More: https://this.weekinsecurity.com/last-minute-cybersecurity-and-privacy-gifts-that-your-friends-and-family-will-not-hate/

Sign up/RSS for my weekly newsletter: https://this.weekinsecurity.com

Last-minute cybersecurity and privacy gifts your friends and family won't hate

Running out of gift ideas for the security or privacy buff in your life? Here are some thoughtful suggestions, including what tech you might want to avoid.

~this week in security~