News

This week in scams, we’re looking at three very different stories with the same underlying theme: trust is being exploited at scale. 

A massive government contractor data breach has quietly grown to affect more than 25 million people. Meanwhile, a viral AI-generated image of Mary-Kate and Ashley Olsen posing in a fake luxury campaign is spreading across social media, fooling some users and alarming others. 

And in a new threat report, OpenAI detailed how its own tools are being misused for dating scams, impersonation, and influence operations. 

Let’s break it down. 

The Conduent Data Breach Now Impacts 25+ Million People 

The fallout from a ransomware attack on Conduent, one of the largest government contractors in the U.S., continues to expand. 

According to reporting from TechCrunch, updated state-level breach notifications now indicate that more than 25 million people across the U.S. have had personal data exposed. 

Conduent provides services tied to state benefit programs, including food assistance, unemployment systems, and other government payment processing operations. The company has said its services reach over 100 million people. 

Data reportedly exposed in the breach includes: 

• Names 
• Dates of birth 
• Addresses 
• Social Security numbers 
• Health insurance and medical information 

TechCrunch noted that the majority of affected individuals appear to be in Oregon and Texas, based on state breach disclosures. Other states have also reported an impact. 

The attack has been described as one of the largest government-contractor-related data breaches in recent memory. 

Why this matters: When companies that process government benefits are hit, the exposed data often includes highly sensitive identity information. Social Security numbers combined with medical or insurance details can significantly increase the risk of identity theft and fraud. 

How to Protect Yourself After a Major Data Breach 

If you believe your data may have been exposed: 

• Monitor your credit reports for unfamiliar activity 
• Consider placing a free credit freeze 
• Be wary of phishing emails or texts referencing benefits or account verification 
• Never share personal information in response to unexpected outreach 

Breaches like this often lead to secondary scams months later. The breach itself is only phase one. Phishing campaigns usually follow. 

That Viral Olsen Twins “Louis Vuitton” Image? It’s AI. 

A supposed luxury campaign featuring Mary-Kate and Ashley Olsen began circulating widely on X and Facebook this week, racking up millions of views. 

The images show the twins styled in what appears to be a high-end fashion shoot, drawing numerous comments over their styling. But social media users quickly pointed out visual irregularities and inconsistencies commonly associated with AI-generated imagery. 

A screenshot of one of the AI images making thr rounds across social media.

While this doesn’t fall into our typical “scam” roundup, the normalization of AI-generated visuals that look close enough to real to confuse people are a growing issue that can lead to real confusion and distrust. 

We have entered a phase where: 

• Fake ads look legitimate 
• Public figures appear in campaigns they never participated in 
• Synthetic images spread faster than corrections 

Today it’s a fashion ad. Tomorrow it could be a fake political endorsement, financial announcement, or emergency alert. 

The takeaway: If you see a surprising campaign or announcement, verify it through official brand websites or verified accounts before assuming it’s real. 

OpenAI Details How ChatGPT Is Being Misused

In a newly released threat report, OpenAI outlined several ways its tools have been abused by bad actors. 

According to Reuters’ reporting: 

A cluster of accounts used ChatGPT to run a dating scam targeting Indonesian men, allegedly defrauding hundreds of victims per month. 

Some accounts used the tool to generate promotional copy and ads for a fake dating platform that pressured users into completing costly “tasks.”

Other accounts posed as law firms, impersonating real attorneys and U.S. law enforcement to target fraud victims.

OpenAI also banned accounts linked to activity believed to be part of influence operations, including efforts targeting Japanese political figures. 

OpenAI stated that the activity was detected and accounts were removed. 

Why this matters: AI tools themselves are not inherently scams. But they dramatically lower the cost and increase the scale of fraud operations. Writing persuasive emails, generating fake legal letters, building scam ads… these now require fewer technical skills than ever before. 

The technology doesn’t create the criminal intent. It just accelerates it. 

McAfee’s Safety Tips This Week 

1. Assume viral images could be AI-generated until verified 
2. Verify unexpected announcements through official websites 
3. Treat post-breach emails as suspicious by default 
4. Be skeptical of online “consultation” invites that promise payment 
5. Never send money to someone you’ve only met online 

We’ll Be Back Next Week 

From ransomware breaches to AI-generated impersonations, the pattern is clear: scammers are scaling trust manipulation with technology. 

Stay skeptical. Verify before you click. And we’ll be back next week with another breakdown of what’s making headlines, and what it actually means for your security. 

For more reading on AI deepfakes and breaches: 

Taylor Swift Tops List of Most Deepfaked Celebs

What to Do If You’re Caught Up in a Data Breach

Everything You Need to Know to Keep Your Passwords Secure

The post This Week in Scams: Conduent Data Breach and AI Olsen Twins appeared first on McAfee Blog.

Peru has increased its squid catch limit. The article says “giant squid,” but they can’t possibly mean that.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Blog moderation policy.

Iran is slowly emerging from the most severe communications blackout in its history and one of the longest in the world. Triggered as part of January’s government crackdown against citizen protests nationwide, the regime implemented an internet shutdown that transcends the standard definition of internet censorship. This was not merely blocking social media or foreign websites; it was a total communications shutdown.

Unlike previous Iranian internet shutdowns where Iran’s domestic intranet—the National Information Network (NIN)—remained functional to keep the banking and administrative sectors running, the 2026 blackout disrupted local infrastructure as well. Mobile networks, text messaging services, and landlines were disabled—even Starlink was blocked. And when a few domestic services became available, the state surgically removed social features, such as comment sections on news sites and chat boxes in online marketplaces. The objective seems clear. The Iranian government aimed to atomize the population, preventing not just the flow of information out of the country but the coordination of any activity within it.

This escalation marks a strategic shift from the shutdown observed during the “12-Day War” with Israel in mid-2025. Then, the government primarily blocked particular types of traffic while leaving the underlying internet remaining available. The regime’s actions this year entailed a more brute-force approach to internet censorship, where both the physical and logical layers of connectivity were dismantled.

The ability to disconnect a population is a feature of modern authoritarian network design. When a government treats connectivity as a faucet it can turn off at will, it asserts that the right to speak, assemble, and access information is revocable. The human right to the internet is not just about bandwidth; it is about the right to exist within the modern public square. Iran’s actions deny its citizens this existence, reducing them to subjects who can be silenced—and authoritarian governments elsewhere are taking note.

The current blackout is not an isolated panic reaction but a stress test for a long-term strategy, say advocacy groups—a two-tiered or “class-based” internet known as Internet-e-Tabaqati. Iran’s Supreme Council of Cyberspace, the country’s highest internet policy body, has been laying the legal and technical groundwork for this since 2009.

In July 2025, the council passed a regulation formally institutionalizing a two-tiered hierarchy. Under this system, access to the global internet is no longer a default for citizens, but instead a privilege granted based on loyalty and professional necessity. The implementation includes such things as “white SIM cards“: special mobile lines issued to government officials, security forces, and approved journalists that bypass the state’s filtering apparatus entirely.

While ordinary Iranians are forced to navigate a maze of unstable VPNs and blocked ports, holders of white SIMs enjoy unrestricted access to Instagram, Telegram, and WhatsApp. This tiered access is further enforced through whitelisting at the data center level, creating a digital apartheid where connectivity is a reward for compliance. The regime’s goal is to make the cost of a general shutdown manageable by ensuring that the state and its loyalists remain connected while plunging the public into darkness. (In the latest shutdown, for instance, white SIM holders regained connectivity earlier than the general population.)

The technical architecture of Iran’s shutdown reveals its primary purpose: social control through isolation. Over the years, the regime has learned that simple censorship—blocking specific URLs—is insufficient against a tech-savvy population armed with circumvention tools. The answer instead has been to build a “sovereign” network structure that allows for granular control.

By disabling local communication channels, the state prevents the “swarm” dynamics of modern unrest, where small protests coalesce into large movements through real-time coordination. In this way, the shutdown breaks the psychological momentum of the protests. The blocking of chat functions in nonpolitical apps (like ridesharing or shopping platforms) illustrates the regime’s paranoia: Any channel that allows two people to exchange text is seen as a threat.

The United Nations and various international bodies have increasingly recognized internet access as an enabler of other fundamental human rights. In the context of Iran, the internet is the only independent witness to history. By severing it, the regime creates a zone of impunity where atrocities can be committed without immediate consequence.

Iran’s digital repression model is distinct from, and in some ways more dangerous than, China’s “Great Firewall.” China built its digital ecosystem from the ground up with sovereignty in mind, creating domestic alternatives like WeChat and Weibo that it fully controls. Iran, by contrast, is building its controls on top of the standard global internet infrastructure.

Unlike China’s censorship regime, Iran’s overlay model is highly exportable. It demonstrates to other authoritarian regimes that they can still achieve high levels of control by retrofitting their existing networks. We are already seeing signs of “authoritarian learning,” where techniques tested in Tehran are being studied by regimes in unstable democracies and dictatorships alike. The most recent shutdown in Afghanistan, for example, was more sophisticated than previous ones. If Iran succeeds in normalizing tiered access to the internet, we can expect to see similar white SIM policies and tiered access models proliferate globally.

The international community must move beyond condemnation and treat connectivity as a humanitarian imperative. A coalition of civil society organizations has already launched a campaign calling for “direct-to-cell” (D2C) satellite connectivity. Unlike traditional satellite internet, which requires conspicuous and expensive dishes such as Starlink terminals, D2C technology connects directly to standard smartphones and is much more resilient to infrastructure shutdowns. The technology works; all it requires is implementation.

This is a technological measure, but it has a strong policy component as well. Regulators should require satellite providers to include humanitarian access protocols in their licensing, ensuring that services can be activated for civilians in designated crisis zones. Governments, particularly the United States, should ensure that technology sanctions do not inadvertently block the hardware and software needed to circumvent censorship. General licenses should be expanded to cover satellite connectivity explicitly. And funding should be directed toward technologies that are harder to whitelist or block, such as mesh networks and D2C solutions that bypass the choke points of state-controlled ISPs.

Deliberate internet shutdowns are commonplace throughout the world. The 2026 shutdown in Iran is a glimpse into a fractured internet. If we are to end countries’ ability to limit access to the rest of the world for their populations, we need to build resolute architectures. They don’t solve the problem, but they do give people in repressive countries a fighting chance.

This essay originally appeared in Foreign Policy.

This is new. North Korean hackers are posing as company recruiters, enticing job candidates to participate in coding challenges. When they run the code they are supposed to work on, it installs malware on their system.

News article.

X (formerly Twitter) hacks tend to hit fast. 

One minute you’re scrolling like normal. The next, your account is posting crypto promotions, sending spam DMs, or following hundreds of random accounts you’ve never heard of. Sometimes you don’t even notice until a friend asks why you’re suddenly “giving away” gift cards. 

If you use X for work, your personal brand, or your business, a takeover can do real damage quickly. And in many cases, the hacker isn’t just trying to cause chaos, they’re trying to use your account to scam your followers while you still look trustworthy. 

This guide walks you through exactly what to do if your X account has been hacked: how to spot the warning signs, how to regain access, and what to change immediately so it doesn’t happen again. 

If you’re still locked out after trying these steps, X also offers an official support form for hacked or compromised accounts. 

Signs Your X Account May Be Compromised 

X account takeovers don’t always start with a full lockout. Often, the first signs are strange activity you didn’t authorize. 

Watch for these red flags: 

Unexpected posts: Tweets you didn’t write, especially spam, crypto links, or promotions. 

Unusual DMs: Messages sent from your account that you don’t remember sending. 

Account behavior changes: Random follows, unfollows, blocks, or profile changes you didn’t approve. 

Security notifications: Alerts from X that your account may be compromised. 

Account info changed: Notifications that your email, phone number, or password was updated without your permission. 

Password suddenly stops working: You’re prompted to reset your password even though you didn’t request it. 

If any of these are happening, assume your account is compromised and start recovery steps immediately. 

What to Change Immediately If Your X Account Was Hacked 

If your X account was hacked, assume your login details may have been stolen. 

That means simply getting back into your account isn’t enough, you also need to update the passwords and settings attackers could still use. 

Here’s what to change right away: 

• Change your X password 
• Change the password for the email account connected to X 
• Turn on two-factor authentication (2FA) 
• Confirm your email address and phone number are correct 
• Revoke access for any suspicious third-party apps 
• Review X Pro / Teams access (if you use it) and remove unfamiliar users 
• Update any other accounts that share the same password 
• Delete unauthorized posts and DMs (once you regain control) 

If you suspect the hack started through malware or phishing, it’s also smart to update passwords for other sensitive accounts tied to your identity, like banking apps, payment apps, or your Apple/Google account. 

Using a password manager like McAfee’s can help you create strong, unique passwords for every account, and store them securely in one place. 

Step-by-Step: How to Recover a Hacked X Account 

X offers different recovery options depending on whether you can still log in. 

Step	What to Do	Why It Matters
1. Change your password immediately (if you can still log in)	Go into your X account settings and update your password to something strong and unique.	This is the fastest way to cut off unauthorized access.
2. Reset your password if you’re locked out	Use the “Forgot password” option on the login screen to start account recovery.	This can help you regain access even if the hacker changed your password.
3. Secure your email account	Change your email password and enable 2FA. Make sure only you can access it.	If your email is compromised, the hacker can keep resetting your X account.
4. Reverse suspicious email changes if possible	If you receive an email about an account email change, check for an option to undo it.	This may allow you to regain control before the hacker fully locks you out.
5. Revoke third-party app access	While logged in, review connected apps and remove anything you don’t recognize.	Some takeovers happen through malicious apps, not direct password guessing.
6. Revoke mobile app sessions if needed	If suspicious activity continues, revoke access for X mobile apps from your settings so they’re forced to re-authenticate.	X notes that password changes may not automatically log out mobile sessions.
7. Update your password anywhere it’s saved	If you use trusted apps or services that store your X password, update it there too.	Repeated failed login attempts can temporarily lock your account.
8. Turn on 2FA	Enable two-factor authentication as soon as you regain control.	This adds a strong layer of protection even if your password gets stolen again.
9. Contact X support if you still can’t regain access	Submit X’s hacked/compromised account request form. Include your username and the last date you had access.	If self-recovery fails, support may be able to help restore access.

If you’re still unable to log in after attempting recovery, visit X’s official hacked account support form for next steps. 

Watch for Phishing “X Support” Scams 

One of the most common ways X accounts get hacked is through phishing. 

Scammers impersonate: 

• X support 
• “verified account” teams 
• copyright warnings 
• fake sponsorship offers 
• fake security alerts claiming your account will be suspended 

They try to pressure you into clicking a link and logging in on a fake page designed to steal your password. 

If you receive a suspicious email or DM, don’t click. 

Instead, open X directly in the app or browser and check your account settings from there. 

Final Tips: Recovering From an X Hack 

A hacked X account can spread scams quickly, especially if the attacker uses your account to message followers directly. 

The most important steps are: 

• Act quickly 
• Change your password immediately 
• Secure the email account connected to X 
• Revoke suspicious third-party app access 
• Review X Pro / Teams access if applicable 
• Enable two-factor authentication (2FA) 
• Delete unauthorized posts once you regain control 
• Scan your device for malware 

McAfee offers a free antivirus scan that can help you detect malware or suspicious programs that may have compromised your account in the first place. 

And if you’re still locked out or something doesn’t look right, use X’s official support request form to report the account as hacked or compromised. 

Frequently Asked Questions 

Q: How do I know if my X account was hacked? A: Common signs include posts or DMs you didn’t send, unusual follows/unfollows, account changes you didn’t authorize, security alerts from X, or a password that suddenly stops working.

Q: If I change my password, will the hacker be logged out? A: Changing your password is critical, but some mobile sessions may remain active. X recommends revoking app access in your settings if suspicious activity continues.

Q: What should I do if my email address was changed? A: Check your inbox for an email from X about the change. In some cases, you may be able to reverse it using the security link. If you can’t, start account recovery immediately and submit a support request if needed.

Q: Should I remove third-party apps after a hack? A: Yes. X notes that malicious or untrusted third-party apps can compromise your account. Remove anything you don’t recognize or no longer use.

Q: What if I still can’t log in after resetting my password? A: Submit a hacked account support request through X’s official form. Be sure to include your username and the last date you had access.

Q: What’s the biggest mistake people make after their X account gets hacked? A: Only changing their password. If the attacker still has access through connected apps, a compromised email account, or saved sessions, they can regain control quickly.

 

The post X (Twitter) Account Hacked: What to Do Right Now appeared first on McAfee Blog.

LLMs are bad at generating passwords:

There are strong noticeable patterns among these 50 passwords that can be seen easily:

• All of the passwords start with a letter, usually uppercase G, almost always followed by the digit 7.
• Character choices are highly uneven ­ for example, L , 9, m, 2, $ and # appeared in all 50 passwords, but 5 and @ only appeared in one password each, and most of the letters in the alphabet never appeared at all.
• There are no repeating characters within any password. Probabilistically, this would be very unlikely if the passwords were truly random ­ but Claude preferred to avoid repeating characters, possibly because it “looks like it’s less random”.
• Claude avoided the symbol *. This could be because Claude’s output format is Markdown, where * has a special meaning.
• Even entire passwords repeat: In the above 50 attempts, there are actually only 30 unique passwords. The most common password was G7$kL9#mQ2&xP4!w, which repeated 18 times, giving this specific password a 36% probability in our test set; far higher than the expected probability 2-100 if this were truly a 100-bit password.

This result is not surprising. Password generation seems precisely the thing that LLMs shouldn’t be good at. But if AI agents are doing things autonomously, they will be creating accounts. So this is a problem.

Actually, the whole process of authenticating an autonomous agent has all sorts of deep problems.

News article.

Slashdot story

All it takes to poison AI training data is to create a website:

I spent 20 minutes writing an article on my personal website titled “The best tech journalists at eating hot dogs.” Every word is a lie. I claimed (without evidence) that competitive hot-dog-eating is a popular hobby among tech reporters and based my ranking on the 2026 South Dakota International Hot Dog Championship (which doesn’t exist). I ranked myself number one, obviously. Then I listed a few fake reporters and real journalists who gave me permission….

Less than 24 hours later, the world’s leading chatbots were blabbering about my world-class hot dog skills. When I asked about the best hot-dog-eating tech journalists, Google parroted the gibberish from my website, both in the Gemini app and AI Overviews, the AI responses at the top of Google Search. ChatGPT did the same thing, though Claude, a chatbot made by the company Anthropic, wasn’t fooled.

Sometimes, the chatbots noted this might be a joke. I updated my article to say “this is not satire.” For a while after, the AIs seemed to take it more seriously.

These things are not trustworthy, and yet they are going to be widely trusted.

Politicians fixate on the global race for technological supremacy between US and China. They debate geopolitical implications of chip exports, latest model releases from each country, and military applications of AI. Someday, they believe, we might see advancements in AI tip the scales in a superpower conflict.

But the most important arms race of the 21st century is already happening elsewhere and, while AI is definitely the weapon of choice, combatants are distributed across dozens of domains.

Academic journals are flooded with AI-generated papers, and are turning to AI to help review submissions. Brazil’s court system started using AI to triage cases, only to face an increasing volume of cases filed with AI help. Open source software developers are being overwhelmed with code contributions from bots. Newspapers, music, social media, education, investigative journalism, hiring, and procurement are all being disrupted by a massive expansion of AI use.

Each of these is an arms race. Adversaries within a system iteratively seeking an edge against their competition by continuously expanding their use of a common technology.

Beneficiaries of these arms races are US mega-corporations capturing wealth from the rest of us at an unprecedented rate. A substantial fraction of global economy has reoriented around AI in just the past few years, and that trend is accelerating. In parallel, this industry’s lobbying interests are quickly becoming the object, rather than the subject, of US government power.

To understand these arms races, let’s look at an example of particular interest to democracies worldwide: how AI is changing the relationship between democratic government and citizens. Interactions that used to happen between people and elected representatives are expanding to a massive scale, with AIs taking the roles that humans once did.

In a notorious example from 2017, US Federal Communications Commission opened a comment platform on the web to get public input on internet regulation. It was quickly flooded with millions of comments fraudulently orchestrated by broadband providers to oppose FCC regulation of their industry. From the other side, a 19-yearold college student responded by submitting millions of comments of his own supporting the regulation. Both sides were using software primitive by the standards of today’s AI.

Nearly a decade later, it is getting harder for citizens to tell when they’re talking to a government bot, or when an online conversation about public policy is just bots talking to bots. When constituents leverage AI to communicate better, faster, and more, it pressures government officials to do the same.

This may sound futuristic, but it’s become a familiar reality in US. Staff in US Congress are using AI to make their constituent email correspondence more efficient. Politicians campaigning for office are adopting AI tools to automate fundraising and voter outreach. By one 2025 estimate, a fifth of public submissions to the Consumer Financial Protection Bureau were already being generated with AI assistance.

People and organizations are adopting AI here because it solves a real problem that has made mass advocacy campaigns ineffective in the past: quantity has been inversely proportional to both quality and relevance. It’s easy for government agencies to dismiss general comments in favour of more specific and actionable ones. That makes it hard for regular people to make their voices heard. Most of us don’t have the time to learn the specifics or to express ourselves in this kind of detail. AI makes that contextualization and personalization easy. And as the volume and length of constituent comments grow, agencies turn to AI to facilitate review and response.

That’s the arms race. People are using AI to submit comments, which requires those on the receiving end to use AI to wade through the comments received. To the extent that one side does attain an advantage, it will likely be temporary. And yet, there is real harm created when one side exploits another in these adversarial systems. Constituents of democracies lose out if their public servants use AI-generated responses to ignore and dismiss their voices rather than to listen to and include them. Scientific enterprise is weakened if fraudulent papers sloppily generated by AI overwhelm legitimate research.

As we write in our new book, Rewiring Democracy, the arms race dynamic is inevitable. Every actor in an adversarial system is incentivized and, in the absence of new regulation in this fast moving space, free to use new technologies to advance its own interests. Yet some of these examples are heartening. They signal that, even if you face an AI being used against you, there’s an opportunity to use the tech for your own benefit.

But, right now, it’s obvious who is benefiting most from AI. A handful of American Big Tech corps and their owners are extracting trillions of dollars from the manufacture of AI chips, development of AI data centers, and operation of so-called ‘frontier’ AI models. Regardless of which side pulls ahead in each arms race scenario, the house always wins. Corporate AI giants profit from the race dynamic itself.

As formidable as the near-monopoly positions of today’s Big Tech giants may seem, people and governments have substantial capability to fight back. Various democracies are resisting this concentration of wealth and power with tools of anti-trust regulation, protections for human rights, and public alternatives to corporate AI. All of us worried about the AI arms race and committed to preserving the interests of our communities and our democracies should think in both these terms: how to use the tech to our own advantage, and how to resist the concentration of power AI is being exploited to create.

This essay was written with Nathan E. Sanders, and originally appeared in The Times of India.

Good article on password managers that secretly have a backdoor.

New research shows that these claims aren’t true in all cases, particularly when account recovery is in place or password managers are set to share vaults or organize users into groups. The researchers reverse-engineered or closely analyzed Bitwarden, Dashlane, and LastPass and identified ways that someone with control over the server­—either administrative or the result of a compromise­—can, in fact, steal data and, in some cases, entire vaults. The researchers also devised other attacks that can weaken the encryption to the point that ciphertext can be converted to plaintext.

This is where I plug my own Password Safe. It isn’t as full-featured as the others and it doesn’t use the cloud at all, but it’s actual encryption with no recovery features.

Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand’s real website, and then acts as a relay between the target and the legitimate site — forwarding the victim’s username, password and multi-factor authentication (MFA) code to the legitimate site and returning its responses.

There are countless phishing kits that would-be scammers can use to get started, but successfully wielding them requires some modicum of skill in configuring servers, domain names, certificates, proxy services, and other repetitive tech drudgery. Enter Starkiller, a new phishing service that dynamically loads a live copy of the target login page and records everything the user types, proxying the data to the legitimate site and back to the victim.

According to an analysis of Starkiller by the security firm Abnormal AI, the service lets customers select a brand to impersonate (e.g., Apple, Facebook, Google, Microsoft et. al.) and generates a deceptive URL that visually mimics the legitimate domain while routing traffic through the attacker’s infrastructure.

For example, a phishing link targeting Microsoft customers appears as “login.microsoft.com@[malicious/shortened URL here].” The “@” sign in the link trick is an oldie but goodie, because everything before the “@” in a URL is considered username data, and the real landing page is what comes after the “@” sign. Here’s what it looks like in the target’s browser:

Once Starkiller customers select the URL to be phished, the service spins up a Docker container running a headless Chrome browser instance that loads the real login page, Abnormal found.

“The container then acts as a man-in-the-middle reverse proxy, forwarding the end user’s inputs to the legitimate site and returning the site’s responses,” Abnormal researchers Callie Baron and Piotr Wojtyla wrote in a blog post on Thursday. “Every keystroke, form submission, and session token passes through attacker-controlled infrastructure and is logged along the way.”

Starkiller in effect offers cybercriminals real-time session monitoring, allowing them to live-stream the target’s screen as they interact with the phishing page, the researchers said.

“The platform also includes keylogger capture for every keystroke, cookie and session token theft for direct account takeover, geo-tracking of targets, and automated Telegram alerts when new credentials come in,” they wrote. “Campaign analytics round out the operator experience with visit counts, conversion rates, and performance graphs—the same kind of metrics dashboard a legitimate SaaS [software-as-a-service] platform would offer.”

Abnormal said the service also deftly intercepts and relays the victim’s MFA credentials, since the recipient who clicks the link is actually authenticating with the real site through a proxy, and any authentication tokens submitted are then forwarded to the legitimate service in real time.

“The attacker captures the resulting session cookies and tokens, giving them authenticated access to the account,” the researchers wrote. “When attackers relay the entire authentication flow in real time, MFA protections can be effectively neutralized despite functioning exactly as designed.”

Starkiller is just one of several cybercrime services offered by a threat group calling itself Jinkusu, which maintains an active user forum where customers can discuss techniques, request features and troubleshoot deployments. One a-la-carte feature will harvest email addresses and contact information from compromised sessions, and advises the data can be used to build target lists for follow-on phishing campaigns.

This service strikes me as a remarkable evolution in phishing, and its apparent success is likely to be copied by other enterprising cybercriminals (assuming the service performs as well as it claims). After all, phishing users this way avoids the upfront costs and constant hassles associated with juggling multiple phishing domains, and it throws a wrench in traditional phishing detection methods like domain blocklisting and static page analysis.

It also massively lowers the barrier to entry for novice cybercriminals, Abnormal researchers observed.

“Starkiller represents a significant escalation in phishing infrastructure, reflecting a broader trend toward commoditized, enterprise-style cybercrime tooling,” their report concludes. “Combined with URL masking, session hijacking, and MFA bypass, it gives low-skill cybercriminals access to attack capabilities that were previously out of reach.”