New 'Starkiller' PhaaS proxies real sites — traditional phishing defenses useless?

Just saw the Krebs writeup on 'Starkiller,' and it looks like the PhaaS (Phishing-as-a-Service) ecosystem is evolving faster than our static filters can keep up. Unlike traditional kits that host a copy of a login page—which we can easily hash and block—Starkiller uses a reverse proxy to serve the actual target website to the victim.

This means the HTML, CSS, and even the JavaScript loading behavior are identical to the legitimate site. The attacker acts as a 'man-in-the-middle,' relaying credentials and, crucially, the MFA tokens in real-time. Since the content is technically from the legitimate domain (just proxied), standard reputation-based web filters often miss it.

I've been looking into ways to detect this behavior on the client side, primarily by analyzing the DOM for injection hooks that these proxy tools often rely on to hijack session cookies. Here is a quick Python snippet using selenium to check for common network interception patterns often seen in these kits:

from selenium import webdriver
from selenium.webdriver.chrome.options import Options

def_check_proxy_hijack(url):
    options = Options()
    options.add_argument("--headless")
    driver = webdriver.Chrome(options=options)
    
    try:
        driver.get(url)
        # Check for window.performance hooks often used by proxy kits
        script = "return Object.keys(window.performance).length"
        key_count = driver.execute_script(script)
        
        # Heuristic: Unusually high key count suggests hook injection
        if key_count > 50: 
            return "Suspicious hooking detected"
        return "Likely clean"
    finally:
        driver.quit()

While this isn't foolproof, it gives us a heuristic to investigate. However, with real-time MFA bypassing becoming standard in these services, are we finally reaching the point where SMS/App-based TOTP is dead and FIDO2/WebAuthn is mandatory for everyone?