A new phishing scheme has been targeting GitHub developers, with attackers impersonating GitHub’s security and recruitment teams. Active since February, the campaign lures victims into authorizing malicious OAuth apps, which the attackers then use to take over repositories.
Developers are lured in via deceptive job offers or security alerts sent from “[email protected]”, triggered by spam comments that tag them on various issues or pull requests. The campaign, identified by Germán Fernández from CronUp, is run under the moniker Gitloker on Telegram, where the operator poses as a cyber incident analyst.
UPDATE: Apparently this campaign is ongoing possibly since February, and also, it could be that the attackers are abusing another feature of GitHub (mention notifications?) 🤔
Two domains used in these campaigns:
▪ githubcareers[.]online
▪ githubtalentcommunity[.]online
— Germán Fernández (@1ZRR4H) June 7, 2024
Tactics Involving Deceptive Domains
Phishing emails redirect recipients to webpages such as githubcareers[.]online or githubtalentcommunity[.]online. These fake sites prompt victims to log into their GitHub accounts and grant a new OAuth app extensive permissions, including access to private repositories and administrative controls. Once approved, these malicious apps enable the attackers to commandeer the victims’ repositories.
Victims often discover their accounts disabled and repositories wiped after being reported for spam. Attackers typically rename repositories, leaving a README.me file that directs victims to contact them via Telegram to recover their data. They claim to have stolen the data and offer a purported backup for restoration.
Recommendations for Users
GitHub has been responding to user concerns since identifying the campaign. A community manager acknowledged the inconvenience and reassured users that efforts are being made to resolve the issue. Suspicious activities should be reported through GitHub’s abuse tools.
GitHub advises users to be wary of links in suspicious notifications and report them, and to avoid authorizing unfamiliar OAuth apps, as these can expose data. GitHub users are urged to change passwords to avert unauthorized actions, such as app authorizations or team modifications. Enabling two-factor authentication, adding a passkey for passwordless login, and regularly reviewing authorized SSH keys and apps are recommended to bolster security. Users should verify email addresses associated with the account, review security logs for repository changes, manage webhooks, and revoke any new deploy keys.
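The review steps in the last paragraph (new deploy keys, unfamiliar webhooks) can be scripted against the JSON the GitHub REST API returns. The following is an added example written for this article, not GitHub’s own tooling; it assumes the response shapes of GET /repos/{owner}/{repo}/keys and /repos/{owner}/{repo}/hooks, uses constructed sample records, and treats the allowlist of webhook hosts as a site-specific assumption.

```python
"""Flag deploy keys and webhooks added since a cutoff, or pointing somewhere unexpected.

Added example (not GitHub's code). Real input can be fetched with the GitHub CLI:
    gh api repos/OWNER/REPO/keys   and   gh api repos/OWNER/REPO/hooks
(OWNER/REPO are placeholders). The records below are constructed samples.
"""
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample: the shape GET /repos/{owner}/{repo}/keys returns.
SAMPLE_DEPLOY_KEYS = [
    {"id": 101, "title": "ci-readonly", "read_only": True,
     "created_at": "2023-11-02T09:14:00Z"},
    {"id": 202, "title": "backup", "read_only": False,
     "created_at": "2024-06-05T22:41:13Z"},
]
# Constructed sample: the shape GET /repos/{owner}/{repo}/hooks returns.
SAMPLE_WEBHOOKS = [
    {"id": 11, "active": True, "created_at": "2023-05-01T08:00:00Z",
     "config": {"url": "https://ci.example.org/github"}},
    {"id": 12, "active": True, "created_at": "2024-06-06T01:02:03Z",
     "config": {"url": "https://198.51.100.7/hook"}},
]
# Hosts that webhooks are expected to deliver to (assumed, site-specific allowlist).
TRUSTED_HOOK_HOSTS = {"ci.example.org"}

def _parse_ts(ts):
    # GitHub timestamps are ISO 8601 with a trailing "Z" (UTC).
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def flag_deploy_keys(keys, since):
    """Deploy keys created on/after `since` (ISO string); write-capable ones sorted first."""
    cutoff = _parse_ts(since)
    recent = [k for k in keys if _parse_ts(k["created_at"]) >= cutoff]
    return sorted(recent, key=lambda k: k["read_only"])

def flag_webhooks(hooks, since, trusted_hosts=TRUSTED_HOOK_HOSTS):
    """Webhooks created on/after `since`, or delivering to a host outside the allowlist."""
    cutoff = _parse_ts(since)
    flagged = []
    for h in hooks:
        host = urlparse(h["config"].get("url", "")).hostname or ""
        if _parse_ts(h["created_at"]) >= cutoff or host not in trusted_hosts:
            flagged.append(h)
    return flagged

def audit(keys, hooks, since):
    """Return the ids of suspicious deploy keys and webhooks for manual revocation."""
    return {"deploy_keys": [k["id"] for k in flag_deploy_keys(keys, since)],
            "webhooks": [h["id"] for h in flag_webhooks(hooks, since)]}

if __name__ == "__main__":
    # Campaign reportedly active since February 2024, so that is a sensible cutoff.
    print(audit(SAMPLE_DEPLOY_KEYS, SAMPLE_WEBHOOKS, "2024-02-01T00:00:00Z"))
```

Anything flagged should be compared against the account’s security log before it is revoked, since the script only knows creation dates and destination hosts.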
In 2022, threat actors breached identity and access management software provider Okta by gaining access to its source code repositories.
In September 2020, GitHub flagged a phishing scam involving bogus CircleCI notifications intended to steal credentials and two-factor authentication codes using reverse proxies. In March 2020, Microsoft’s GitHub account was breached, resulting in the theft of over 500GB of files from private repositories—highlighting concerns about the potential exposure of private data. The stolen data was initially intended for sale but was later leaked for free by a hacker known as ShinyHunters.
The New York Times recently verified a security breach involving its GitHub repositories, resulting in 270GB of data being posted on the 4chan forum. This incident, which took place in January 2024, led to the unauthorized disclosure of internal source code and other confidential files.
Last Updated on November 7, 2024 7:42 pm CET