GitHub accounts are being targeted in an ongoing phishing campaign

GitHub accounts are being targeted in an ongoing phishing campaign

by Posted on

Microsoft owned code hosting platform “GitHub” is being targeted in an ongoing Sawfish phishing campaign that is specifically designed to steal user credentials of the GitHub customers using a phishing site.

According to GitHub, the ongoing Sawfish phishing campaign displays a message to the GitHub users saying that “the repository or setting in a GitHub user’s account has changed or that unauthorized activity has been detected.”

“The message goes on to invite users to click on a malicious link to review the change. Specific details may vary since there are many different lure messages in use”, says GitHub.

Github accounts are being targeted with the phishing emails
Image: Typical example of a phishing email sent in Sawfish phishing campaign (GitHub)

As shown in an image above, if a user clicks on the malicious link, it redirects to a fake landing page that is mimicking the original login page of GitHub and steals user credentials.

Using this fake landing page, the hacker can also bypass the GitHub user accounts that are protected by the TOTP-based Two-factor authentication.

Whereas, accounts protected by hardware security keys are not vulnerable to this attack.

The Sawfish phishing campaign is leveraging phishing emails that are sourced from the legitimate domains, using compromised email servers or stolen API credentials for legitimate bulk email providers.

Companies specifically in the tech sector are being targeted by this campaign.

“If the attacker successfully steals GitHub user account credentials, they may quickly create GitHub personal access tokens or authorize OAuth applications on the account in order to preserve access in the event that the user changes their password.”, says GitHub’s security incident response team (SIRT).

To protect against Sawfish attack, GitHub recommends its users to follow these instructions:

“In order to prevent phishing attacks (which collect two-factor codes) from succeeding, consider using hardware security keys or WebAuthn two-factor authentication. Also, consider using a browser-integrated password manager.”, Github SIRT further suggests.

GitHub also provided a list of phishing domains used for phishing by cybercriminals:

aws-update[.]net
corp-github[.]com
ensure-https[.]com
git-hub[.]co
git-secure-service[.]in
githb[.]co
glt-app[.]net
glt-hub[.]com
glthub[.]co
glthub[.]info
glthub[.]net
glthubb[.]info
glthube[.]app
glthubs[.]com
glthubs[.]info
glthubs[.]net
glthubse[.]info
slack-app[.]net
ssl-connection[.]net
sso-github[.]com
sts-github[.]com
tsl-github[.]com
Share with your friends:

Published by Kanishk Tagade

Founder and Editor at QuickCyber. Kanishk is a cybersecurity enthusiast, security researcher, and an enterprise growth marketer. He's also a community member of the Nasscom community and corporate contributor at many technology magazines and security awareness platforms. He is also a social micro-influencer for cybersecurity, Infosecurity, digital transformation, and artificial intelligence technologies.

Leave a Reply

Your email address will not be published. Required fields are marked *