GitHub users are currently being targeted by a phishing campaign specifically designed to collect and steal their credentials via landing pages mimicking GitHub’s login page.
Besides taking over the accounts, the attackers immediately download the contents of private repositories, including but not limited to “those owned by organization accounts and other collaborators.”
“If the attacker successfully steals GitHub user account credentials, they may quickly create GitHub personal access tokens or authorize OAuth applications on the account in order to preserve access in the event that the user changes their password,” GitHub’s Security Incident Response Team (SIRT) says.
GitHub’s SIRT published information on this ongoing phishing campaign dubbed Sawfish to increase awareness and allow users that might be targeted to protect their accounts and repositories.
Phishing attack targets active GitHub accounts
The phishing emails use various lures to trick targets into clicking the malicious link embedded in the messages: some say that unauthorized activity was detected, while others mention repository or settings changes to the targeted user’s account.
Users who get tricked and click to check their account’s activity are then redirected to a fake GitHub login page that collects their credentials and sends them to attacker-controlled servers.
The phishing landing page will also exfiltrate the victims’ 2FA codes in real-time if they’re using a time-based one-time password (TOTP) mobile app, making it possible for the attackers behind this campaign “to break into accounts protected by TOTP-based two-factor authentication.”
However, “[a]ccounts protected by hardware security keys are not vulnerable to this attack,” the Git repository hosting service’s SIRT explains.
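The difference between the two factors comes down to what gets sent to the server. A TOTP code is a bare secret-derived value that is valid for anyone who submits it within its time window, so a fake login page can forward it. A WebAuthn/security-key assertion signs data that includes the origin the browser was actually on, so the relying party can reject it. The following is an added illustration, not GitHub's code: it implements RFC 6238 TOTP with the standard library and a deliberately simplified model of an origin-bound assertion (an HMAC key stands in for the credential's private key, and the challenge, secret, and the phishing origin `github-login.example` are all constructed). Real WebAuthn additionally scopes the credential to an RP ID and the browser refuses to use it on a non-matching origin; that layer is omitted here.

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed demo values; none of these belong to a real account.
TOTP_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")
AUTHENTICATOR_KEY = b"demo-authenticator-key"   # stands in for the credential private key
RP_ID = "github.com"
EXPECTED_ORIGIN = "https://github.com"
PHISH_ORIGIN = "https://github-login.example"   # constructed lookalike origin


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def server_verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The server only checks that the code matches the current window; it cannot see where it was typed."""
    return hmac.compare_digest(submitted, totp(secret, unix_time))


def simulate_totp_relay(now: int = 1_600_000_000) -> bool:
    """User types the code into the fake page; it reaches the real server 5 s later, inside the 30 s window."""
    code_typed_on_phish_page = totp(TOTP_SECRET, now)
    return server_verify_totp(TOTP_SECRET, code_typed_on_phish_page, now + 5)


def browser_get_assertion(page_origin: str, challenge: str) -> dict:
    """Model of navigator.credentials.get(): the browser, not the page, writes the origin into clientData."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}, sort_keys=True
    ).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest()          # rpIdHash part of authenticatorData
    signed = auth_data + hashlib.sha256(client_data).digest()    # what a real authenticator signs
    signature = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify_assertion(assertion: dict, issued_challenge: str) -> bool:
    """Relying-party checks: origin, challenge, rpIdHash, and the signature that binds them together."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False
    if client_data.get("challenge") != issued_challenge:
        return False
    if assertion["authenticatorData"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def simulate_origin_bound_login(page_origin: str) -> bool:
    """Login attempt with an assertion produced while the user was on page_origin."""
    challenge = "constructed-challenge-0001"
    return rp_verify_assertion(browser_get_assertion(page_origin, challenge), challenge)


def simulate_relay_with_rewritten_origin() -> bool:
    """Assertion captured on the phishing origin, with clientData edited to claim the real origin.
    The signature covers the hash of the original clientDataJSON, so the edited copy fails."""
    challenge = "constructed-challenge-0001"
    assertion = browser_get_assertion(PHISH_ORIGIN, challenge)
    edited = json.loads(assertion["clientDataJSON"])
    edited["origin"] = EXPECTED_ORIGIN
    assertion["clientDataJSON"] = json.dumps(edited, sort_keys=True).encode()
    return rp_verify_assertion(assertion, challenge)


if __name__ == "__main__":
    print("TOTP relayed through fake page accepted:", simulate_totp_relay())
    print("Security key on real origin accepted:", simulate_origin_bound_login(EXPECTED_ORIGIN))
    print("Security key on phishing origin accepted:", simulate_origin_bound_login(PHISH_ORIGIN))
    print("Phishing assertion with rewritten origin accepted:", simulate_relay_with_rewritten_origin())
```

The first result is the whole problem with TOTP in a real-time relay: the server sees a correct code and has no way to tell it was typed on another site. The last two results show why the origin binding matters: the assertion made on the lookalike origin is rejected outright, and rewriting the origin field after the fact breaks the signature.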
This ongoing phishing campaign targets currently active GitHub users working for tech companies in multiple countries; the attackers harvest the targets’ email addresses from public commits.
The phishing emails are delivered from legitimate domains, either using previously-compromised email servers or with the help of stolen API credentials for legitimate bulk email service providers.
Attackers behind this campaign also use URL-shortening services to hide the landing pages’ URLs, and have been observed chaining multiple URL-shortening services for additional obfuscation.
To further help them make the malicious links used in the attack look less suspicious, the threat actors also use PHP-based redirectors on compromised sites.
How to defend against these phishing attacks
Users that haven’t configured two-factor authentication for their GitHub accounts using a security key are advised by the Microsoft-owned company to:
- Reset their password immediately.
- Reset their two-factor recovery codes immediately.
- Review their personal access tokens.
- Take additional steps to review and secure their accounts.
“In order to prevent phishing attacks (which collect two-factor codes) from succeeding, consider using hardware security keys or WebAuthn two-factor authentication,” GitHub also advises users. “Also consider using a browser-integrated password manager.”
“These provide a degree of phishing protection by auto-filling or otherwise recognizing only a legitimate domain for which you have previously saved a password.
“If your password manager doesn’t recognize the website you’re visiting, it might be a phishing site.”
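The protection a browser-integrated password manager offers is exactly this origin check: it fills a saved login only on the site where the login was saved, so a lookalike hostname gets nothing. The following added example (not code from any real password manager; the vault entry and test URLs are constructed) shows the decision a manager makes, including the cases the article’s campaign relies on: a shortened or redirected link that lands on a different host, a hostname that merely starts with `github.com`, credentials smuggled into the URL’s userinfo part, and a punycode homograph.

```python
from urllib.parse import urlsplit

# Constructed vault: one saved login, keyed by the host it was saved on.
VAULT = {"github.com": {"username": "dev@example.org"}}


def hostname_for(url: str):
    """Return the real hostname the browser would connect to, or None if not an https URL.
    urlsplit() discards any userinfo, so https://github.com@evil.example/ resolves to evil.example."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    return parts.hostname


def matches_saved_host(host: str, saved_host: str) -> bool:
    """Exact host or a subdomain of it; 'github.com.evil.example' does not end with '.github.com'."""
    return host == saved_host or host.endswith("." + saved_host)


def autofill_decision(url: str) -> tuple:
    """('fill', saved_host) when a saved login applies, otherwise ('no-fill', reason)."""
    host = hostname_for(url)
    if host is None:
        return ("no-fill", "not an https URL")
    if host.startswith("xn--") or ".xn--" in host:
        return ("no-fill", "punycode hostname, possible homograph")
    for saved_host in VAULT:
        if matches_saved_host(host, saved_host):
            return ("fill", saved_host)
    return ("no-fill", f"no saved login for {host}")


if __name__ == "__main__":
    for candidate in [
        "https://github.com/login",
        "https://gist.github.com/",
        "https://github.com.evil.example/login",      # constructed lookalike
        "https://github.com@evil.example/login",      # userinfo trick
        "https://xn--gthub-7va.com/login",            # constructed punycode host
        "http://github.com/login",
    ]:
        print(candidate, "->", autofill_decision(candidate))
```

A landing page reached through a chain of URL shorteners ends up at whatever host the final redirect points to, and that is the only host the check sees; the shortener and any PHP redirector in between never enter the comparison. The no-fill outcome is the signal the quoted advice refers to: if the manager stays silent on what looks like the login page, treat the page as suspect.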
One year ago, attackers were using GitHub’s platform to host their phishing kits, abusing the service’s free repositories to deliver them via github.io pages.