1 min read

GitHub Warns Users of Ongoing CircleCI Phishing Campaign

Silviu STAHIE

September 26, 2022

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
GitHub Warns Users of Ongoing CircleCI Phishing Campaign

GitHub security researchers have discovered criminals target their users by sending them messages seemingly from CircleCI, a delivery platform used to implement DevOps practices.

Many companies use GitHub daily and rely heavily on its services. For criminals, this only means one thing: another company to impersonate to steal credentials from its customers.

In the current campaign, GitHub users who rely on CircleCI for their projects received emails with simple statements regarding expired sessions. Of course, threat actors try to prompt potential victims to click on links and use their GitHub credentials.

What makes this attack different from those normally seen in the wild is that attackers designed the campaign to target accounts protected by 2FA as well.

“Clicking the link takes the user to a phishing site that looks like the GitHub login page but steals any credentials entered,” explained the security researchers. “For users with TOTP-based two-factor authentication (2FA) enabled, the phishing site also relays any TOTP codes to the threat actor and GitHub in real time, allowing the threat actor to break into accounts protected by TOTP-based 2FA.”

If the attack on a user succeeds, criminals could create GitHub personal access tokens (PATs) or even add SSH keys to the account, so it doesn’t matter if the user changes the password. They also download any repositories the hack exposes and even create new GitHub user accounts if the victim’s account has the correct permissions.

The campaign is all the more convincing because the domains used in the phishing attack are very similar to the official ones.

· circle-ci[.]com
· emails-circleci[.]com
· circle-cl[.]com
· email-circleci[.]com

GitHub already removed threat actor-added credentials for impacted users and issued notifications to all affected accounts. While GitHub removed all accounts controlled by attackers, it’s still a good idea to watch out for suspicious emails or messages.

As usual, users with hardware security keys haven’t been affected. GitHub also advised users to switch to WebAuthn for more security.

tags


Author



Right now

Top posts

How to monitor your online privacy during your Thanksgiving trip

How to monitor your online privacy during your Thanksgiving trip

November 22, 2022

3 min read
Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

November 16, 2022

6 min read
Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

November 14, 2022

5 min read
August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August 31, 2022

4 min read
Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor

Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor

August 30, 2022

2 min read
What is medical identity theft and how to protect against it

What is medical identity theft and how to protect against it

July 27, 2022

2 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Some Phone Manufacturers Didn't Implement Vital Security Patch for ARM Mali GPU, Google Researchers Find Some Phone Manufacturers Didn't Implement Vital Security Patch for ARM Mali GPU, Google Researchers Find
Silviu STAHIE

November 29, 2022

1 min read
Apple Users Report Seeing Other People's Photos When Using iCloud for Windows Apple Users Report Seeing Other People's Photos When Using iCloud for Windows
Silviu STAHIE

November 25, 2022

1 min read
How SIM Swapping Attacks Work and How to Protect Yourself How SIM Swapping Attacks Work and How to Protect Yourself
Filip TRUȚĂ

November 25, 2022

3 min read