GitHub Warns Users of Ongoing CircleCI Phishing Campaign
GitHub security researchers have discovered criminals target their users by sending them messages seemingly from CircleCI, a delivery platform used to implement DevOps practices.
Many companies use GitHub daily and rely heavily on its services. For criminals, this only means one thing: another company to impersonate to steal credentials from its customers.
In the current campaign, GitHub users who rely on CircleCI for their projects received emails with simple statements regarding expired sessions. Of course, threat actors try to prompt potential victims to click on links and use their GitHub credentials.
What makes this attack different from those normally seen in the wild is that attackers designed the campaign to target accounts protected by 2FA as well.
“Clicking the link takes the user to a phishing site that looks like the GitHub login page but steals any credentials entered,” explained the security researchers. “For users with TOTP-based two-factor authentication (2FA) enabled, the phishing site also relays any TOTP codes to the threat actor and GitHub in real time, allowing the threat actor to break into accounts protected by TOTP-based 2FA.”
If the attack on a user succeeds, criminals could create GitHub personal access tokens (PATs) or even add SSH keys to the account, so it doesn’t matter if the user changes the password. They also download any repositories the hack exposes and even create new GitHub user accounts if the victim’s account has the correct permissions.
The campaign is all the more convincing because the domains used in the phishing attack are very similar to the official ones.
GitHub already removed threat actor-added credentials for impacted users and issued notifications to all affected accounts. While GitHub removed all accounts controlled by attackers, it’s still a good idea to watch out for suspicious emails or messages.
As usual, users with hardware security keys haven’t been affected. GitHub also advised users to switch to WebAuthn for more security.
How to monitor your online privacy during your Thanksgiving trip
November 22, 2022
Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info
November 16, 2022
Bitdefender VPN in 2022: the new, the improved, and the soon-to-be
November 14, 2022
August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War
August 31, 2022
Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor
August 30, 2022
What is medical identity theft and how to protect against it
July 27, 2022