Microsoft-owned code hosting service GitHub has alerted users to a phishing campaign it detected on 16 September. GitHub disclosed that the attack affected many victim organisations.
According to the GitHub report, the threat actors targeted users by impersonating the CircleCI continuous integration and delivery platform. Victims reported receiving messages claiming that their CircleCI session had expired and asking them to click the link provided and log back in with their GitHub credentials. Others reported receiving an email instructing them to sign in to their GitHub accounts to accept the company’s new Terms of Use and Privacy Policy.
Once the victim clicks the embedded link, they are redirected to a site designed to look like the GitHub login page, which steals the credentials entered. The attack was also designed to compromise accounts protected by TOTP-based two-factor authentication (2FA): the phishing site relayed the TOTP codes to both the attacker and GitHub in real time, so the threat actor could sign in to accounts protected by TOTP-based 2FA while the code was still valid.
Once inside an account, the attackers created personal access tokens and authorised OAuth apps. GitHub observed that data exfiltration began immediately after an account was compromised. Further analysis by GitHub’s security team found that the attackers used VPN or proxy providers to download the stolen data. The company notes, however, that accounts protected by hardware security keys are not vulnerable to this attack.
GitHub stated that it reset the passwords of compromised accounts and removed any additional credentials the attackers had added, then notified all affected users of the issue and provided further recommendations.
The company also recommends that users who believe they are affected take the necessary steps to avoid losing their data: reset their password and two-factor recovery codes, and review their personal access tokens and account activity for any unauthorised actions.
The report further advises users: “To prevent phishing attacks (which collect two-factor codes) from succeeding, consider using hardware security keys or WebAuthn 2FA. Also, consider using a browser-integrated password manager to autofill passwords for friendly websites.”
The GitHub report also reminds users that if their password manager does not recognise the website, it is probably a phishing site. The company reiterates that users should check that the URL in the address bar is “https://github.com/login” and that the site’s TLS certificate is issued to GitHub, Inc.
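The following is an added example, not code from GitHub or from the report, illustrating why the real-time relay described above defeats TOTP but not origin-bound WebAuthn, and why the password-manager and address-bar checks work: a TOTP code carries no information about where the user typed it, whereas a WebAuthn assertion includes the origin the browser was actually on. The secret, credential key, challenge, and the lookalike origin are all constructed placeholders; the HMAC used for the assertion signature stands in for the authenticator’s ECDSA key pair, which is a simplification.

```python
"""Why a real-time relay beats TOTP but not origin-bound WebAuthn (added example)."""
import hashlib
import hmac
import json
import struct

GENUINE_ORIGIN = "https://github.com"
# Constructed placeholder for a lookalike login page; not a real domain.
LOOKALIKE_ORIGIN = "https://github-login.example"


# ---- TOTP (RFC 6238): six digits derived only from the shared secret and the time ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # The server only sees the digits; nothing tells it which site the user typed them into.
    return hmac.compare_digest(totp(secret, unix_time), code)


def relayed_totp_accepted(secret: bytes, unix_time: int) -> bool:
    """Model of the attack in the report: the victim reads the code from their
    authenticator app and types it into the lookalike page, which forwards it to
    the genuine server within the same 30-second window. The server accepts it."""
    code_typed_on_lookalike = totp(secret, unix_time)
    return server_verify_totp(secret, code_typed_on_lookalike, unix_time)


# ---- WebAuthn-style assertion: the browser records the origin it is on ----
def authenticator_sign(cred_key: bytes, challenge: str, browser_origin: str) -> tuple[bytes, str]:
    # In WebAuthn the browser, not the web page, fills in clientData.origin.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    ).encode()
    signature = hmac.new(cred_key, client_data, hashlib.sha256).hexdigest()  # stand-in for ECDSA
    return client_data, signature


def rp_verify_assertion(cred_key: bytes, expected_challenge: str, client_data: bytes, signature: str) -> bool:
    """Relying-party side: check the signature, the challenge it issued, and the origin."""
    expected_sig = hmac.new(cred_key, client_data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, signature):
        return False
    cd = json.loads(client_data)
    return cd.get("challenge") == expected_challenge and cd.get("origin") == GENUINE_ORIGIN


def relayed_assertion_accepted(cred_key: bytes, challenge: str, browser_origin: str) -> bool:
    """A lookalike page can forward the genuine server's challenge to the victim, but the
    assertion the victim's browser produces names the lookalike origin, so the genuine
    server rejects it even though the signature itself is valid."""
    client_data, signature = authenticator_sign(cred_key, challenge, browser_origin)
    return rp_verify_assertion(cred_key, challenge, client_data, signature)


if __name__ == "__main__":
    secret, key, challenge, now = b"constructed-demo-secret", b"constructed-cred-key", "c0nstructed", 1_700_000_000
    print("relayed TOTP accepted:", relayed_totp_accepted(secret, now))
    print("assertion from genuine origin accepted:", relayed_assertion_accepted(key, challenge, GENUINE_ORIGIN))
    print("assertion from lookalike origin accepted:", relayed_assertion_accepted(key, challenge, LOOKALIKE_ORIGIN))
```

The same origin comparison is what a browser-integrated password manager performs before autofilling: the saved entry is bound to `https://github.com`, so a page on any other origin gets nothing, which is why the report treats “the password manager does not recognise the site” as a phishing indicator. Real WebAuthn additionally scopes the credential to the relying-party ID, so a lookalike origin cannot even ask the authenticator to use a github.com credential.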