GitHub users are being targeted by a phishing campaign designed to steal their GitHub login credentials and time-based one-time password (TOTP) codes.
The attack, referred to as Sawfish by GitHub SIRT, arrives as a message that appears to come from GitHub and claims the target account has experienced unauthorized activity of some type, GitHub SIRT wrote in a blog post. The message includes a handy link where the alterations can supposedly be viewed and the situation rectified.
The link is in fact a redirect to a phishing website that mimics the GitHub login page, where the victim's credentials are harvested. For those using TOTP two-factor authentication, the malicious site captures the codes and sends them to the attacker in real time, allowing the GitHub account to be accessed instantly.
In some cases this access is used to grab and download repository contents, GitHub SIRT said.
Accounts protected by hardware security keys are not vulnerable to this attack.
GitHub SIRT listed six TTPs being used by the threat actors behind the campaign.
The phishing email is sourced from legitimate domains, using compromised email servers or stolen API credentials for legitimate bulk email providers.
Targets currently-active GitHub users across many companies in the tech sector and in multiple countries via email addresses used for public commits.
Use of URL-shortening services to conceal the true destination of the malicious link.
Use of PHP-based redirectors on compromised websites to redirect the victim from a less suspicious-looking URL to another malicious one.
In many cases, the attacker quickly downloads private repository contents accessible to the compromised user, including those owned by organization accounts and other collaborators.
GitHub administrators are searching for the phishing sites being used and filing takedown requests when they find them. They also suggest switching from TOTP two-factor authentication to a hardware key or WebAuthn two-factor authentication.
Any user who thinks they have clicked on a fraudulent message should quickly reset their login credentials.
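The sketch below is an added illustration, not code from GitHub or from the original article. It shows why GitHub SIRT recommends hardware keys or WebAuthn over TOTP: a TOTP code carries no record of the page it was typed into, while a WebAuthn assertion names the origin the browser was actually on. The function names, the look-alike host and the sample challenge are constructed, and the signature check a real relying party also performs is omitted.

```python
# Added illustration: a TOTP code verifies wherever it was typed, a WebAuthn
# assertion does not. All names and sample values here are constructed.
import hashlib, hmac, json, struct

EXPECTED_ORIGIN = "https://github.com"  # origin the genuine site expects


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the scheme authenticator apps implement."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """Server-side check: nothing in the code says where the user entered it."""
    return hmac.compare_digest(totp(secret, unix_time), code)


def client_data(origin: str, challenge: str) -> bytes:
    """What the browser builds: it records the origin of the page the user
    is really on, regardless of what that page looks like."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def verify_client_data(client_data_json: bytes, expected_challenge: str) -> bool:
    """Origin and challenge checks a relying party applies to clientDataJSON.
    The authenticator's signature covers this data, so the origin field
    cannot be rewritten in transit (signature check omitted in this sketch)."""
    data = json.loads(client_data_json)
    return (data.get("type") == "webauthn.get"
            and data.get("challenge") == expected_challenge
            and data.get("origin") == EXPECTED_ORIGIN)


if __name__ == "__main__":
    secret, now, challenge = b"12345678901234567890", 59, "c2FtcGxlLWNoYWxsZW5nZQ"
    code = totp(secret, now)  # valid on any page that displays a login form
    print("TOTP typed on look-alike page accepted:", verify_totp(secret, code, now))
    print("WebAuthn from genuine origin accepted:",
          verify_client_data(client_data(EXPECTED_ORIGIN, challenge), challenge))
    print("WebAuthn from look-alike origin accepted:",
          verify_client_data(client_data("https://login.example.invalid", challenge), challenge))
```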
Reviewed by Hacking on April 18, 2020