A recent phishing campaign has been identified targeting developers through the exploitation of GitHub’s legitimate infrastructure. This sophisticated attack poses a significant threat to corporate information security, particularly for developers with administrative access to company repositories.
The attack begins with an email supposedly sent from a legitimate GitHub address, offering an attractive job opportunity with a salary of $180,000 per year along with generous benefits. Recipients are lured into applying for the position via a link provided in the email. Despite the email originating from a genuine address, there are several red flags pointing towards its malicious intent. The email subject often does not align with the job offer, and the use of a notification address for job offers is uncommon. Furthermore, the email lists several GitHub usernames, adding to the suspicion.
If recipients click on the link provided in the email, they are directed to a fake GitHub career site, such as githubtalentcommunity[.]online or githubcareers[.]online. Here, developers are asked to log in to their GitHub accounts and authorize a malicious OAuth application. This application requests extensive permissions, including access to private repositories and the ability to delete them.
According to reports from Kaspersky, once the malicious OAuth application is authorized, attackers exploit the granted permissions by emptying the victim’s repositories, renaming them, and leaving behind a single README.me file. This file contains a ransom note stating that a data backup has been made and instructing the victim to contact a Gitloker user on Telegram to restore the data.
The attackers send these phishing emails through GitHub’s discussion system, using compromised accounts to create messages under various topics and tag multiple users. All tagged users receive emails from a legitimate email address, making the attack seem more credible. These messages are often deleted immediately after being sent, making detection more challenging.
To protect against GitHub phishing attacks, developers are advised to scrutinize email details, avoid clicking suspicious links, and review the permissions an OAuth application requests before authorizing it. By following these recommendations, developers can help safeguard themselves and their organizations against malicious phishing campaigns.
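As an added example (not part of the original report or Kaspersky's analysis), the script below triages a notification e-mail against the red flags described above: links whose hostname mentions "github" but is not a GitHub-owned domain, a subject that does not match a job-offer body, and many tagged users. The allow-list of GitHub-owned domains, the mention threshold and the sample message are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Domains GitHub itself controls (assumed allow-list). Any other hostname that
# mentions "github" is treated as a lookalike lure domain.
GITHUB_SUFFIXES = ("github.com", "github.io", "githubusercontent.com")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
# @mention not preceded by a word character or dot, so e-mail addresses are skipped.
MENTION_RE = re.compile(r"(?<![\w.])@([A-Za-z0-9][A-Za-z0-9-]*)")

def refang(text):
    """Undo common IOC defanging so report-style text can be scanned as well."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def is_github_owned(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in GITHUB_SUFFIXES)

def lookalike_links(body):
    """Return (url, host) pairs whose host mentions 'github' but is not GitHub-owned."""
    hits = []
    for url in URL_RE.findall(refang(body)):
        host = urlparse(url).hostname or ""
        if "github" in host.lower() and not is_github_owned(host):
            hits.append((url, host))
    return hits

def triage(subject, body, max_mentions=2):
    """Collect the red flags found in one notification e-mail."""
    links = lookalike_links(body)
    mentions = sorted(set(MENTION_RE.findall(body)))
    reasons = []
    if links:
        reasons.append("lookalike GitHub domain in link")
    if len(mentions) > max_mentions:
        reasons.append("many tagged users")
    if "job" in body.lower() and not any(w in subject.lower() for w in ("job", "career")):
        reasons.append("subject does not match job-offer body")
    return {"links": links, "mentions": mentions, "reasons": reasons,
            "suspicious": bool(reasons)}

# Constructed sample modelled on the campaign, not a real captured message.
SAMPLE_SUBJECT = "[org/repo] Re: build failure on main"
SAMPLE_BODY = """Hi @alice @bob @carol, GitHub is hiring! Job offer: Senior Developer, $180,000/yr plus benefits.
Apply here: https://githubtalentcommunity[.]online/apply
Also see https://githubcareers[.]online/jobs
Docs: https://docs.github.com/en/apps"""

if __name__ == "__main__":
    print(triage(SAMPLE_SUBJECT, SAMPLE_BODY))
```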
As attackers continue to refine their methods, awareness and proactive measures remain crucial in defending against such threats. Staying vigilant and implementing security best practices can go a long way in mitigating the risk posed by sophisticated phishing attacks.