GitHub security researchers have discovered criminals target their users by sending them messages seemingly from CircleCI, a delivery platform used to implement DevOps practices.
Many companies use GitHub daily and rely heavily on its services. For criminals, this only means one thing: another company to impersonate to steal credentials from its customers.
In the current campaign, GitHub users who rely on CircleCI for their projects received emails with simple statements regarding expired sessions. Of course, threat actors try to prompt potential victims to click on links and use their GitHub credentials.
What makes this attack different from those normally seen in the wild is that attackers designed the campaign to target accounts protected by 2FA as well.
“Clicking the link takes the user to a phishing site that looks like the GitHub login page but steals any credentials entered,” explained the security researchers. “For users with TOTP-based two-factor authentication (2FA) enabled, the phishing site also relays any TOTP codes to the threat actor and GitHub in real time, allowing the threat actor to break into accounts protected by TOTP-based 2FA.”
If the attack on a user succeeds, criminals could create GitHub personal access tokens (PATs) or even add SSH keys to the account, so it doesn’t matter if the user changes the password. They also download any repositories the hack exposes and even create new GitHub user accounts if the victim’s account has the correct permissions.
The campaign is all the more convincing because the domains used in the phishing attack are very similar to the official ones.
GitHub already removed threat actor-added credentials for impacted users and issued notifications to all affected accounts. While GitHub removed all accounts controlled by attackers, it’s still a good idea to watch out for suspicious emails or messages.
As usual, users with hardware security keys haven’t been affected. GitHub also advised users to switch to WebAuthn for more security.