Hosting service GitHub and software company CircleCI are alerting their users of a phishing scam detected on September 16. As per reports, the scammers are sending emails to GitHub through CircleCI to gather user credentials and two-factor authentication (2FA) codes.
How users are targeted
Following the attack, GitHub, the internal hosting service for software development, asked its users to stay alert of such scammers, who are trying to steal account credentials and two-factor codes. However, the report added that the users who opted for multi-factor authentication (MFA) and used hardware security keys for multi-factor authentication were not vulnerable to the phishing links that relayed details through reverse proxies.
While GitHub assured in its security alert that the website was not impacted due to the cyberattack, the company added that other organizations might have been compromised. Several users received fake messages stating that their CircleCI sessions had expired, following which they were required to log in again. However, to do the same, they were taken to a hoax GitHub login page.
Some of the phishing domains released in the report are:
CircleCI alerts users
CircleCI also posted a security alert last week informing users about the phishing campaign, adding that the company would never ask users to log in to review updates to terms of service. Moreover, the company urged users who might have clicked on the phishing links to change their password and check their systems for any suspicious activities.
What attackers can do after successfully harvesting credentials
Scammers can create GitHub personal access tokens (PATs), authorize OAuth applications, and add SSH keys for continued access to the site, even if the user changes their password. Moreover, they can download content and create new GitHub user accounts that otherwise require management intervention.
The companies have alerted users, but the attacks are still ongoing, leaving many vulnerable. Hence, users have been asked to maintain caution while clicking on links that require their login details.