GitHub users are currently being targeted by a phishing campaign specifically designed to collect and steal their credentials via landing pages mimicking GitHub’s login page, just a couple of weeks after the announcement of the new GitHub Sponsors service.
Besides taking over their accounts, the attackers are also immediately downloading the contents of private repositories, including but not limited to “those owned by organization accounts and other collaborators.”
“If the attacker successfully steals GitHub user account credentials, they may quickly create GitHub personal access tokens or authorize OAuth applications on the account in order to preserve access in the event that the user changes their password,” GitHub’s Security Incident Response Team (SIRT) says.
GitHub’s SIRT published information on this ongoing phishing campaign dubbed Sawfish to increase awareness and allow users that might be targeted to protect their accounts and repositories.
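The persistence pattern SIRT describes above (a freshly phished session immediately minting a personal access token or authorizing an OAuth app) is something an organization can hunt for in its own audit data. The following is an added example, not code from the article or from GitHub: it flags a token creation or OAuth authorization that follows, within a short window, a sign-in from an address the account has never used before. The log records, the action names and the list of previously seen addresses are constructed for this example and do not reproduce GitHub's real audit-log schema.

```python
"""Added example: detect 'new-location login followed by persistence' in a
constructed audit log. Action names and records are made up for this demo."""
from datetime import datetime, timedelta

# Constructed sample audit entries (not real GitHub audit-log data).
SAMPLE_LOG = [
    {"ts": "2020-04-14T09:00:00", "user": "alice", "action": "user.login",
     "ip": "203.0.113.10"},
    {"ts": "2020-04-14T09:03:00", "user": "alice", "action": "personal_access_token.create",
     "ip": "203.0.113.10"},
    {"ts": "2020-04-14T09:04:00", "user": "alice", "action": "oauth_authorization.create",
     "ip": "203.0.113.10"},
    {"ts": "2020-04-14T10:00:00", "user": "bob", "action": "user.login",
     "ip": "198.51.100.7"},
    {"ts": "2020-04-14T15:00:00", "user": "bob", "action": "personal_access_token.create",
     "ip": "198.51.100.7"},
    {"ts": "2020-04-14T11:00:00", "user": "carol", "action": "user.login",
     "ip": "192.0.2.5"},
    {"ts": "2020-04-14T11:02:00", "user": "carol", "action": "oauth_authorization.create",
     "ip": "192.0.2.5"},
]

# Addresses each user has signed in from before this window (constructed).
KNOWN_IPS = {
    "alice": {"198.51.100.20"},
    "bob": {"198.51.100.7"},
    "carol": {"192.0.2.5"},
}

# Actions that give an attacker access surviving a password change (assumed names).
PERSISTENCE_ACTIONS = {"personal_access_token.create", "oauth_authorization.create"}


def find_suspicious_persistence(log, known_ips, window=timedelta(minutes=15)):
    """Return (user, action, ip) for persistence actions that occur within
    `window` of a login from an address not in that user's known set."""
    events = sorted(log, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    last_new_login = {}  # user -> (time, ip) of most recent login from an unknown IP
    alerts = []
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["action"] == "user.login":
            if e["ip"] not in known_ips.get(user, set()):
                last_new_login[user] = (t, e["ip"])
        elif e["action"] in PERSISTENCE_ACTIONS and user in last_new_login:
            t0, ip = last_new_login[user]
            if t - t0 <= window:
                alerts.append((user, e["action"], ip))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_persistence(SAMPLE_LOG, KNOWN_IPS):
        print("ALERT: %s did %s shortly after a login from new address %s" % alert)
```

Only alice trips the rule: her login came from an address outside her known set and was followed within minutes by both a token creation and an OAuth authorization. bob's token was created from a known address hours after login, and carol's authorization followed a login from a known address, so neither is flagged. In practice the window and the notion of "known" (ASN, country, device) would be tuned to the organization's baseline.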
Phishing attack targets active GitHub accounts
The phishing emails use various lures to trick targets into clicking the malicious link embedded in the messages: some say that unauthorized activity was detected, while others mention repository or settings changes to the targeted user’s account.
Users who get tricked and click to check their account’s activity are then redirected to a fake GitHub login page that collects their credentials and sends them to attacker-controlled servers.
The phishing landing page will also exfiltrate the victims’ 2FA codes in real time if they’re using a time-based one-time password (TOTP) mobile app, making it possible for the attackers behind this campaign “to break into accounts protected by TOTP-based two-factor authentication.”
However, “[a]ccounts protected by hardware security keys are not vulnerable to this attack,” the Git repository hosting service’s SIRT explains.
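The difference SIRT draws between TOTP and hardware keys comes down to what the verifier can check. A TOTP server only knows the shared secret and the clock, so a code typed into a look-alike page and forwarded within its 30-second step is indistinguishable from one typed into the real site. A FIDO/WebAuthn key, by contrast, signs data that includes the origin the browser was actually on, so an assertion produced for a phishing domain does not verify for github.com. The following is an added example, not code from the article or from GitHub: the TOTP routine follows RFC 6238 (and matches its published test vector), while the key-signing part is a deliberately simplified HMAC stand-in for a WebAuthn signature, assumed here only to show the origin binding, and all secrets and domain names are constructed.

```python
"""Added example: why a relayed TOTP code verifies but an origin-bound
hardware-key assertion does not. The key-signing step is a simplified
stand-in for WebAuthn, not the real protocol."""
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, RFC 4226 truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_server_accepts(secret: bytes, submitted_code: str, unix_time: int) -> bool:
    # The verifier has no information about *where* the code was entered;
    # any valid code inside the current step is accepted.
    return hmac.compare_digest(totp(secret, unix_time), submitted_code)


def key_sign(key: bytes, challenge: bytes, origin: str) -> bytes:
    # Simplified stand-in for a WebAuthn assertion: the authenticator's
    # signature covers the origin reported by the browser it was used in.
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


def key_server_accepts(key: bytes, challenge: bytes, expected_origin: str,
                       assertion: bytes) -> bool:
    # The relying party recomputes over its own origin; a signature made
    # for any other origin fails, no matter how quickly it was forwarded.
    expected = key_sign(key, challenge, expected_origin)
    return hmac.compare_digest(expected, assertion)


def compare_factors(secret: bytes, key: bytes, now: int, challenge: bytes):
    """Model a user interacting with a look-alike page (constructed domain)
    and the real site checking what it receives. Returns
    (totp_accepted, hardware_key_accepted)."""
    phishing_origin = "https://github-signin.example"  # constructed
    real_origin = "https://github.com"
    # TOTP: the code the user produced is valid wherever it is entered.
    forwarded_code = totp(secret, now)
    totp_accepted = totp_server_accepts(secret, forwarded_code, now)
    # Hardware key: the user's browser was on the look-alike origin, so the
    # key signed for that origin and the real site rejects the assertion.
    forwarded_assertion = key_sign(key, challenge, phishing_origin)
    key_accepted = key_server_accepts(key, challenge, real_origin, forwarded_assertion)
    return totp_accepted, key_accepted


if __name__ == "__main__":
    totp_ok, key_ok = compare_factors(b"12345678901234567890", b"demo-key", 59, b"nonce")
    print("TOTP code accepted by real site:", totp_ok)      # True
    print("Hardware-key assertion accepted:", key_ok)       # False
```

The RFC 6238 test secret `12345678901234567890` at T=59 yields 94287082 for eight digits, so the six-digit output here is 287082. The takeaway for defenders is that rotating passwords after a TOTP-phished login is not enough; the tokens and OAuth grants created in the meantime also have to be revoked, whereas origin-bound keys stop the relay at the first step.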