Representatives of the GitHub web service warned users of a massive phishing attack called Sawfish.Recently, users more and more often receive phishing emails with fake warnings about suspicious activity of a recorded account or strange changes made to the repository or settings.
“The links attached to such messages lead to a fake GitHub login page, created specifically to collect the victim’s credentials and transmit them to the attackers”, – argue GitHub representatives.
GitHub experts also note that this campaign has several noteworthy aspects. For example, a phishing page is capable of intercepting two-factor authentication codes that are generated using a TOTP application (time-based one-time password).
This allows attackers to attack 2FA protected accounts. It is emphasized that users with security keys are not affected by the problem.
Phishing emails often come from legitimate domains (which have been hacked). So, the list of phishing domains noticed by GitHub experts includes git-hub[.]Co, githb[.]Co, glthub[.]Net, glthubs[.]Com and corp-github[.]Com.
“At the same time, attacks targeted not at all users in a row, but mainly at active users working in large technology companies. Obviously, the attackers take the email addresses that the developers used for public commits”, – say GitHub researchers.
Attackers also actively use URL reduction services to hide the final phishing address (sometimes they combine several URL reduction services at once to more reliably confuse traces). In some cases, victims are first sent to a hacked legitimate site and only then directly to a phishing page.
If the attack succeeds and the recorded data fell into the hands of attackers, often hackers immediately download the entire contents of private repositories available to the compromised user (including those belonging to organizations and other employees).
Users who have suffered from these attacks are asked to immediately reset their password and two-factor recovery codes, view their access tokens and take additional measures to protect their account. In addition to hardware keys or WebAuthn 2FA, it is recommended to use password managers.
Let me remind you that recently I wrote that a site with SSL is no longer a guarantee not to fall for the bait – almost three quarters of modern phishing sites use SSL.