GitHub Users

Till now, it seems that the current year, of course, 2020 is not being a good year in terms of computer security and other things as well, as COVID-19 has cursed everything. 

As recently, the Incident Response Team (SIRT) of the well-known portal, GitHub has warned users about a phishing campaign in which hackers have stolen credentials through the landing pages they pretend to be GitHub’s real pages.

Moreover, the campaign is known as Sawfish, and during the campaign, the cybercriminals not only hack into other people’s accounts but also immediately upload the entire contents of their repositories. 

However, apart from all these things, the Incident Response Team (SIRT) has reported that “if an attacker successfully steals the credentials of a GitHub user, then he/she can easily and quickly create access tokens or authorize OAuth applications in order to maintain access to the account in case the user changes his/her password.”

Basically, the primary tool to access the accounts is email. Yes, the attack simply begins with the phishing email, in which attackers simply use various tricks to get recipients to click on the malicious link included in the text.

If the victim clicks on the link provided in the email by the attackers, then the user will be taken to a fake GitHub authorization page that simply sends the credentials entered by the user to the servers controlled by the attackers.

Moreover, apart from all these things, the accounts that are protected by two-factor authentication based on TOTP technology can also become the victims of this attack. But, hold on, the user who has their accounts protected with hardware keys will not be vulnerable to this attack.

How to protect yourself

First of all, if you think that you might have entered your credentials on a phishing page then simply you should follow the following steps that we have mentioned below:-

  • Immediately reset your password.
  • Immediately reset your two-factor recovery codes.
  • Review your access tokens.
  • Take extra measures to analyze and secure your account.

Known phishing domains

According to the portal, here is a list of phishing domains, but the fact is that most of these domains are already offline. However, we should stay alert, as the hackers usually create new domains and continue to do these types of activities:-

  • aws-update[.]net
  • corp-github[.]com
  • ensure-https[.]com
  • git-hub[.]co
  • git-secure-service[.]in
  • githb[.]co
  • glt-app[.]net
  • glt-hub[.]com
  • glthub[.]co
  • glthub[.]info
  • glthub[.]net
  • glthubb[.]info
  • glthube[.]app
  • glthubs[.]com
  • glthubs[.]info
  • glthubs[.]net
  • glthubse[.]info
  • slack-app[.]net
  • ssl-connection[.]net
  • sso-github[.]com
  • sts-github[.]com
  • tsl-github[.]com

According to the Incident Response Team (SIRT), the campaign is still active, and the cybercriminals are only targeting the active accounts owned by the well-known technology companies around the world. However, despite all these things, we recommend you all to change your password right now simply to ensure the security of your account.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.