Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Crooks abuse GitHub platform to host phishing kits

Experts at Proofpoint discovered that free code repositories on GitHub have been abused since at least 2017 to host phishing websites. Researchers at Proofpoint reported that crooks are abusing free code repositories on GitHub to host phishing websites and bypass security defenses. Experts discovered that cybercriminals are abusing the GitHub service since at least mid-2017. […]

phishing Github sites

Experts at Proofpoint discovered that free code repositories on GitHub have been abused since at least 2017 to host phishing websites.

Researchers at Proofpoint reported that crooks are abusing free code repositories on GitHub to host phishing websites and bypass security defenses. Experts discovered that cybercriminals are abusing the GitHub service since at least mid-2017.

The phishing websites were hosted on the canonical $github_username.github.io domain. Attackers are using stolen brand graphics to make their pages resemble the brand they were abusing.

“Since at least mid-2017, phishers have also been abusing free code repositories on the popular GitHub service to host phishing websites on the canonical  $github_username.github.io domain.” reads the post published by Proofpoint. “threat actors establish a canonical code repository site within the github.io canonical domain that resembles the brand they are abusing.”

The inspection of the lookalike GitHub account used by crooks revealed
the files in the phishing kit are viewable as follows, experts noticed that the HTML code is lightly encoded in order to obfuscate the content.

phishing Github sites

The code sends credentials provided by the users in an HTTP POST request to another compromised site under the control of the attackers.

The phishing kits do not use typical hosted PHP methods because the github.io platform does not provide PHP back-end services.

Experts observed that cybercriminals in some cases used the github.io domain as a traffic redirector with the intent to ensure that the actual phishing page remains live for a bit longer.

The drawback in using public GitHub accounts it that security researchers have major visibility into the threat actors’ activity and on the changes to their phishing pages.

Proofpoint identified a particular user, “greecpaid,” who manages several phishing kits hosted on GitHub repositories.

Proofpoint reported its findings to GitHub that took down the accounts hosting phishing kits.

“In the past, threat actors have been able to evade detection by using well-known and trusted consumer cloud, social networking, and commerce services to host files as well as web hosts. Microsoft’s free accounts on the GitHub service, which have typically been used for Open Source and other public software development repositories, are equally vulnerable to widespread abuse,” Proofpoint concludes. 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – GitHub, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]