GitHub phishing campaign wipes repos, extorts victims

GitHub users are being targeted by a phishing and extortion campaign that leverages the site’s notification system and a malicious OAuth app to swindle victims.

A GitHub Community discussion opened in February shows that campaign has been ongoing for nearly four months, with a social media post by CronUp Security Researcher Germán Fernández shedding new light on the scam last week.

Targets are roped into the scam when their username is mentioned (i.e. tagged) in a comment, which triggers an email to be sent to them from [email protected], a legitimate GitHub email address.

The comments left by the attacker are designed to appear like an email from GitHub staff, and an unsuspecting user who receives the notification email may not realize they are reading the contents of a comment they were mentioned rather than an email sent directly from GitHub.

Screenshots from GitHub Community discussions show the only signs that the email originates from a comment they were tagged in are the subject line, which begins with “Re:”, and a line at the bottom of the email that states, “You are receiving this because you were mentioned.”

The phishing comments purport to be from GitHub staff offering the user a job or alerting the user to a supposed security breach. The comments include a link to websites resembling GitHub domains, including githubcareers[.]online and githubtalentcommunity[.]online, which leads targets to a prompt to give an external app certain access and control over their account and repositories via OAuth.

If this request is approved, the attacker wipes the contents of the user’s repos and replaces them with a README file directing the user to contact a user called “gitloker” on Telegram in order to recover their data. The Gitloker threat actor also uses compromised accounts to post more comments triggering more phishing emails, putting the victims’ accounts in danger of deletion due to other users reporting the scam.

“Threat actors spoofing legitimate companies in order to gain access to content is nothing new, however, it is unusual for threat actors to go to such lengths in order to obtain access. What is even more unusual is that after the threat actors obtain access, they appear to only use the accounts for extortion rather than performing more advanced actions like uploading malware to the repos to infect more people,” said Max Gannon, cyber intelligence team manager at Cofense, in an email to SC Media.

Gannon noted that Gitloker claims to have made copies of the data and may also be looking for credentials and vulnerabilities, but also might be a low-skill attacker looking for a quick buck through their extortion scheme. Regardless, the Gitloker attacks demonstrate the potential for supply chain attacks via GitHub and “reinforces the fact that companies need to keep track of whose code they use and if the sources for the code have been compromised,” Gannon said.

Fernández’s post includes more evidence of other extortion scams tied to the Gitloker telegram, including one from April threatening to leak confidential information allegedly found in an organization’s GitHub repos if a $250,000 payment isn’t made, and another from early February demanding $1,000 within 24 hours to prevent the exposure of data from an unspecified compromised source.

Protecting your GitHub account from Gitloker and similar scams

GitHub has been aware of the Gitloker phishing and extortion campaign since at least February, with a staff member saying under a Community discussion, “Our teams are currently working on addressing these unsolicited phishing notifications.”

In addition to recommending users take advantage of GitHub’s abuse reporting tools to inform them of spam messages, the staff member advised users not to click links from or reply to the suspicious messages, to be wary of authorizing OAuth apps that can expose one’s GitHub data to a third party and to periodically review the authorized OAuth apps tied to one’s account. Users should revoke access to any unused or suspicious OAuth apps.

The staff member also noted that GitHub does not recruit talent through any form of public notification and that the phishing campaign is not the result of any compromise of GitHub itself.

A GitHub spokesperson also told SC Media that users should review their active GitHub sessions and personal access tokens, change their GitHub password and reset their two-factor recovery codes if they believe their account may have been compromised.

“GitHub investigates all reports of abusive or suspicious activity across our platform and takes action when content or activity violates our Acceptable Use Policies,” the GitHub spokesperson stated in an email.

GitHub did not address questions about whether any changes have been made to its notification system in response to the campaign and how prevalent the campaign was across the site as of June.

Jason Kent, hacker in residence at Cequence Security, offered more advice for GitHub users in an email to SC Media.

“Make sure you know the application you are hooking into your repo is legit. How do you know that? Assume all contact is phishing and verify the source. Also, before you do any of this, ask on GitHubs forums if this OAUTH service is legitimate and has been used successfully,” Kent said. “Have a backup strategy that doesn’t include GitHub. Be able to recover if the entire service goes down and you will be ready in the event someone deletes your repo.”