GitHub users are being targeted by a Sawfish phishing campaign designed to steal their GitHub login credentials and time-based one-time password (TOTP) codes.
The attack, which GitHub SIRT calls Sawfish, begins with a message that claims the target's GitHub account has experienced unauthorized activity of some kind, GitHub SIRT wrote in a blog post. The message includes a convenient link, supposedly to review the changes and rectify the situation.
The link in fact redirects to a phishing website that mimics the GitHub login page, where the victim's credentials are harvested. For users with TOTP two-factor authentication, the malicious site captures the codes and relays them to the attacker in real time, allowing the GitHub account to be accessed immediately.
In some cases this access is used to download repository contents, GitHub SIRT said.
Accounts protected by hardware security keys are not vulnerable to this attack.
GitHub SIRT listed six TTPs being used by the threat actors behind the campaign.
- The phishing email is sourced from legitimate domains, using compromised email servers or stolen API credentials for legitimate bulk email providers.
- Targets currently-active GitHub users across many companies in the tech sector and in multiple countries via email addresses used for public commits.
- Use of URL-shortening services to conceal the true destination of the malicious link.
- Use of PHP-based redirectors on compromised websites to redirect the victim from a less suspicious-looking URL to another malicious one.
- If the attacker successfully steals GitHub user account credentials, they may quickly create GitHub personal access tokens or authorize OAuth applications on the account in order to preserve access in the event that the user changes their password.
- In many cases, the attacker immediately downloads private repository contents accessible to the compromised user, including those owned by organization accounts and other collaborators.
GitHub administrators are actively searching for the phishing sites used in the campaign and filing takedown requests when they are found. They also recommend switching from TOTP two-factor authentication to a hardware security key or WebAuthn-based two-factor authentication.
Additionally, any user who believes they have clicked on a fraudulent message should immediately reset their login credentials.
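Why the real-time relay described above defeats TOTP but not a hardware key or WebAuthn comes down to origin binding, which the following added example illustrates (it is not code from the original article or from GitHub). It assumes constructed secrets, a constructed challenge, and an HMAC standing in for the authenticator's private-key signature; the rest follows RFC 6238 for TOTP and the WebAuthn clientData/rpIdHash layout.

```python
import hashlib
import hmac
import json
import struct

# Constructed secrets for the demonstration only; HMAC stands in for the authenticator's signing key.
TOTP_SEED = b"constructed-totp-seed-0123456789"
AUTHENTICATOR_KEY = b"constructed-authenticator-private-key"

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def site_accepts_totp(code: str, unix_time: int) -> bool:
    """The real site can only compare digits; nothing in a TOTP code says which page it was typed into."""
    return hmac.compare_digest(code, totp(TOTP_SEED, unix_time))

def authenticator_assert(origin: str, challenge: str, rp_id: str = "github.com") -> dict:
    """Simplified WebAuthn assertion: the browser records the page origin in clientDataJSON and the
    authenticator signs rpIdHash || SHA-256(clientDataJSON), so the origin is covered by the signature."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    to_sign = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data.encode()).digest()
    return {"clientData": client_data,
            "signature": hmac.new(AUTHENTICATOR_KEY, to_sign, hashlib.sha256).hexdigest()}

def site_accepts_webauthn(assertion: dict, challenge: str,
                          expected_origin: str = "https://github.com", rp_id: str = "github.com") -> bool:
    """Relying-party checks: origin and challenge inside clientData must be ours, then the signature must verify."""
    data = json.loads(assertion["clientData"])
    if data.get("origin") != expected_origin or data.get("challenge") != challenge:
        return False  # produced on another site (a relay) or for another login attempt
    to_sign = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(assertion["clientData"].encode()).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, to_sign, hashlib.sha256).hexdigest()
    return hmac.compare_digest(assertion["signature"], expected)

def relay_outcomes(phishing_origin: str = "https://github-login.example", now: int = 1700000000) -> tuple:
    """Returns (TOTP relay succeeds, WebAuthn relay succeeds) for a proxy sitting between victim and site."""
    # TOTP: the victim types the current code into the phishing page; the attacker forwards it unchanged.
    totp_relayed = site_accepts_totp(totp(TOTP_SEED, now), now)
    # WebAuthn: the attacker forwards the real challenge, but the victim's browser stamps the phishing
    # origin into clientData and the signature covers it, so the real site rejects the assertion.
    challenge = "constructed-challenge-abc123"
    webauthn_relayed = site_accepts_webauthn(authenticator_assert(phishing_origin, challenge), challenge)
    return totp_relayed, webauthn_relayed
```

In practice the browser refuses to use the github.com RP ID on a lookalike origin before any assertion is even produced; the server-side origin check shown here is the second line of defence.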