Hackers Using Fake CircleCI Notifications to Hack GitHub Accounts
GitHub has put out an advisory detailing what may be an ongoing phishing campaign targeting its users to steal credentials and two-factor authentication codes by impersonating the CircleCI DevOps platform.
The fraudulent messages claim to notify users that their CircleCI sessions have expired and that they should log in using GitHub credentials by clicking on a link.
Regardless of the lure, doing so redirects the target to a lookalike GitHub login page designed to steal the entered credentials and Time-based One-Time Password (TOTP) codes and exfiltrate them to the attacker in real time, effectively allowing a 2FA bypass.
The attacker has also been spotted downloading private repository contents, and even creating and adding new GitHub accounts to an organization should the compromised account have organization management permissions.
GitHub said it has taken steps to reset passwords and remove maliciously-added credentials for impacted users, alongside notifying those affected and suspending the actor-controlled accounts.
The latest phishing attack comes a little over five months after GitHub suffered a highly targeted campaign that resulted in the abuse of third-party OAuth user tokens maintained by Heroku and Travis CI to download private repositories.
News URL
https://thehackernews.com/2022/09/hackers-using-fake-circleci.html