Go to listing page

Attackers abuse Github service to host phishing websites

Attackers abuse Github service to host phishing websites
  • Researchers from Proofpoint observed that repositories in Github service have been abused by attackers to carry out a phishing campaign.
  • This phishing email campaign redirects recipients to a landing page hosted on Github service and opens a login form that harvests login credentials of victims.

What is the issue - Researchers observed that attackers have been abusing free code repositories in the Github service to host a variety of phishing websites on github.io domains.

Why it matters - These repositories in Github service have been abused by attackers to carry out a wide variety of malicious activities including phishing campaign.

The big picture

Researchers from Proofpoint observed that repositories in Github service have been abused by attackers to carry out a phishing campaign. While some attackers use the github.io domains as a traffic redirector.

  • This phishing email campaign redirects recipients to a landing page hosted on Github service.
  • The phishing landing page opens a login form that harvests login credentials of victims.
  • The collected credentials and sensitive information are then sent to other compromised servers controlled by the attackers behind the phishing campaign.

Researchers noted that the phishing kits do not use typical hosted PHP methods because the github.io platform does not provide PHP back-end services.

“In contrast to private paid accounts, due to the nature of public GitHub accounts, we were able to observe when actors made changes to their hosted web pages. This visibility may help give insight to the nature of edits performed on phishing kits that were not written from scratch. As most kits are not written from scratch and are instead simply modified by different actors to suit their individual purposes, this level of visibility may be useful for defenders tracking actor behavior and attribution,” researchers wrote in a blog.

Cyware Publisher

Publisher

Cyware