
Digital safety starts here for both commercial and personal use.

Defend Your Business Against the Latest WNY Cyber Threats. We offer safe, secure and affordable solutions for your business and personal networks and devices.



WNYCyber is there to help you choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

GitHub Phishing Campaign Wipes Repos, Extorts Victims

Summary:
CronUp security researcher German Fernandez has shed light on a phishing and extortion campaign targeting GitHub users. The campaign, which has been ongoing for several months, takes advantage of GitHub's notification system and a malicious OAuth app to gain access to victims' repositories and hold their contents for ransom. According to Fernandez, the actors mention GitHub usernames in comments, which triggers an email notification to the account owner. The comments are written to look like a message from GitHub staff, offering the targeted user a job or alerting them to a supposed security breach. Embedded in the comments is a link to websites closely resembling GitHub domains (e.g. githubcareers[.]online and githubtalentcommunity[.]online). If the link is clicked, the user is prompted to grant an external app access to, and control over, their account and repositories via OAuth. In this case, the actors have been observed using that access to wipe the contents of the user's repositories and replace them with a README file directing the victim to contact a user called "gitloker" on Telegram to recover their data.

Security Officer Comments:
Compromised accounts are then used to post further comments, which in turn trigger more notification emails to new victims. Because these notifications are sent from a legitimate GitHub address, notifications@github[.]com, users are more likely to fall for the lure.

Based on the attacks observed so far, extortion is the main objective of these campaigns: repository contents are wiped entirely and a ransom note is left behind for negotiation. However, the same tactic of compromising GitHub user accounts could be leveraged in supply chain attacks, where actors use their access to upload malicious code into repositories and infect end users with malware.

Suggested Corrections:
GitHub users should be cautious of email notifications coming from notifications@github[.]com and avoid clicking on links in suspicious messages. Furthermore, it’s advised to periodically review OAuth applications linked to GitHub accounts and revoke access to any that are unused or appear suspicious. In the event of a compromise, users should change their access tokens and password, and reset their two-factor authentication recovery codes.
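The lure in this campaign relies on a notification that genuinely comes from GitHub while its embedded link does not. As an added example (not from the article or from CronUp), the following Python snippet classifies links found in a mention comment or notification email: real github.com links, the real GitHub OAuth consent page (which still deserves a look at which app is asking), lookalike hosts such as githubcareers[.]online, and other external sites. The trusted-suffix list and the sample comment are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: links in a legitimate GitHub notification land on
# github.com (or a subdomain) or on githubusercontent.com, GitHub's content host.
TRUSTED_SUFFIXES = ("github.com", "githubusercontent.com")

# Matches http(s) URLs, including the hxxp / [.] defanging used in advisories.
URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s<>\"')]+")


def refang(value: str) -> str:
    """Undo advisory-style defanging so the URL parses normally."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it does not parse as one."""
    parsed = urlparse(refang(url.strip()))
    return (parsed.hostname or "").lower().rstrip(".")


def is_trusted_github_host(host: str) -> bool:
    # Suffix match on a dot boundary: 'github.com.evil.example' must NOT pass.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def classify_link(url: str) -> str:
    """Return 'github', 'github-oauth-consent', 'lookalike', 'external' or 'invalid'."""
    host = host_of(url)
    if not host:
        return "invalid"
    if is_trusted_github_host(host):
        # A consent page on the real github.com is how an external OAuth app
        # gets repository access, so it is flagged separately for review.
        if urlparse(refang(url)).path.startswith("/login/oauth/authorize"):
            return "github-oauth-consent"
        return "github"
    if "github" in host:
        # Brand word present but not a GitHub-owned domain: the campaign's pattern.
        return "lookalike"
    return "external"


def audit_comment(text: str) -> list[tuple[str, str]]:
    """Extract every link in a comment body and classify it."""
    return [(url, classify_link(url)) for url in URL_RE.findall(text)]


# Constructed sample comment modelled on the campaign's lure (not a real one).
SAMPLE_COMMENT = (
    "@victim Hello from the GitHub Talent Community, apply here: "
    "https://githubtalentcommunity[.]online/apply , more at https://github.com/about"
)
```

Running `audit_comment(SAMPLE_COMMENT)` tags the first link as a lookalike and the second as a genuine github.com link.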

Link(s):
https://www.scmagazine.com/news/github-phishing-campaign-wipes-repos-extorts-victims