Phishing on GitHub through job offers to… developers

Developers’ accounts are being hijacked using fake job offers sent from a legitimate GitHub address.

Hijacking GitHub accounts using phishing emails

We recently wrote about how attackers have learned to use legitimate social media infrastructure to deliver plausible-looking warnings about the blocking of business accounts, leading to password theft. It turns out that for several months now, a very similar method has been used to attack developer accounts on GitHub, which is a cause for concern for corporate information security teams (especially if developers have administrative access to corporate related repositories on GitHub). Let’s explore how this attack works.

GitHub account hijacking

Victims of this attack receive emails sent from a genuine GitHub email address. The emails claim that the GitHub team is looking for an experienced developer and offering attractive conditions — $180,000 per year plus a generous benefits package. If interested in the position, the recipient is invited to apply via a link.

Phishing email from GitHub with a job offer

The attack begins with an email: GitHub is supposedly seeking a developer for a $180,000 annual salary. Source

These emails do come from notifications@github.com, which really belongs to the service. However, an astute recipient might wonder why the HR team is using the notification address for job offers. They might also be puzzled that the email subject has nothing to do with the job offer, and instead ends with a list of several GitHub usernames.

However, the email’s authors send it out en masse, so they probably aren’t too worried about losing a few potential targets here. The attackers are satisfied with the small number of recipients who’ll be too distracted by the salary to notice the discrepancies.

Clicking the link in the email takes the recipient to a page that pretends to be the GitHub career site. Specifically, the addresses githubtalentcommunity[.]online and githubcareers[.]online have been used in this campaign — but these phishing sites are no longer available.

Phishing career site on GitHub

On the linked site, recipients are asked to authorize a malicious OAuth application. Source

On the site, developers interested in the position are asked to log in to their GitHub account and authorize a new OAuth application. This application requests numerous permissions — including access to private repositories, personal data, and discussions, as well as the ability to delete any repository managed by the targeted user.

Malicious OAuth application permission request

The OAuth application requests a number of dangerous permissions. Source

Besides job offers, another type of email has been observed, claiming that GitHub had been hacked and the GitHub security team requires the user’s authorization to eliminate the consequences of the hack.

Phishing email warning about a GitHub hack

Phishing email variant warning of a GitHub hack. Source

The next thing: repository wipe and ransom demand

If an inattentive developer grants the malicious OAuth application all the requested permissions, the attackers begin exploiting them. They empty all the victim’s repositories and then rename them — leaving behind only a single README.me file.

Hijacked repositories on GitHub

Hijacked and emptied repositories on GitHub with ransom notes left by the attackers. Source

The file contains a message stating that the data has been compromised, but that a backup has been made. To restore the data, the victim is instructed to contact a user named Gitloker on Telegram.

It appears that these emails are sent using the GitHub discussion system. That is, the attackers use already compromised accounts to create messages with the email text under various topics, tagging several users. As a result, all the tagged users receive emails from the notifications@github.com address. These messages are likely deleted immediately after sending.

How to protect against such attacks on GitHub accounts

Experienced users and developers often consider themselves to be immune to phishing attacks. However, as this story shows, they can also be caught off guard: the operators of this phishing campaign have already managed to compromise and wipe dozens of repositories.

To prevent your developers from falling victim to this attack, give them the following recommendations:

  • Always carefully check all details of an email and compare its subject, text, and sender address. Any discrepancies are almost certainly signs of a phishing attempt rather than accidental errors.
  • If you receive a similar email from GitHub, don’t click any links in it, and report the email to GitHub support.
  • Never authorize unknown OAuth applications — this story shows how serious the consequences can be.
  • Periodically review the list of authorized OAuth applications in your GitHub account, and remove any suspicious ones.

We recommend the following to companies:

  • Use a reliable security solution with phishing protection on all devices, which will warn of dangers and block malicious sites in time.
  • Conduct regular information security training for employees, including developers. Experience with IT systems doesn’t guarantee safety; the necessary skills must be developed specifically. For example, you can use our interactive educational platform, the Kaspersky Automated Security Awareness Platform.
Tips