A new phishing attack wherein the cybercriminals are trying to impersonate CircleCI is targeting GitHub accounts. The attack is a phishing email where they try to "impersonate the continuous integration and delivery platform."
Cybercriminals are Impersonating CircleCI with Fake User Terms and Privacy Policy Changes
According to the story by Tech Radar, a phishing email is being sent to GitHub users giving them a warning that the user terms and privacy policy of CircleCI have changed. The email then prompts users to sign into their GitHub account in order for the new terms to be accepted.
Like a lot of other phishing attacks, the email then provides users with a link in order for the changes to be accepted. If victims click this link, they will then have their GitHub account credentials including their 2FA authentication codes stolen.
GitHub Itself has Not been Affected but Warns Users of the Attack
Bleeping Computer notes that users that use hardware security are not vulnerable to the attack since hackers will not be able to bypass their security measures. Those without, however, should avoid clicking unknown links at all costs.
GitHub warned its users that although GitHub itself has not become a victim of the attack, the campaign has already been successful in targeting a number of different victim organizations. CircleCI has also released an official notice trying to warn its users regarding the phishing attack.
Users are Urged to Change Their GitHub and CircleCI Credentials Should They have Accidentally Clicked the Link
The notice aims to raise awareness of the malicious campaign as it tries to explain that there would be no instances where they would ask users to enter their credentials in order for the terms of service to be viewed.
CircleCI's notice notes that any email that comes from the company should link directly to the circleci.com domain or any of its sub-domains. Users were also told that if they accidentally clicked the email, they should change their GitHub and CircleCI credentials immediately.
What Cybercriminals Would Do Once They Obtain Access from Victims
Users were also urged to audit their systems in order to check for any particular unauthorized activity. The article by Bleeping Computer notes that once valid account credentials are obtained, cybercriminals try to create personal access tokens (PATs) and authorize OAuth apps.
In some instances, cybercriminals try to add SSH keys to the account to continue even after a reset to the user's password has been done. GitHub has also reported that they were able to see content exfiltration coming from certain private repositories "almost immediately after compromise."
Read Also: Optus Cyberattack: 9.8 Milion Customers Hit by Largest Data Breach in Australia
GitHub has Taken Action and Suspended Accounts with Traces of Fraud
It was noted that hackers will be able to create new user accounts should the compromised account have permission from organization management. Cybercriminals will then be able to add the new accounts to the organization in order to maintain persistence.
GitHub has already suspended certain accounts where particular traces of fraud were spotted.
Related Article: FBI Investigates Hackers of GTA 6 and Uber, Teen Gang Leader Suspected
This article is owned by Tech Times
Written by Urian B.
