GitHub warns that a large-scale phishing campaign aimed at its users began on September 16: scammers send emails with fake notifications purporting to come from CircleCI, the continuous integration and delivery service.
Let me remind you that we also reported that GitHub will replace the term “master” with a more neutral one, and that GitHub developers are reviewing their exploit-posting policy after a scandal.
As you might guess, the attackers' goal is to steal GitHub credentials and two-factor authentication codes, which the phishing pages relay to the attackers through reverse proxies. Once credentials are obtained, the attackers have been observed creating personal access tokens (PATs), authorizing OAuth applications and, in some cases, adding SSH keys, so that they retain access to the account even after a password reset.
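Because a password reset does not revoke SSH keys, a defender wants to audit the key list after such an incident. The following is an added example (not code from the original article or from GitHub): it takes the JSON that GitHub's `GET /user/keys` REST endpoint returns, compares it against a known key inventory and a campaign-start cutoff, and prints an OpenSSH-style SHA256 fingerprint for each suspicious key. The sample keys, the inventory and the cutoff date are constructed placeholders.

```python
"""Audit GitHub SSH keys for persistence added during a suspected compromise.
Hypothetical helper; input is the JSON list returned by `GET /user/keys`."""
import base64
import hashlib
import json
from datetime import datetime

# Constructed sample in the shape of a `GET /user/keys` response (not real keys).
SAMPLE_KEYS_JSON = """[
  {"id": 101, "title": "laptop", "created_at": "2022-03-02T10:00:00Z",
   "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQ5mD5x3kxO3rqvC5fWZGh0ySVcX3pX4X1KzjUwA0Gv"},
  {"id": 202, "title": "backup", "created_at": "2022-09-17T03:14:00Z",
   "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0qvqZ6ZkNPJKLmnuTYmW2jQzB0h8H1r0yNrSjsy+9X"}
]"""
# Constructed inventory of key blobs the user actually provisioned.
KNOWN_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIHQ5mD5x3kxO3rqvC5fWZGh0ySVcX3pX4X1KzjUwA0Gv"}
# Assumed campaign-start cutoff (placeholder; the article only gives September 16).
CAMPAIGN_START = "2022-09-16T00:00:00Z"


def _parse_ts(ts: str) -> datetime:
    """Parse GitHub's ISO-8601 'Z' timestamps on any Python 3.7+."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def ssh_fingerprint(key_line: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the decoded key blob, base64 without padding."""
    blob = key_line.split()[1]
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_keys(keys_json: str, known_blobs: set, cutoff: str) -> list:
    """Return keys that were added after the cutoff or are absent from the inventory."""
    cutoff_dt = _parse_ts(cutoff)
    findings = []
    for key in json.loads(keys_json):
        reasons = []
        if _parse_ts(key["created_at"]) >= cutoff_dt:
            reasons.append("added after campaign start")
        if key["key"].split()[1] not in known_blobs:
            reasons.append("not in key inventory")
        if reasons:
            findings.append({"id": key["id"], "title": key["title"],
                             "fingerprint": ssh_fingerprint(key["key"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_keys(SAMPLE_KEYS_JSON, KNOWN_KEY_BLOBS, CAMPAIGN_START):
        print(finding)
```

Keys the audit flags should be removed and, as the article notes, the same review applies to PATs and authorized OAuth applications, which GitHub exposes in account settings rather than via this endpoint.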
The phishing domains used by the attackers mimic the real CircleCI domain (circleci.com). The following counterfeits have been confirmed so far:
GitHub reports that data from private repositories is exfiltrated almost immediately after an account is compromised, with the attackers using VPNs and proxies to make their activity harder to trace. If the compromised account has high privileges, the attackers create new user accounts in order to retain access to the target in the future.
GitHub has now suspended the accounts on which suspicious activity was identified. Affected users' passwords have been reset and they are being notified of the incident.