Hackers Use CircleCI Fake Notifications to Access GitHub Accounts


GitHub warns that a large-scale phishing campaign aimed at its users began on September 16: the attackers send emails with fake notifications purporting to come from CircleCI, a service used for continuous development and deployment.

As a reminder, we previously reported that GitHub will replace the term “master” with a more neutral one, and that GitHub developers are reviewing their exploit-posting policy following a scandal.

These fake messages inform recipients of changes to the privacy policy and terms of use, which ostensibly require them to sign in to their GitHub account and accept the changes.


As you might guess, the attackers’ goal is to steal GitHub credentials together with two-factor authentication codes, which the phishing site relays to the attackers through a reverse proxy. Once credentials are obtained, the attackers have been observed creating personal access tokens (PATs), authorizing OAuth applications, and sometimes adding SSH keys so that they retain access to the account even after a password reset.

“While GitHub itself was unaffected, many organizations were affected by this campaign,” GitHub said.

CircleCI representatives also warned users about the fake emails and tried to draw attention to this malicious campaign. CircleCI emphasizes that the service would never ask users to enter credentials to view changes to the privacy policy and terms of use.

“Any emails from CircleCI must only contain links to circleci.com or its subdomains,” the company says.

The phishing domains used by the attackers mimic the real CircleCI domain (circleci.com). The following counterfeits have been confirmed so far:

  1. circle-ci[.]com
  2. emails-circleci[.]com
  3. circle-cl[.]com
  4. email-circleci[.]com
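The check CircleCI describes (links must go to circleci.com or a subdomain) is easy to get wrong with a substring match. The script below, an added example that is not from the article, GitHub or CircleCI, matches on the parsed hostname instead, so the four lookalike domains above and common URL tricks are all rejected; the sample links are constructed for illustration.

```python
from urllib.parse import urlparse

# Per CircleCI's statement, genuine mail links only to circleci.com or its subdomains.
ALLOWED_ROOT = "circleci.com"


def is_legit_circleci_link(url: str) -> bool:
    """True only if the URL's host is circleci.com or a subdomain of it.

    Matching the parsed hostname (not a substring) rejects the article's lookalikes
    (circle-ci.com, circle-cl.com, emails-circleci.com, email-circleci.com) and
    tricks such as circleci.com.evil.example or https://circleci.com@evil.example.
    """
    try:
        parsed = urlparse(url.strip())
        host = parsed.hostname  # drops userinfo and port; may raise on bad IPv6
    except ValueError:
        return False
    if parsed.scheme not in ("http", "https") or not host:
        return False
    host = host.rstrip(".").lower()  # normalise trailing dot and case
    return host == ALLOWED_ROOT or host.endswith("." + ALLOWED_ROOT)


def triage_links(urls):
    """Split links extracted from an email into (allowed, suspicious) lists."""
    allowed, suspicious = [], []
    for u in urls:
        (allowed if is_legit_circleci_link(u) else suspicious).append(u)
    return allowed, suspicious


# Constructed sample input: links as they might be pulled out of a notification
# email. The defanged domains from the article are written out in plain form.
SAMPLE_LINKS = [
    "https://circleci.com/docs/",
    "https://app.circleci.com/pipelines/github/example/repo",
    "https://circle-ci.com/login",
    "https://emails-circleci.com/login",
    "https://circle-cl.com/login",
    "https://email-circleci.com/login",
    "https://circleci.com.evil.example/login",
    "https://circleci.com@evil.example/login",
    "ftp://circleci.com/",
]

if __name__ == "__main__":
    ok, bad = triage_links(SAMPLE_LINKS)
    print("allowed:", ok)
    print("suspicious:", bad)
```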

GitHub reports that content from private repositories is exfiltrated immediately after an account is compromised, with the attackers using VPNs and proxies to make the activity harder to trace. If the compromised account has high privileges, the hackers create new accounts in order to retain access to the target in the future.

It is reported that GitHub has now suspended the accounts on which suspicious activity was identified. Affected users’ passwords have been reset, and they should be notified of the incident.

By Vladimir Krasnogolovy
