Cybercriminals are posing as CircleCI in an attempt to steal GitHub accounts, both companies have confirmed.
According to the two companies, the criminals are currently distributing a phishing email in which they impersonate CircleCI, the continuous integration and delivery platform.
The email claims that CircleCI's terms of service have changed and, as expected, ends with a link that recipients can click to “accept” the changes. Those who do so risk having their GitHub credentials stolen, along with their two-factor authentication (2FA) codes: the link leads to a reverse proxy that sits between the victim and the real GitHub login page and relays the password and the one-time code to GitHub in real time. According to BleepingComputer, users who protect their accounts with hardware security keys are not vulnerable, because a FIDO/WebAuthn key signs a challenge bound to the origin of the page it is used on, so an assertion obtained on the phishing domain is rejected by github.com.
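To make that distinction concrete, the following added Python example (written for this page, not code from GitHub, CircleCI or BleepingComputer) runs the reverse-proxy flow twice: once against a TOTP code, which relays cleanly because the code carries no information about where it was typed, and once against a WebAuthn hardware key, which fails the relying party's origin check even if the proxy rewrites the origin field. The phishing domain, secrets and challenge are constructed, and an HMAC stands in for the key's ECDSA signature so the example needs only the standard library.

```python
import hashlib
import hmac
import json
import struct

# The origin and relying-party ID the real site expects (github.com is the
# target named in the article; everything else in this simulation is constructed).
REAL_ORIGIN = "https://github.com"
REAL_RP_ID = "github.com"


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP on top of RFC 4226 HOTP (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def site_accepts_totp(secret: bytes, submitted: str, now: int) -> bool:
    """Server-side check, tolerating one 30-second step of clock skew either way."""
    return any(hmac.compare_digest(totp(secret, now + d), submitted) for d in (-30, 0, 30))


def authenticator_sign(cred_key: bytes, rp_id: str, challenge: str, origin: str) -> dict:
    """Simplified WebAuthn assertion: the browser writes the page's *actual* origin
    into clientDataJSON and hashes rp_id into authenticatorData; the credential
    then signs authenticatorData || SHA-256(clientDataJSON). HMAC stands in for
    the ECDSA signature of a real authenticator."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (0).to_bytes(4, "big")
    signature = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def site_verifies_assertion(cred_key: bytes, challenge: str, assertion: dict) -> bool:
    """Relying-party checks from the WebAuthn spec: challenge, origin, rpIdHash, signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:  # origin binding: this is what defeats the proxy
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def simulate_aitm(phishing_origin: str = "https://circleci-tos-update.example", now: int = 1_663_286_400) -> dict:
    """Run the phishing flow once with a TOTP code and once with a WebAuthn key."""
    totp_secret = b"victim-totp-seed"    # constructed
    cred_key = b"victim-credential-key"  # constructed

    # TOTP: the victim types the code into the phishing page; the proxy forwards
    # it to the real site a few seconds later, still inside the same 30 s window.
    code = totp(totp_secret, now)
    totp_relayed = site_accepts_totp(totp_secret, code, now + 5)

    # WebAuthn: the proxy forwards the real site's challenge, but the victim's
    # browser scopes the ceremony to the page it is actually on (the phishing origin).
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed
    rp_id = phishing_origin.split("//", 1)[1]
    assertion = authenticator_sign(cred_key, rp_id, challenge, phishing_origin)
    webauthn_relayed = site_verifies_assertion(cred_key, challenge, assertion)

    # The proxy rewrites origin and rpIdHash to look legitimate, but both are
    # covered by the signature, so the real site still rejects the assertion.
    tampered = dict(assertion)
    tampered["clientDataJSON"] = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": REAL_ORIGIN}, sort_keys=True
    ).encode()
    tampered["authenticatorData"] = hashlib.sha256(REAL_RP_ID.encode()).digest() + assertion["authenticatorData"][32:]
    webauthn_tampered = site_verifies_assertion(cred_key, challenge, tampered)

    return {
        "totp_relayed": totp_relayed,
        "webauthn_relayed": webauthn_relayed,
        "webauthn_tampered": webauthn_tampered,
    }


if __name__ == "__main__":
    print(simulate_aitm())
```

In a real deployment the browser goes one step further than this model and refuses to run the ceremony at all when the requested rpId is not a registrable suffix of the current origin, so the proxy never receives an assertion to relay in the first place. SMS and push-based 2FA behave like TOTP here: the factor is valid wherever it is entered.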
“While GitHub itself was not affected, many victim organizations have been impacted by the campaign,” GitHub said in its warning.
Multiple attack domains
CircleCI also posted an announcement on its forums, warning users about the ongoing attack and reiterating that the company will never ask users to enter any credentials to view ToS changes.
“Any email from CircleCI should only include links to circleci.com or its subdomains,” the company emphasized.
So far, several domains have been confirmed to distribute the phishing email:
The attackers go after GitHub developer accounts. If they manage to get into one, the next thing they do is create personal access tokens (PATs), authorize OAuth apps and add SSH keys to the account, so that they retain access even after the owner changes the account password. A password reset alone therefore does not evict them: each of those credentials is independent of the password and has to be revoked separately.
After that, GitHub added, they pull data from private repositories. GitHub has since blocked several accounts that were confirmed to be compromised, and all potentially affected users have had their account passwords reset.
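The persistence mechanisms described above leave traces in the account's security log, and a compromised account is only clean once every one of them has been found and revoked. The following added Python example (written for this page, not a GitHub or CircleCI tool) triages a constructed log: it finds the first login from an IP address outside the owner's known set and lists every PAT, OAuth app authorization and SSH key created in the following 24 hours as items to revoke. The JSON field layout and the action names `user.login`, `oauth_access.create`, `oauth_authorization.create` and `public_key.create` are assumptions modelled on GitHub's `<category>.<verb>` naming and should be checked against GitHub's audit-log documentation before use.

```python
import json
from datetime import datetime, timedelta

# Action names are assumptions modelled on GitHub's "<category>.<verb>" audit-log
# naming; confirm them against GitHub's documentation before relying on them.
PERSISTENCE_ACTIONS = {
    "oauth_access.create": "personal access token",
    "oauth_authorization.create": "OAuth app authorization",
    "public_key.create": "SSH key",
}
# Per-action detail field, used to tell the owner exactly what to revoke.
DETAIL_FIELDS = ("token_scopes", "oauth_application", "fingerprint")

# Constructed sample log (not real GitHub output). 203.0.113.7 is the owner's
# usual address; 198.51.100.23 is the attacker logging in through the proxy.
SAMPLE_LOG = """
{"action":"user.login","actor":"dev-alice","@timestamp":"2022-09-16T08:02:11Z","actor_ip":"203.0.113.7"}
{"action":"public_key.create","actor":"dev-alice","@timestamp":"2022-09-10T09:00:00Z","actor_ip":"203.0.113.7","fingerprint":"SHA256:laptop-key-constructed"}
{"action":"user.login","actor":"dev-alice","@timestamp":"2022-09-16T13:40:02Z","actor_ip":"198.51.100.23"}
{"action":"oauth_access.create","actor":"dev-alice","@timestamp":"2022-09-16T13:41:30Z","actor_ip":"198.51.100.23","token_scopes":"repo,admin:org"}
{"action":"oauth_authorization.create","actor":"dev-alice","@timestamp":"2022-09-16T13:43:05Z","actor_ip":"198.51.100.23","oauth_application":"ci-helper"}
{"action":"public_key.create","actor":"dev-alice","@timestamp":"2022-09-16T13:45:51Z","actor_ip":"198.51.100.23","fingerprint":"SHA256:attacker-key-constructed"}
"""


def parse_log(text: str) -> list:
    """Parse newline-delimited JSON events and return them sorted by time."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def triage(log_text: str, known_ips: set, window_hours: int = 24):
    """Return the first login from an unknown IP and the persistence artefacts
    created in the window after it, or None if every login came from a known IP."""
    events = parse_log(log_text)
    first_bad = next(
        (e for e in events if e["action"] == "user.login" and e["actor_ip"] not in known_ips),
        None,
    )
    if first_bad is None:
        return None
    window_end = first_bad["ts"] + timedelta(hours=window_hours)
    revoke = []
    for e in events:
        if e["action"] in PERSISTENCE_ACTIONS and first_bad["ts"] <= e["ts"] <= window_end:
            detail = next((e[f] for f in DETAIL_FIELDS if f in e), "")
            revoke.append({
                "mechanism": PERSISTENCE_ACTIONS[e["action"]],
                "detail": detail,
                "at": e["@timestamp"],
                "ip": e["actor_ip"],
            })
    return {"login_ip": first_bad["actor_ip"], "login_at": first_bad["@timestamp"], "revoke": revoke}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, known_ips={"203.0.113.7"})
    if result is None:
        print("no login from an unknown IP")
    else:
        print(f"suspicious login from {result['login_ip']} at {result['login_at']}; revoke:")
        for item in result["revoke"]:
            print(f"  - {item['mechanism']}: {item['detail']} (created {item['at']} from {item['ip']})")
```

The SSH key added on 10 September is deliberately left out of the list: it predates the suspicious login and came from the owner's usual address. Flagged SSH fingerprints can be cross-checked against what the GitHub REST API returns for `GET /user/keys`, while PATs and authorized OAuth apps are reviewed and revoked from the account's developer and application settings; rotating the password, as GitHub did for affected users, does none of that on its own.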
Via: BleepingComputer