Sawfish phishing campaign targets GitHub users

Over the last week, GitHub has received reports related to a phishing campaign targeting our customers. We’re publishing this blog to increase awareness of this ongoing threat.

Background

The phishing message claims that a repository or setting in a GitHub user’s account has changed or that unauthorized activity has been detected. The message goes on to invite users to click on a malicious link to review the change. Specific details may vary since there are many different lure messages in use. Here’s a typical example:

Clicking the link takes the user to a phishing site mimicking the GitHub login page, which steals any credentials entered. For users with TOTP-based two-factor authentication enabled, the site also relays any TOTP codes to the attacker and GitHub in real-time, allowing the attacker to break into accounts protected by TOTP-based two-factor authentication. Accounts protected by hardware security keys are not vulnerable to this attack.

The attacker uses the following tactics, but not all tactics are used in every case:

The phishing email is sourced from legitimate domains, using compromised email servers or stolen API credentials for legitimate bulk email providers.
Targeting of currently-active GitHub users across many companies in the tech sector and in multiple countries via email addresses used for public commits.
Use of URL-shortening services to conceal the true destination of the malicious link. Sometimes the attacker chains multiple URL-shortening services for further obfuscation.
Use of PHP-based redirectors on compromised websites to redirect the victim from a less suspicious-looking URL to another malicious one.
If the attacker successfully steals GitHub user account credentials, they may quickly create GitHub personal access tokens or authorize OAuth applications on the account in order to preserve access in the event that the user changes their password.
In many cases, the attacker immediately downloads private repository contents accessible to the compromised user, including those owned by organization accounts and other collaborators.

What GitHub is doing

GitHub Security is monitoring for new phishing sites while filing abuse reports and takedown requests. We’re committed to enabling users and organizations to better secure their accounts and data, and provide assistance securing accounts and investigating activity associated with compromised accounts.

GitHub is working tirelessly to make existing security features more accessible, as well as adding new features designed to make user accounts significantly harder to compromise.

How to protect yourself

If you believe you may have entered credentials on a phishing site:

Reset your password immediately.
Reset your two-factor recovery codes immediately.
Review your personal access tokens.
Take additional steps to review and secure your account.

In order to prevent phishing attacks (which collect two-factor codes) from succeeding, consider using hardware security keys or WebAuthn two-factor authentication. Also consider using a browser-integrated password manager. Many commercial and open-source options exist including browser-based password management native to popular web browsers. These provide a degree of phishing protection by autofilling or otherwise recognizing only a legitimate domain for which you have previously saved a password. If your password manager doesn’t recognize the website you’re visiting, it might be a phishing site.

To verify that you’re not entering credentials in a phishing site, confirm that the URL in the address bar is https://github.com/login and that the site’s TLS certificate is issued to GitHub, Inc.

If you’ve received phishing emails related to this phishing campaign, please contact GitHub Support with details about the sender email address and URL of the malicious site to help us respond to this issue.

Known phishing domains

Currently, we’ve observed the following phishing domains used by the attacker. Most of these are already offline, but the attacker frequently creates new domains and will likely continue to do so:

aws-update[.]net
corp-github[.]com
ensure-https[.]com
git-hub[.]co
git-secure-service[.]in
githb[.]co
glt-app[.]net
glt-hub[.]com
glthub[.]co
glthub[.]info
glthub[.]net
glthubb[.]info
glthube[.]app
glthubs[.]com
glthubs[.]info
glthubs[.]net
glthubse[.]info
slack-app[.]net
ssl-connection[.]net
sso-github[.]com
sts-github[.]com
tsl-github[.]com
data-github[.]com
gilthub[.]com
gïthub[.]com
githube[.]app
githubs[.]info
gltgub[.]net
glthhubs[.]net
gthub[.]co
xn--gthub-cta[.]com

Tags:

features

More on features

Responsible AI pair programming with GitHub Copilot

GitHub Copilot boosts developer productivity, but using it responsibly still requires good developer and DevSecOps practices.

Colin Dembovsky

Unboxing fork improvements

We’re always trying to improve the GitHub developer experience in meaningful ways, and we love learning from our customers. In the last several months we released several new fork capabilities, and we’re publishing revised fork documentation that gives more details with clearer explanations to make fork concepts easier to understand.

Jamie Strusz

Math support in Markdown

Mathematical expressions are key to information sharing amongst engineers, scientists, data scientists, and mathematicians. Today we are pleased to announce that math expressions can be rendered in Markdown on GitHub using $$ as a delimiter for code blocks with math content or the $ delimiter for inline math expressions.

Martin Woodward & Tali Herzka

Sawfish phishing campaign targets GitHub users