GitHub accounts are stolen by fake CircleCI accounts

Cybercriminals are posing as CircleCI to try to steal GitHub accounts, the two companies confirmed.

According to the two companies, the criminals are currently distributing a phishing email, in which they impersonate the continuous integration and delivery platform, CircleCI.

The email is sent to GitHub users notifying them that CircleCI's Terms of Service and Privacy Policy have changed and that they must sign in to their GitHub accounts to accept the new terms.

GitHub Disclaimer

As expected, the email ends with a link that recipients can click to "accept" the changes. Those who do risk having their GitHub account credentials stolen along with their two-factor authentication (2FA) codes, because the phishing page sits behind a reverse proxy that relays both to the attackers. According to BleepingComputer, users who sign in with hardware security keys are not vulnerable.

“While GitHub itself was not affected, the campaign did impact many victim organizations,” GitHub said in its disclaimer.

Multiple attack areas

CircleCI also posted an announcement on its forums, warning users about the ongoing attack and reiterating that the company will never ask users to enter their credentials to view ToS changes.

"All emails from CircleCI should only include links to circleci.com or its subdomains," the company emphasized.

So far, several domains have been confirmed to distribute the phishing email.

Attackers look for GitHub developer accounts, and if they manage to gain access to one, the next thing they do is create Personal Access Tokens (PATs), authorize OAuth apps, and even add SSH keys to the account, to ensure they retain access even after the owner changes their password.

After that, GitHub added, they will pull data from private repositories. Since then, the company has blocked several accounts, which have been confirmed to be compromised. All potentially affected users have had their account passwords reset.
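As an added defender-side example that is not part of this article or of GitHub's own tooling, the following Python script scans a constructed security-log export for the persistence pattern described above (an SSH key, a PAT and an OAuth app authorization created shortly after a login). The action names and the log format are assumptions modelled on GitHub's user security log and must be checked against the current documentation before use on real exports.

```python
import json
from datetime import datetime, timedelta

# Assumed action names; verify against GitHub's security-log documentation.
PERSISTENCE_ACTIONS = {
    "public_key.create": "new SSH key",
    "personal_access_token.create": "new personal access token",
    "oauth_authorization.create": "new OAuth app authorization",
}

# Constructed sample entries in a JSON-lines shape (not a real export).
SAMPLE_LOG = """\
{"action":"user.login","actor":"dev1","created_at":"2022-09-16T10:02:11Z","actor_ip":"198.51.100.7"}
{"action":"public_key.create","actor":"dev1","created_at":"2022-09-16T10:05:40Z","actor_ip":"198.51.100.7"}
{"action":"personal_access_token.create","actor":"dev1","created_at":"2022-09-16T10:06:02Z","actor_ip":"198.51.100.7"}
{"action":"oauth_authorization.create","actor":"dev1","created_at":"2022-09-16T10:07:30Z","actor_ip":"198.51.100.7"}
{"action":"user.login","actor":"dev2","created_at":"2022-09-16T11:00:00Z","actor_ip":"203.0.113.5"}
{"action":"repo.push","actor":"dev2","created_at":"2022-09-16T13:30:00Z","actor_ip":"203.0.113.5"}
"""


def parse_log(text):
    """Parse JSON-lines entries and sort them by timestamp."""
    entries = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in entries:
        e["ts"] = datetime.strptime(e["created_at"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(entries, key=lambda e: e["ts"])


def find_persistence_bursts(entries, window=timedelta(minutes=30), min_actions=2):
    """Return {actor: [artifact descriptions]} for actors who created at least
    min_actions persistence artifacts within `window` after one of their logins.
    A burst of PAT + OAuth + SSH key creation right after a login is the
    post-phishing pattern GitHub described, and is worth a manual review."""
    findings = {}
    for login in (e for e in entries if e["action"] == "user.login"):
        actor, deadline = login["actor"], login["ts"] + window
        hits = {PERSISTENCE_ACTIONS[e["action"]] for e in entries
                if e["actor"] == actor and e["action"] in PERSISTENCE_ACTIONS
                and login["ts"] <= e["ts"] <= deadline}
        if len(hits) >= min_actions:
            findings[actor] = sorted(hits | set(findings.get(actor, [])))
    return findings


if __name__ == "__main__":
    for actor, hits in find_persistence_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"{actor}: {', '.join(hits)} created shortly after login")
```

A hit is a lead for review, not proof of compromise: a developer setting up a new machine produces the same sequence, so correlate with the login IP and the user's own confirmation before revoking anything.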

Via: BleepingComputer