GitHub users being hit with credential stealing phishing messages | SC Media

GitHub users are being targeted by a Sawfish phishing campaign designed to steal their GitHub login credentials and time-based one-time password (TOTP) codes.


The attack, referred to as Sawfish by GitHub SIRT, comes through a GitHub message that claims the target’s account has experienced unauthorized activity of some type, GitHub SIRT wrote in a blog. The message includes a handy link where the recipient can supposedly view the alterations and rectify the situation.


The link, in fact, redirects to a phishing website that mimics the GitHub login page, where the victim’s credentials are harvested. For those using TOTP two-factor authentication, the malicious site takes the codes and sends them to the attacker in real time, allowing the GitHub account to be accessed instantly.


In some cases, this access is used to grab and download repository contents, GitHub SIRT said.


Accounts protected by hardware security keys are not vulnerable to this attack.
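
The Python sketch below is an added example, not code from GitHub SIRT or SC Media. It shows why a TOTP code entered on a look-alike page still verifies at the real site, while a security-key assertion made on that page does not. It is a simplified model: an HMAC stands in for the key's public-key signature, and the secret, device key, challenge and look-alike origin are constructed values.

```python
import hashlib, hmac, json, struct

REAL_ORIGIN = "https://github.com"
FAKE_ORIGIN = "https://login.example.test"  # constructed look-alike origin

def totp(secret: bytes, now: float, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a function of the secret and the clock only."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, code: str, now: float) -> bool:
    # Nothing in the code says which site the user typed it into.
    return hmac.compare_digest(totp(secret, now), code)

def key_assertion(device_key: bytes, challenge: str, page_origin: str) -> dict:
    """The browser fills in the origin it is actually on; the key signs it."""
    client_data = json.dumps({"challenge": challenge, "origin": page_origin})
    sig = hmac.new(device_key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def server_accepts_assertion(device_key: bytes, challenge: str, a: dict) -> bool:
    want = hmac.new(device_key, a["client_data"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, a["sig"]):
        return False  # client data was altered after signing
    data = json.loads(a["client_data"])
    return data["challenge"] == challenge and data["origin"] == REAL_ORIGIN

def demo(now: float = 60.0):
    # All values here are constructed for the example.
    secret, device_key, challenge = b"12345678901234567890", b"constructed-key", "c0ffee"
    code = totp(secret, now)                              # typed into the look-alike page
    totp_ok = server_accepts_totp(secret, code, now + 5)  # submitted seconds later
    fake = key_assertion(device_key, challenge, FAKE_ORIGIN)
    real = key_assertion(device_key, challenge, REAL_ORIGIN)
    return (totp_ok,
            server_accepts_assertion(device_key, challenge, fake),
            server_accepts_assertion(device_key, challenge, real))

if __name__ == "__main__":
    # (TOTP from look-alike page, key assertion from look-alike page, genuine assertion)
    print(demo())
```

Real WebAuthn additionally scopes each credential to the relying party's domain, so the key would not even offer the GitHub credential on the look-alike origin.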


GitHub SIRT listed six TTPs being used by the threat actors behind the campaign.


The phishing email is sourced from legitimate domains, using compromised email serv ..