GitHub users targeted by a phishing campaign known as Sawfish are being tricked into handing over their GitHub login credentials and time-based one-time password (TOTP) codes.

GitHub's Security Incident Response Team (SIRT) said in a blog post that the attack, which it calls Sawfish, begins with a message claiming that something in the target's GitHub account has changed. A handy link is included, supposedly so the target can review the alterations.

That link redirects the user to a phishing website that imitates the GitHub login page, where the target's credentials are captured. For users who have two-factor authentication enabled, the malicious site can also capture the authentication code and relay it to the attacker in real time, giving them immediate access to the GitHub account.

GitHub SIRT noted that, in some cases, this access is abused to download the contents of repositories.

The good news is that accounts protected by hardware security keys are not susceptible to this phishing attack.

For more clarity, GitHub has also listed six tactics, techniques and procedures (TTPs) used by the cybercriminals behind the campaign:

  • The phishing emails are sent from legitimate domains, either through compromised email servers or with stolen API credentials for legitimate bulk email providers.
  • The campaign targets active GitHub users at several companies in the tech sector and in multiple countries, using the email addresses attached to their public commits.
  • It uses shortened URLs to hide the true destination of the fraudulent link.
  • It also uses PHP-based redirectors on compromised websites so that the links appear less suspicious.
  • Once the threat actor obtains a GitHub user's credentials, they may immediately create GitHub personal access tokens or authorize OAuth applications to retain access even if the user later changes their credentials.
  • In most cases, the attacker immediately downloads the contents of private repositories accessible to the victim.
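The shortened URLs, PHP redirectors and lookalike hosts listed above are all things a mail-filtering or triage script can flag statically, before anyone clicks. The following is an added example, not code from GitHub or from the article, that runs a few such heuristics over a constructed HTML message body. The shortener list, the redirect parameter names, the `.test` hostnames and the message text are all constructed assumptions for illustration; a real deployment would feed it actual message bodies and maintain its own lists.

```python
"""Static triage of links in a GitHub-themed email (added example, constructed data)."""
import re
from urllib.parse import urlparse, parse_qs

# Constructed lookup of common URL-shortener hosts (assumption; extend for real use).
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd", "buff.ly"}
# Query parameters that PHP-style open redirectors commonly take (assumption).
REDIRECT_PARAMS = {"url", "redirect", "redir", "next", "goto", "dest", "return"}
LEGIT_HOSTS = {"github.com", "www.github.com"}

# Matches <a ... href="...">anchor text</a>; tolerant of newlines inside the anchor text.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_is_github(host: str) -> bool:
    return host in LEGIT_HOSTS or host.endswith(".github.com")


def classify_url(url: str) -> list:
    """Return the reasons (possibly none) a single URL looks like a credential-phishing lure."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in SHORTENER_HOSTS:
        reasons.append("shortened_url")
    # 'github' in the hostname but not GitHub's own domain: a lookalike login page.
    if "github" in host and not host_is_github(host):
        reasons.append("lookalike_host")
    # PHP script taking an absolute URL as a query parameter: an open redirector.
    if parsed.path.lower().endswith(".php"):
        for key, values in parse_qs(parsed.query).items():
            if key.lower() in REDIRECT_PARAMS:
                for target in values:
                    if target.lower().startswith(("http://", "https://")):
                        reasons.append("php_redirector_to:" + (urlparse(target).hostname or ""))
                        reasons.extend(classify_url(target))  # follow one hop statically
    return reasons


def triage_message(html: str) -> dict:
    """Map each suspicious href in an HTML body to its list of reasons."""
    findings = {}
    for href, text in ANCHOR_RE.findall(html):
        reasons = classify_url(href)
        href_host = (urlparse(href).hostname or "").lower()
        # Anchor text shows github.com but the link goes elsewhere.
        if re.search(r"github\.com", text, re.I) and not host_is_github(href_host):
            reasons.append("anchor_text_mismatch")
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample message body; the hosts use reserved .test names.
SAMPLE_BODY = """<p>We noticed activity on your account.
<a href="https://bit.ly/3xAmPLe">Review the changes</a> or visit
<a href="https://example-compromised.test/wp-content/go.php?url=https://github-login.example.test/session">https://github.com/settings/security</a>.
Regular link: <a href="https://github.com/settings/security">https://github.com/settings/security</a></p>"""

if __name__ == "__main__":
    for link, why in triage_message(SAMPLE_BODY).items():
        print(link, "->", ", ".join(why))
```

Running the block flags the shortener link, and flags the PHP redirector three times over (it is a redirector, its target is a lookalike host, and the visible anchor text claims to be github.com), while the genuine github.com link is left alone. In practice the genuine link is what legitimate notifications contain, so the interesting signal is the pairing of GitHub-looking anchor text with a non-GitHub destination.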

The company is actively searching for and taking action against such phishing sites. It also recommends that users switch from TOTP-based two-factor authentication to hardware security keys or WebAuthn two-factor authentication.
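The reason behind that recommendation is that a TOTP code is just six digits the victim types in, so a phishing page can forward it to the real site within its validity window, whereas a WebAuthn assertion is a signature over a challenge and the page origin the browser saw, which github.com will reject if the origin was the phishing site. The following added model, not GitHub's code or a real WebAuthn implementation, shows both behaviours side by side. The TOTP function is RFC 6238 (HMAC-SHA1) as authenticator apps implement it; the "authenticator" side is a deliberate simplification that uses an HMAC with a constructed key in place of the hardware key's asymmetric signature and checks only the origin field, so the names `authenticator_sign`, `github_verify_assertion`, the seed and the timestamp are all constructed assumptions.

```python
"""Relayed TOTP succeeds; an origin-bound assertion does not (added model, constructed keys)."""
import hashlib
import hmac
import json
import secrets
import struct


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1, the scheme behind authenticator-app 2FA."""
    counter = for_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


TOTP_SEED = b"constructed-shared-totp-seed"  # constructed; a real seed is random and secret
NOW = 1_700_000_000                           # fixed clock so the run is deterministic


def site_verify_totp(code: str, at: int = NOW) -> bool:
    """The real site only sees digits; it cannot tell who typed them or on which page."""
    return hmac.compare_digest(code, totp(TOTP_SEED, at))


def totp_relay_scenario() -> bool:
    """Victim reads the code from their app and types it into the fake page; the page forwards it."""
    victim_code = totp(TOTP_SEED, NOW)
    return site_verify_totp(victim_code)  # accepted: the attacker's session is now logged in


# Stand-in for the private key that never leaves a hardware security key (constructed).
CRED_KEY = secrets.token_bytes(32)
REAL_ORIGIN = "https://github.com"


def authenticator_sign(challenge: bytes, origin: str) -> dict:
    """Simplified model: the browser fills in the origin it is showing; the key signs over it.

    Real WebAuthn signs authenticator data plus a hash of clientDataJSON with an asymmetric
    key and also binds the relying-party id; HMAC over one JSON blob is used here for brevity.
    """
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin},
                             sort_keys=True).encode()
    sig = hmac.new(CRED_KEY, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def site_verify_assertion(assertion: dict, expected_challenge: bytes) -> bool:
    """The real site checks the signature AND that the signed origin is its own."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != REAL_ORIGIN:
        return False  # signed for the phishing page, not for us
    if data.get("challenge") != expected_challenge.hex():
        return False  # replayed or mismatched challenge
    expected_sig = hmac.new(CRED_KEY, assertion["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, assertion["sig"])


def webauthn_relay_scenario(phishing_origin: str = "https://github-login.example.test") -> bool:
    """Attacker fetches a real challenge and relays it; the victim's key signs it on the fake page."""
    challenge = secrets.token_bytes(32)
    assertion = authenticator_sign(challenge, phishing_origin)  # browser reports the fake origin
    return site_verify_assertion(assertion, challenge)  # rejected


def webauthn_legit_scenario() -> bool:
    challenge = secrets.token_bytes(32)
    return site_verify_assertion(authenticator_sign(challenge, REAL_ORIGIN), challenge)


if __name__ == "__main__":
    print("relayed TOTP accepted:      ", totp_relay_scenario())
    print("relayed assertion accepted: ", webauthn_relay_scenario())
    print("genuine assertion accepted: ", webauthn_legit_scenario())
```

The one-line difference is that the origin is supplied by the browser and covered by the signature, so the victim's correct behaviour (pressing the key on a page they believe is GitHub) still produces something the real site will refuse. It is also why GitHub can say hardware-key-protected accounts were not susceptible: there is nothing for the phishing page to relay.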