GitHub alerts users to active phishing campaign

[Image: The GitHub sign in screen on a smartphone. Image credit: Shutterstock]

GitHub has notified its users of a phishing campaign active since 16 September.

The bait in the seemingly persuasive phishing campaign is an email that mimics notifications from continuous integration and delivery platform CircleCI.


Specifically, the fake email pressures recipients into accepting updated “user terms and privacy policy” by signing into their GitHub accounts again through CircleCI.

“As part of our integration with GitHub, we are updating our Terms of Use and Privacy Policy to provide greater transparency about how CircleCI uses your information, as well as how cookies are used to make our services more convenient and effective,” the email reads.

The phishing sites relay the victim's login through reverse proxies to the real GitHub, so the threat actors attempted to steal GitHub account credentials together with any two-factor authentication (2FA) code the victim entered.

However, GitHub assured users that accounts protected with hardware security keys for multi-factor authentication (MFA) are not susceptible to the attack.
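To show why a relayed 2FA code gets a reverse proxy logged in while a hardware key does not, here is an added Python simulation; it is not code from GitHub, CircleCI or the advisory. The proxy origin, RP ID and sample code are constructed, and the authenticator's signature is modelled with an HMAC instead of a real per-credential key pair, but the bytes being signed and the relying-party checks follow the WebAuthn ceremony.

```python
"""Why a relayed one-time code lets an adversary-in-the-middle proxy in, while a
hardware-key (WebAuthn/FIDO2) assertion does not.

Simplified simulation: the authenticator's signature is modelled with an HMAC over
the same bytes a real authenticator signs (authenticatorData || SHA-256(clientDataJSON));
a real security key uses a per-credential asymmetric key pair.  Origins, RP ID and
the sample code are constructed for this example."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit

LEGIT_ORIGIN = "https://github.com"
PROXY_ORIGIN = "https://github-com.terms-update.example"  # constructed phishing-proxy origin
RP_ID = "github.com"
CRED_KEY = secrets.token_bytes(32)  # stands in for the credential's private key


# --- One-time code: nothing binds the code to the site where it was typed ----
def rp_verify_otp(presented: str, expected: str) -> bool:
    """The relying party only sees a six-digit string; it cannot tell it came via a proxy."""
    return hmac.compare_digest(presented, expected)


def proxy_relays_otp(code_typed_on_proxy: str, code_rp_expects: str) -> bool:
    """The proxy forwards whatever the victim typed on the fake page to the real site."""
    return rp_verify_otp(code_typed_on_proxy, code_rp_expects)


# --- WebAuthn: the browser binds every assertion to the page origin ---------
def authenticator_sign(rp_id: str, client_data_hash: bytes) -> tuple[bytes, bytes]:
    """authenticatorData starts with SHA-256(rpId); flags and counter are omitted here."""
    auth_data = hashlib.sha256(rp_id.encode()).digest()
    sig = hmac.new(CRED_KEY, auth_data + client_data_hash, hashlib.sha256).digest()
    return auth_data, sig


def browser_get_assertion(page_origin: str, challenge: str) -> dict:
    """The browser, not the page's JavaScript, writes the origin into clientDataJSON and
    only permits an RP ID that matches the origin's host (or a registrable suffix of it).
    In this simulation the RP ID is simply the origin's host."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    rp_id = urlsplit(page_origin).hostname
    auth_data, sig = authenticator_sign(rp_id, hashlib.sha256(client_data).digest())
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify_assertion(assertion: dict, challenge: str,
                        expected_origin: str = LEGIT_ORIGIN, rp_id: str = RP_ID) -> bool:
    """The relying party's checks, abridged from the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:  # a relayed assertion fails right here
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def demo_otp_relay() -> bool:
    code = "492817"  # constructed: the code the victim's authenticator app displayed
    return proxy_relays_otp(code, code)  # True: the proxy is logged in


def demo_webauthn(page_origin: str) -> bool:
    """Victim completes the key ceremony on page_origin; the assertion goes to the RP."""
    challenge = secrets.token_urlsafe(32)
    assertion = browser_get_assertion(page_origin, challenge)
    return rp_verify_assertion(assertion, challenge)


if __name__ == "__main__":
    print("relayed OTP accepted:       ", demo_otp_relay())            # True
    print("key on real origin accepted:", demo_webauthn(LEGIT_ORIGIN))  # True
    print("key via proxy accepted:     ", demo_webauthn(PROXY_ORIGIN))  # False
```

The decisive line is the origin comparison: the victim never sees or types the origin, the phishing page cannot rewrite it, and a real browser would refuse to use a github.com credential on the proxy's host in the first place, so the relayed assertion is rejected even though the user did everything the fake page asked.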

“While GitHub itself was not affected, the campaign has impacted many victim organizations,” GitHub said in an advisory on Wednesday.

Corroborating GitHub’s alert, CircleCI took to its forums to warn users that the platform would never ask them to enter credentials to view changes to its terms of service.

“Any emails from CircleCI should only include links to circleci.com or its sub-domains,” stated CircleCI in its notice.

“If you believe you or someone on your team may have accidentally clicked a link in this email, please immediately rotate your credentials for both GitHub and CircleCI, and audit your systems for any unauthorized activity,” added the company.
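The “only circleci.com or its sub-domains” rule is easy to state and easy to misjudge by eye, so here is an added Python check (not CircleCI's or GitHub's code) that pulls the links out of a message and flags any whose host falls outside that rule. The sample email and every hostname in it are constructed; the hostname handling covers the usual lookalike forms (suffix spoofing, `user@host` userinfo, mixed case, trailing dot).

```python
"""Flag links in a CircleCI-branded email whose host is not circleci.com or one of
its sub-domains, the rule CircleCI's notice gives.  Constructed sample message."""
import re
from urllib.parse import urlsplit

ALLOWED_DOMAINS = ("circleci.com",)

# Bare URLs in text and href="..." targets in HTML, in document order.
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def link_host_allowed(url: str, allowed=ALLOWED_DOMAINS) -> bool:
    """True only for http(s) URLs whose host equals, or is a sub-domain of, an allowed domain."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed IPv6 brackets and similar
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = parts.hostname  # already lower-cased; userinfo and port stripped
    if not host:
        return False
    host = host.rstrip(".")  # 'circleci.com.' is the same host in FQDN form
    # Suffix match on a dot boundary: 'notcircleci.com' and
    # 'circleci.com.evil.example' both fail, 'support.circleci.com' passes.
    return any(host == d or host.endswith("." + d) for d in allowed)


def extract_links(body: str) -> list[str]:
    return URL_RE.findall(body)


def suspicious_links(body: str) -> list[str]:
    return [u for u in extract_links(body) if not link_host_allowed(u)]


SAMPLE_EMAIL = """Subject: [Action required] CircleCI Terms of Use update   (constructed sample)

Review the updated terms: https://circleci.com/legal/terms
Need help? https://Support.CircleCI.com/hc/
To keep your integration active, sign in again:
  https://circleci.com.github-terms-update.example/login
Alternate sign-in: <a href="https://circleci.com@auth-check.example/session">circleci.com</a>
"""

if __name__ == "__main__":
    for url in suspicious_links(SAMPLE_EMAIL):
        print("NOT a circleci.com link:", url)
```

The two flagged links are the ones a reader skims past: the first starts with `circleci.com` but its registrable domain is elsewhere, and the second puts `circleci.com` in the userinfo part so the browser actually connects to the host after the `@`.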