Crooks abuse GitHub platform to host phishing kits

Experts at Proofpoint discovered that free code repositories on GitHub have been abused since at least 2017 to host phishing websites.

Researchers at Proofpoint reported that crooks are abusing free code repositories on GitHub to host phishing websites and bypass security defenses. Experts discovered that cybercriminals are abusing the GitHub service since at least mid-2017.

The phishing websites were hosted on the canonical $github_username.github.io domain. Attackers are using stolen brand graphics to make their pages resemble the brand they were abusing.

“Since at least mid-2017, phishers have also been abusing free code repositories on the popular GitHub service to host phishing websites on the canonical $github_username.github.io domain.” reads the post published by Proofpoint. “threat actors establish a canonical code repository site within the github.io canonical domain that resembles the brand they are abusing.”

The inspection of the lookalike GitHub account used by crooks revealed
the files in the phishing kit are viewable as follows, experts noticed that the HTML code is lightly encoded in order to obfuscate the content.

The code sends credentials provided by the users in an HTTP POST request to another compromised site under the control of the attackers.

The phishing kits do not use typical hosted PHP methods because the github.io platform does not provide PHP back-end services.

Experts observed that cybercriminals in some cases used the github.io domain as a traffic redirector with the intent to ensure that the actual phishing page remains live for a bit longer.

The drawback in using public GitHub accounts it that security researchers have major visibility into the threat actors’ activity and on the changes to their phishing pages.

Proofpoint identified a particular user, “greecpaid,” who manages several phishing kits hosted on GitHub repositories.

Proofpoint reported its findings to GitHub that took down the accounts hosting phishing kits.

“In the past, threat actors have been able to evade detection by using well-known and trusted consumer cloud, social networking, and commerce services to host files as well as web hosts. Microsoft’s free accounts on the GitHub service, which have typically been used for Open Source and other public software development repositories, are equally vulnerable to widespread abuse,” Proofpoint concludes.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – GitHub, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.