Threat Watch

GitHub Service Being Used to Host Phishing Sites

Attackers are hosting numerous phishing websites on github.io domains, taking advantage of free code repositories within the GitHub service. Many of the domains are used to carry out phishing campaigns directly, while others serve as traffic redirectors, which allows the phishing sites to stay online for a longer amount of time. One specific phishing email campaign involving a retail bank brand sent potential victims to a page hosted by the GitHub service. That page displays a login form that captures the username and password the user enters. The collected information is then transferred to other compromised servers used by the attackers. The usual hosted PHP methods are not used because the github.io platform does not provide PHP back-end services. Since free GitHub accounts were used, the repository activity was easily viewable. Researchers were able to view the activity on the accounts and discovered that the kits were designed to adapt to their specific purpose.
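Because github.io serves only static content, a credential form hosted there has to hand its data to some other host. The following check is an added example, not code from the researchers or from GitHub: it flags password forms on a github.io page whose submission target is a different host. It assumes the kit submits through a plain HTML form action; the function name, class name and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormScanner(HTMLParser):
    """Collects each <form>'s action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []      # list of {"action": str, "has_password": bool}
        self._open = None    # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def offsite_credential_forms(page_url, html):
    """Return the hosts that receive password forms from a github.io page
    when the receiving host differs from the page's own host."""
    page_host = (urlparse(page_url).hostname or "").lower()
    if not page_host.endswith(".github.io"):
        return []
    scanner = _FormScanner()
    scanner.feed(html)
    hits = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        # Resolve relative actions against the page URL before comparing hosts.
        target = urlparse(urljoin(page_url, form["action"])).hostname or ""
        if target.lower() != page_host:
            hits.append(target.lower())
    return hits


# Constructed sample pages (not taken from the campaign).
SUSPECT = ('<form action="https://collector.example/save.php" method="post">'
           '<input name="user"><input type="password" name="pass"></form>')
BENIGN = '<form action="/search"><input name="q"></form>'
```

Forms that are submitted by script rather than through the `action` attribute are outside what this check covers.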

ANALYST NOTES

GitHub claims to have removed the accounts involved in the campaigns as of April 19th, 2019; however, attackers may continue to abuse free accounts. As with any phishing campaign, users should never follow links from untrusted sources. If these