Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?



Cybercriminals Using GitHub to Host Phishing Kits

Free code repositories on the Microsoft-owned GitHub have been abused since at least mid-2017 to host phishing websites, according to researchers from Proofpoint.

Free code repositories on the Microsoft-owned GitHub have been abused since at least mid-2017 to host phishing websites, according to researchers from Proofpoint.

Cybercriminals have long abused legitimate services to bypass whitelists and network defenses, including cloud storage sites, social networking, and commerce services such as Dropbox, Google Drive, Paypal, Ebay, and Facebook.

In GitHub’s case, the phishers were hosting websites on the canonical $ domain, while using stolen brand graphics to make their pages resemble the brand they were abusing and add a sense of legitimacy to their attacks. 

Lightly encoded to obfuscate its usage, the HTML code used by the phishers was meant to send credentials in a HTTP POST request to another website, the security researchers say.

“Sending stolen credentials to another compromised website appears to be commonplace for all the active phishing kits we have observed on Moreover, it appears that the kits do not use typical hosted PHP methods because the platform does not provide PHP back-end services,” Proofpoint notes. 

In some cases, the domain was used as a traffic redirector, thus ensuring that the actual phishing page remains live for a big longer. 

The use of public GitHub accounts allowed security researchers to gain visibility into when the threat actors made changes to their hosted web pages, including updates to indicators of compromise such as shortened links.

The phishing landing page was modified to use a PHP script hosted on a remote domain and not one local to the kit.

The use of GitHub also allowed Proofpoint to identify a particular user, “greecpaid,” who has been making changes to files in these repositories. Although the user’s account appears as inactive on the GitHub service, it has updated multiple phishing kits recently.

The phishing kits hosted on GitHub have been targeting non-English speakers as well, Proofpoint says. 

All of the identified GitHub accounts hosting phishing material have been taken down as of April 19, Proofpoint says, warning that defenders should be aware of potential malicious content on $ canonical domains.

“In the past, threat actors have been able to evade detection by using well-known and trusted consumer cloud, social networking, and commerce services to host files as well as web hosts. Microsoft’s free accounts on the GitHub service, which have typically been used for Open Source and other public software development repositories, are equally vulnerable to widespread abuse,” Proofpoint concludes. 

Related: Slack, GitHub Abused by New SLUB Backdoor in Targeted Attacks

Related: Phishers Serve Fake Login Pages via Google Translate

Related: Phishers Use Zero-Width Spaces to Bypass Office 365 Protections

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...


The Single Most Important Part of Dealing with a Phishing Attack is Preparing for the Attack Before it Actually Happens.


Reddit says its systems were hacked following a sophisticated phishing attack aimed at employees.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...