Connect with us

Hi, what are you looking for?



Cybercriminals Using GitHub to Host Phishing Kits

Free code repositories on the Microsoft-owned GitHub have been abused since at least mid-2017 to host phishing websites, according to researchers from Proofpoint.

Free code repositories on the Microsoft-owned GitHub have been abused since at least mid-2017 to host phishing websites, according to researchers from Proofpoint.

Cybercriminals have long abused legitimate services to bypass whitelists and network defenses, including cloud storage sites, social networking, and commerce services such as Dropbox, Google Drive, Paypal, Ebay, and Facebook.

In GitHub’s case, the phishers were hosting websites on the canonical $ domain, while using stolen brand graphics to make their pages resemble the brand they were abusing and add a sense of legitimacy to their attacks. 

Lightly encoded to obfuscate its usage, the HTML code used by the phishers was meant to send credentials in a HTTP POST request to another website, the security researchers say.

“Sending stolen credentials to another compromised website appears to be commonplace for all the active phishing kits we have observed on Moreover, it appears that the kits do not use typical hosted PHP methods because the platform does not provide PHP back-end services,” Proofpoint notes. 

In some cases, the domain was used as a traffic redirector, thus ensuring that the actual phishing page remains live for a big longer. 

The use of public GitHub accounts allowed security researchers to gain visibility into when the threat actors made changes to their hosted web pages, including updates to indicators of compromise such as shortened links.

The phishing landing page was modified to use a PHP script hosted on a remote domain and not one local to the kit.

Advertisement. Scroll to continue reading.

The use of GitHub also allowed Proofpoint to identify a particular user, “greecpaid,” who has been making changes to files in these repositories. Although the user’s account appears as inactive on the GitHub service, it has updated multiple phishing kits recently.

The phishing kits hosted on GitHub have been targeting non-English speakers as well, Proofpoint says. 

All of the identified GitHub accounts hosting phishing material have been taken down as of April 19, Proofpoint says, warning that defenders should be aware of potential malicious content on $ canonical domains.

“In the past, threat actors have been able to evade detection by using well-known and trusted consumer cloud, social networking, and commerce services to host files as well as web hosts. Microsoft’s free accounts on the GitHub service, which have typically been used for Open Source and other public software development repositories, are equally vulnerable to widespread abuse,” Proofpoint concludes. 

Related: Slack, GitHub Abused by New SLUB Backdoor in Targeted Attacks

Related: Phishers Serve Fake Login Pages via Google Translate

Related: Phishers Use Zero-Width Spaces to Bypass Office 365 Protections

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

Jill Passalacqua has been appointed Chief Legal Officer at autonomous security solutions provider

Cisco has appointed Sean Duca as CISO and Practice Leader for the APJC region.

More People On The Move

Expert Insights