Free code repositories on the Microsoft-owned GitHub have been abused since at least mid-2017 to host phishing websites, according to researchers from Proofpoint.
Cybercriminals have long abused legitimate services to bypass whitelists and network defenses, including cloud storage sites, social networking, and commerce services such as Dropbox, Google Drive, Paypal, Ebay, and Facebook.
In GitHub’s case, the phishers were hosting websites on the canonical $github_username.github.io domain, while using stolen brand graphics to make their pages resemble the brand they were abusing and add a sense of legitimacy to their attacks.
Lightly encoded to obfuscate its usage, the HTML code used by the phishers was meant to send credentials in a HTTP POST request to another website, the security researchers say.
“Sending stolen credentials to another compromised website appears to be commonplace for all the active phishing kits we have observed on github.io. Moreover, it appears that the kits do not use typical hosted PHP methods because the github.io platform does not provide PHP back-end services,” Proofpoint notes.
In some cases, the github.io domain was used as a traffic redirector, thus ensuring that the actual phishing page remains live for a big longer.
The use of public GitHub accounts allowed security researchers to gain visibility into when the threat actors made changes to their hosted web pages, including updates to indicators of compromise such as shortened links.
The phishing landing page was modified to use a PHP script hosted on a remote domain and not one local to the kit.
The use of GitHub also allowed Proofpoint to identify a particular user, “greecpaid,” who has been making changes to files in these repositories. Although the user’s account appears as inactive on the GitHub service, it has updated multiple phishing kits recently.
The phishing kits hosted on GitHub have been targeting non-English speakers as well, Proofpoint says.
All of the identified GitHub accounts hosting phishing material have been taken down as of April 19, Proofpoint says, warning that defenders should be aware of potential malicious content on $github_username.github.io canonical domains.
“In the past, threat actors have been able to evade detection by using well-known and trusted consumer cloud, social networking, and commerce services to host files as well as web hosts. Microsoft’s free accounts on the GitHub service, which have typically been used for Open Source and other public software development repositories, are equally vulnerable to widespread abuse,” Proofpoint concludes.
Related: Slack, GitHub Abused by New SLUB Backdoor in Targeted Attacks
Related: Phishers Serve Fake Login Pages via Google Translate
Related: Phishers Use Zero-Width Spaces to Bypass Office 365 Protections