A new type of phishing attack has spread among developers — attackers pretend to be recruiters and the GitHub security team and ask to follow a link.
How states Bleeping Computer, dozens of similar cases have been reported since February.
Developers received fake job offers or security alerts. In the latter case, the emails came from “notifications@github.com”.
They asked users to log in to their GitHub accounts to authorize through the OAuth application, which requests access to private repositories, personal data, and the ability to delete any repository.
Many GitHub users who have fallen victim to these attacks have reported having their accounts disabled and losing access to all repositories.
After gaining access to the repositories, the attackers delete everything, rename the repository, add a README.me file, and ask to contact them via Telegram.
They also claim to have stolen the data before destroying it and to have created a backup that could help restore it.
The phishing emails redirect potential victims to githubcareers[.]online or githubtalentcommunity[.]online, as first spotted by CronUp security researcher German Fernandez.
«We would like to remind our users to continue to use our abuse reporting tools to report any offensive or suspicious activity. This is a phishing campaign and not the result of a compromise of GitHub or its systems», —said is one of the managers of the GitHub community.
GitHub employees also advised users to take appropriate security measures: