Active GitHub phishing campaign impersonating GitHub Recruitment
Take action: As in all phishing, if it's too good to be true, it's not true. If you have clicked, report immediately to your team. And clean up the secrets in your code. Because someone will be phished.
There is an ongoing phishing campaign that is delivered through GitHub's issue and comment notification infrastructure. If you receive a message from <notifications@github.com> offering you a job at GitHub, be very careful: the email itself is genuine GitHub mail, it is the comment behind it that is malicious.
Phishing mechanism
The attack takes the form of a message claiming to be from GitHub Recruitment, promising a job with a high salary and providing a link to "the forms" needed to "complete the process". An example of the message is listed at the end of this advisory.
- The attackers trigger the phishing email by posting the message as a comment on an issue in an arbitrary public repo and @-mentioning the GitHub usernames of their targets in the comment.
- GitHub's notification mechanism sees a comment that mentions users and emails each of them from the legitimate address <notifications@github.com>. The mail is therefore real GitHub mail and passes the usual sender checks; only its content is attacker-controlled.
- Clicking the link takes the user to the authorization page of a third-party GitHub OAuth app, which asks the user to grant it multiple scopes that together let the app do most of what the user can do. The scopes are listed at the end of this advisory.
- If the user approves the scopes, the third-party application, acting as the victim's account, proceeds to:
- Spread itself further by posting the same phishing comment on other repos and issues, mentioning more users
- Promote cryptocurrency scams and airdrops
- Pull content from private repos (which, as we all know, very probably include secrets in code)
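The amplification step above leaves fingerprints in the comment itself. The following Python is an added example, not part of this advisory or any GitHub tooling: it scores an issue-comment object (the `body`, `user.login` and `html_url` fields GitHub returns for comments) on the indicators the campaign relies on, namely a pile of @-mentions, an off-GitHub link, recruitment wording and an artificial deadline. The two sample comments are constructed, the host `example.invalid` is a placeholder, and the keyword list and thresholds are chosen for this example rather than taken from any published detection rule.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed samples: the field names follow GitHub's issue-comment object
# (body, user.login, html_url); the content is a made-up instance of the
# campaign's message, not a captured comment.
PHISHING_COMMENT = {
    "user": {"login": "compromised-account"},
    "html_url": "https://github.com/example/repo/issues/1#issuecomment-1",
    "body": (
        "@alice @bob @carol @dave @erin @frank\n"
        "Hello,\nWe have an exciting opportunity for you! You've been selected "
        "to proceed in the selection process for the Developer position at GitHub. "
        "You will be offered a competitive salary of $180,000 per year.\n"
        "Please click here to access the forms: https://example.invalid/apply\n"
        "Important: You have 24 hours to complete the application process."
    ),
}
BENIGN_COMMENT = {
    "user": {"login": "maintainer"},
    "html_url": "https://github.com/example/repo/issues/2#issuecomment-2",
    "body": "@alice thanks, I can reproduce this on main; fix incoming in #42.",
}

GITHUB_HOSTS = {"github.com", "www.github.com"}
# The lookbehind keeps e-mail addresses such as notifications@github.com
# from being counted as mentions.
MENTION_RE = re.compile(r"(?<![\w/.])@([A-Za-z0-9][A-Za-z0-9-]*)")
LINK_RE = re.compile(r"https?://[^\s<>()\[\]\"']+")
URGENCY_RE = re.compile(r"\b\d+\s+hours?\b|as soon as possible", re.IGNORECASE)
# Heuristic wording list chosen for this example.
RECRUIT_KEYWORDS = (
    "opportunity", "position at github", "salary", "hiring process",
    "application process", "recruit",
)


@dataclass
class Verdict:
    url: str
    author: str
    mentions: int
    external_links: list
    keyword_hits: list
    urgency: bool
    score: int
    suspicious: bool


def analyze_comment(comment, mention_threshold=3, suspicious_at=5):
    """Score one comment object; the thresholds are heuristics, not GitHub policy."""
    body = comment["body"]
    lowered = body.lower()
    mentions = len({m.lower() for m in MENTION_RE.findall(body)})
    external = [u for u in LINK_RE.findall(body)
                if (urlparse(u).hostname or "") not in GITHUB_HOSTS]
    hits = [k for k in RECRUIT_KEYWORDS if k in lowered]
    urgency = bool(URGENCY_RE.search(body))

    score = 0
    if mentions >= mention_threshold:   # mass-mentioning is the delivery mechanism
        score += 2
    if external:                        # the OAuth app lives off github.com
        score += 2
    score += min(len(hits), 3)          # recruitment wording, capped
    if urgency:                         # "24 hours" style pressure
        score += 1
    return Verdict(comment["html_url"], comment["user"]["login"], mentions,
                   external, hits, urgency, score, score >= suspicious_at)


if __name__ == "__main__":
    for c in (PHISHING_COMMENT, BENIGN_COMMENT):
        v = analyze_comment(c)
        print(f"{v.url}: score={v.score} suspicious={v.suspicious} "
              f"mentions={v.mentions} external={v.external_links} hits={v.keyword_hits}")
```

Fed the comments your organisation's repos receive (for example from an `issue_comment` webhook or the comments API), the same function flags the campaign's comments while the maintainer's one-mention reply scores zero; the `author` field tells you which account to treat as compromised.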
Attack Impact
If a person falls for this attack, the impact on them and their team is as follows:
- Loss of all access - GitHub has started aggressively blocking accounts that have been used to spread the phishing, so the victim loses all access to GitHub.
- Code leak and secrets abuse - not confirmed for this campaign, but secrets in code are pure gold for someone to copy and then sell or abuse, and even just the cleanup and rotation of those secrets is a huge pain.
- Theft of intellectual property - also not confirmed, but in many repositories the code itself is IP, and it may even contain data models and raw source data.
- Reputation - users who notice the phishing will report the comment, and the impersonated user will be flagged as a scammer.
What to do?
- As in all phishing, if it's too good to be true, it's not true.
- If you have clicked and granted access - REPORT TO YOUR TEAM IMMEDIATELY. They will have a lot of cleanup to do. Revoke the app yourself as well, under Settings > Applications > Authorized OAuth Apps, and treat every secret reachable from your repos as compromised.
- Be very suspicious of third-party apps asking for OAuth permissions to your account unless you know exactly what the app does and you trust its publisher. Read the scopes on the authorization page: a "form" for a job application has no reason to ask for repo or delete_repo.
- Clean up the secrets in your code. Because someone will be phished.
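The last item, and the secrets-abuse risk under Attack Impact, both come down to knowing where secrets sit in your repos before a repo-scoped token walks off with them. The Python below is an added example, not tooling from this advisory or from GitHub: a minimal scanner for a few well-known credential formats (classic GitHub tokens with the documented `ghp_`/`gho_`/`ghu_`/`ghs_`/`ghr_` prefixes, AWS access key IDs, PEM private-key headers and a generic quoted `password=`/`token=` assignment). The sample source text is constructed, every value in it is deliberately fake, and the patterns are a starting point, not a substitute for a full secret-scanning tool.

```python
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Pattern set. The GitHub prefixes (ghp_, gho_, ghu_, ghs_, ghr_) and the AWS
# AKIA prefix are documented token formats; the PEM header and the generic
# quoted-assignment rule are heuristics and will produce some false positives.
SECRET_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"),
}

# Constructed sample file; every value here is fake (the AWS key is the
# documented AWS example key, the GitHub token is just the alphabet).
SAMPLE_SOURCE = """\
# config.py (constructed sample, not from any real repository)
GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "correct-horse-battery"
DEBUG = True
"""


@dataclass
class Finding:
    source: str
    line: int
    kind: str
    redacted: str   # first four characters of the secret, rest masked


def _redact(secret):
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(text, source="<memory>"):
    """Return one Finding per pattern match, line by line, with the secret masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                # The generic rule captures only the value; the others match whole.
                secret = m.group(1) if m.lastindex else m.group(0)
                findings.append(Finding(source, lineno, kind, _redact(secret)))
    return findings


def scan_path(root):
    """Walk a checkout, skipping .git and anything that is not UTF-8 text."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or ".git" in path.parts:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue
        findings.extend(scan_text(text, str(path)))
    return findings


if __name__ == "__main__":
    # With a path argument, scan a real checkout; otherwise scan the sample.
    results = (scan_path(sys.argv[1]) if len(sys.argv) > 1
               else scan_text(SAMPLE_SOURCE, "config.py"))
    for f in results:
        print(f"{f.source}:{f.line}: {f.kind}: {f.redacted}")
    sys.exit(1 if results else 0)
```

Run it against the current checkout of every repo the victim's account could read; each finding is a credential to rotate now, regardless of whether exfiltration is ever confirmed. The non-zero exit when anything is found makes it usable as a pre-commit or CI gate so the cleanup stays done.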
Scopes requested by the malicious third party app
- delete_repo - delete repositories
- gist - create and modify gists
- read:org - read organization and team membership
- repo - full read/write access to all public and private repositories, including code, issues and pull requests
- user - read and write the user's profile data
- write:discussion - read and write team discussions
Phishing message
Hello,
We have an exciting opportunity for you! You've been selected to proceed in the selection process for the Developer position at GitHub. Congratulations on your achievement!
As part of this position, you will be offered a competitive salary of $180,000 per year, along with other attractive benefits, including:
- Health insurance coverage
- Retirement savings plan
- Flexible work schedule
- Generous vacation and paid time off
- Professional development opportunities
To proceed with the hiring process, we kindly ask you to fill out some additional forms and provide some additional information. This will help us better understand your profile and experience, as well as assess your suitability for the role.
Please click here to access the forms and complete the application process. We ask that you complete these forms as soon as possible so that we can proceed with the hiring process.
Important: You have 24 hours to complete the application process.
If you have any questions or need further information, please don't hesitate to contact us.
Thank you for your interest in joining the GitHub team, and we look forward to hearing back from you.
Best regards,