GitHub users targeted by Sawfish phishing campaign
The Microsoft-owned source code collaboration and version control service reported the campaign, which it calls Sawfish, on Tuesday 14 April. Users were reporting emails that tried to lure them into entering their GitHub credentials on fake sites for a week before, it said.
The phishing campaign lures victims to domains that look similar to GitHub’s at first glance but which the company doesn’t own, such as
corp-github.com, the company said. Other domains misspell the ‘i’ in GitHub with an ‘l’, like
glthub.info. The attacker also tried domains that look like those owned by other tech companies, such as
slack-app.net. Most of these domains are already down and the phisher has been swapping them out quickly, GitHub warned.
The phishing emails – which aren’t always well-written – try to raise the recipient’s alarm by suggesting that there’s something fishy going on with their account. One example, received on 4 April, asked a user to review their account activity:
It then took the user to this fake site, with a domain that GitHub says is associated with the Sawfish campaign:
The phishers appear to be targeting people based on the addresses used for public Git commits. These are updates to source code that are publicly viewable. That could explain one Redditor’s report of a phishing email sent to an address used exclusively for GitHub.
Attackers use several techniques to hide the real link destination, including URL shorteners, sometimes strung together to make it even more difficult to see the ultimate destination. They also use redirectors on compromised sites that have a legitimate-looking URL but which then send the victim to another malicious site.