GitHub accounts are being stolen by fake CircleCI accounts

(Image credit: wk1003mike / Shutterstock)

Cybercriminals are impersonating CircleCI to try and steal GitHub accounts, both companies have confirmed. 

According to the two firms, criminals are currently distributing a phishing email, in which they impersonate the continuous integration and delivery platform, CircleCI. 

The email is being sent to GitHub users, and warns them that CircleCI’s user terms and privacy policy have changed, and that they need to sign into their GitHub accounts to accept the new terms.

GitHub warning

As you might expect, there is a link at the email’s bottom that the recipients can click to “accept” the changes. Those that do, risk having their GitHub account credentials, as well as two-factor (2FA) authentication codes stolen, as the attackers relay this information through reverse proxies. According to BleepingComputer, users with hardware security keys are not vulnerable.

“While GitHub itself was not affected, the campaign has impacted many victim organizations,” GitHub said in its warning.

Multiple attack domains

CircleCI has also published an announcement on its forums, warning users of the ongoing attack, and reiterating that the company will never ask users to enter any credentials to view ToS changes.

“Any emails from CircleCI should only include links to or its sub-domains,” the company stressed.

So far, multiple domains distributing the phishing email have been confirmed: 

  • circle-ci[.]com
  • emails-circleci[.]com
  • circle-cl[.]com
  • email-circleci[.]com

The attackers are after GitHub developer accounts, and if they manage to get into one, the next thing they’ll do is create personal access tokens (PATs), authorize OAuth apps, and even add SSH keys to the account, to make sure they retain the access even after the owners change the password.

After that, GitHub added, they’ll take data from private repositories. The company has since blocked a number of accounts, confirmed to have been compromised. All potentially impacted users have had their account passwords reset. 

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.