Cybercriminals are impersonating (opens in a new tab) CircleCI is trying to steal GitHub accounts, both companies confirmed.
According to the two companies, criminals are now sending phishing emails that pretend to be CircleCI’s continuous integration and delivery platform.
An email is sent to GitHub users and warns them that CircleCI’s terms of use and privacy policy have changed and that they must log in to their GitHub accounts to accept the new terms.
GitHub Warning
As expected, there is a link at the bottom of the message that recipients can click to “accept” the changes. Those who do this risk stealing their GitHub account credentials as well as two-factor (2FA) authentication codes as attackers pass this information through reverse proxies. According Hissing computerusers with hardware security keys are not exposed.
“While GitHub itself was not touched, the campaign had an impact on many victim organizations,” GitHub said in a warning.
Multiple attack domains
CircleCI also posted an announcement on its forums, warning users of the attack underway and reiterating that the company will never ask users for any credentials to view ToS changes.
“Any e-mail from CircleCI should only contain links to circleci.com or its subdomains,” the company emphasized.
So far, multiple domains sending phishing emails have been confirmed:
- wheel-th[.]com
- circleci-e-mails[.]com
- circle-cl[.]com
- email-circleci[.]com
Attackers are after the GitHub developer (opens in a new tab) accounts, and if they manage to get into one, the next thing they will do is create Personal Access Tokens (PAT), authorize the OAuth app, or even add SSH keys to the account to make sure they retain access even after the owners change their password .
Then, added GitHub, they will be fetching data from private repositories. The company has since blocked many accounts that have been confirmed to have been compromised. All potentially affected users have had their passwords reset.
By: Hissing computer (opens in a new tab)