Hackers abuse popular code repositories service such as GitHub to host a variety of phishing domains to make their targets to believe it is through github.io domains.
By using well-known services like Dropbox, Google Drive, Paypal, eBay, and Facebook, attackers able to bypass whitelists and network defenses.
Proofpoint identified a range of malicious activities that target users from various organizations. Here is the Example of a phishing kit hosted on GitHub service that lures the login credentials of a retail bank.
Threat actors use github.io based landing pages to make the victims believe it is from the trusted source and to bypass traditional security solutions. The Phishing page uses the stolen brand logo and the graphics.
“In most cases of GitHub abuse described here, threat actors establish a canonical code repository site within the github.io canonical domain that resembles the brand they are abusing”, reads Proofpoint blog post.
app-l0gin- [.] github [.] io
Source code analysis reveals that the HTML script is slightly obfuscated and the lured credentials are sent to another compromised server that owned by attackers. Attackers use public GitHub landing page with PHP script loaded from remote servers.
Some threat actors use github.io domain only as a traffic redirector, “we were able to observe when actors made changes to their hosted web pages and most kits are not written from scratch and are instead simply modified by different actors.”
Proofpoint reported the abuse to GitHub and all the phishing accounts has been taken down by GitHub.