This edition is dedicated to a campaign abusing a well-known service, GitHub, in an unprecedented way.
Using Facebook ads for phishing is not a novelty, but what is interesting in this specific case is that the phishing pages are hosted on… GitHub! We are used to seeing this service exploited to deliver malware, but apparently there is no limit to the creativity of cyber criminals. GitHub can be used to create static pages, and the bad guys have found a way to abuse this feature.
This massive campaign targeted more than 615,000 users in multiple countries including Egypt, the Philippines, Pakistan, and Nepal. The campaign used localized Facebook posts and pages spoofing legitimate entities, together with targeted ads for specific countries. The links inside the posts redirected the victims to static GitHub pages containing a login panel for Facebook. The static GitHub phishing pages eventually forwarded the phished credentials to a couple of domains under the control of the criminals.
The researchers discovered almost 500 malicious GitHub repositories delivering the phishing pages, and obviously you can imagine what can be done when the credentials of 615,000 users are stolen: identity theft and password-spray attacks to access corporate resources are just a few examples.
GitHub belongs to the “Development Tools” and “Technology” categories, so we can create a simple DLP policy that prevents the submission of corporate credentials for these categories. Such a policy might seem too restrictive, so we can instead create a custom app (using the Universal Connector) mapped to the domain “github.io”, which is used to host the static pages, and apply the DLP policy to this custom application only.
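As an added illustration (not code from the original post or from the vendor's platform), a small Python check that applies the same logic the policy above describes to constructed web proxy log lines: flag credential-like form submissions to github.io hosted pages while leaving other traffic alone. The pipe-delimited log format, the field names and the sample entries are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed sample log (hypothetical format): timestamp|user|method|url|posted_field_names
SAMPLE_LOG = """\
2024-01-01T10:00:00Z|alice|GET|https://docs.github.io/index.html|
2024-01-01T10:01:12Z|bob|POST|https://example-login.github.io/fb/auth.html|email,pass
2024-01-01T10:02:30Z|carol|POST|https://github.io.evil.example/|email,pass
2024-01-01T10:03:05Z|dave|POST|https://myproject.github.io/contact|name,message
"""

# Form field names that usually carry credentials (assumed list, extend as needed)
CREDENTIAL_FIELDS = {"email", "username", "login", "pass", "password", "passwd"}

# Domain used to host GitHub static pages, as named in the post
HOSTED_PAGES_DOMAIN = "github.io"


def is_hosted_page(host):
    """True for github.io itself and any subdomain, but not for look-alikes
    such as github.io.evil.example (a plain substring check would match those)."""
    host = host.lower().rstrip(".")
    return host == HOSTED_PAGES_DOMAIN or host.endswith("." + HOSTED_PAGES_DOMAIN)


def find_credential_posts(log_text):
    """Return one record per POST that sends credential-like fields to a github.io page."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, method, url, fields = line.split("|", 4)
        if method.upper() != "POST":
            continue
        host = urlsplit(url).hostname or ""
        if not is_hosted_page(host):
            continue
        posted = {f.strip().lower() for f in fields.split(",") if f.strip()}
        matched = posted & CREDENTIAL_FIELDS
        if matched:
            hits.append({"time": ts, "user": user, "host": host, "fields": sorted(matched)})
    return hits


if __name__ == "__main__":
    for hit in find_credential_posts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['user']} sent {hit['fields']} to {hit['host']}")
```

Only the second line is flagged: the GET is not a submission, the look-alike domain is not a GitHub page, and the contact form carries no credential fields.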
Another day, another cloud-native threat that can be mitigated by our platform.