GitHub users are being targeted by a phishing and extortion campaign that abuses the platform’s notification system and malicious OAuth applications, with ransom demands ranging from $1,000 to $250,000. According to discussions opened in the GitHub community in February this year, the activity has been ongoing for nearly four months.
GitHub Phishing Activities Extort Victims with Ransoms Up to $250,000
“Threat actors deceiving legitimate companies to gain content access is not new, but their extreme measures to obtain access are less common,” said Max Gannon, Manager of the Cofense Threat Intelligence Team, in an email to SC Media. “What’s more unusual is that, after gaining access, these actors seem to use the accounts solely for extortion rather than conducting more sophisticated actions like uploading malware to repos to infect more people.”
Fernández provided further evidence of Gitloker and other extortion scams in a post. It includes an April Telegram message threatening to leak allegedly confidential information found in a GitHub repo unless $250,000 was paid, and another Telegram message from early February demanding $1,000 within 24 hours to prevent the exposure of data from an unspecified source.
GitHub Phishing Activities Exploit Comment Notifications for Access
CronUp security researcher Germán Fernández revealed new tactics of this scam on social media last week.
The attacker mentions (tags) the target’s username in a comment, which causes GitHub to send the target an email from notifications@github.com, a legitimate GitHub address.
The comments left by the attackers are written to look as though they come from GitHub staff. Users who do not look closely at the notification email may not realize that they are reading the text of a comment rather than a message sent by GitHub itself.
Screenshots from GitHub community discussions show that the only indications that the email originates from a comment mention are a subject line beginning with “Re: ” and a line at the bottom reading, “You received this email because you were mentioned.”
The phishing comments, posing as GitHub staff, either offer the target a job or warn of a supposed security vulnerability. They contain a link to a site on a domain resembling GitHub’s, such as githubcareers[.]online or githubtalentcommunity[.]online, which prompts the target to authorize an external OAuth application.
If the authorization is granted, the attackers wipe the user’s repositories and replace their contents with a README file instructing the user to contact a Telegram user named “gitloker” to recover the data. The Gitloker attackers also use compromised accounts to post further phishing comments, which generates more notification emails and puts the compromised account at risk of deletion when other users report the scam.
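As an added illustration (not code from the article, from GitHub or from the researchers quoted), the following Python script scores a raw notification email against the tells described above: the notifications@github.com sender, the “Re: ” subject prefix, the “you were mentioned” footer, links to github-lookalike domains, and lure phrases about jobs or vulnerabilities. It also extracts the scope parameter from any github.com/login/oauth/authorize link and flags scopes such as repo that would let an app rewrite repositories; that OAuth-URL check, the keyword list, the host allow-list and the two sample emails are the example’s own assumptions and constructed inputs, not data from the campaign.

```python
"""Triage a GitHub comment-notification email for the mention-phishing pattern.

Added example, not code from the article or from GitHub. The two sample
messages are constructed; the OAuth authorize-URL check assumes the lure site
eventually sends the victim to GitHub's standard consent screen.
"""
import re
from email import message_from_string
from urllib.parse import parse_qs, urlparse

# Hosts treated as genuinely GitHub's (assumption: everything else is foreign).
GITHUB_HOSTS = {"github.com", "www.github.com"}
# Footer line the article cites as the only body-level tell of a mention notification.
MENTION_FOOTER = "You received this email because you were mentioned"
# OAuth scopes that let an app rewrite or delete repositories.
DANGEROUS_SCOPES = {"repo", "delete_repo", "admin:org", "workflow"}
# Lure phrases matching the comments the article describes (constructed list).
LURE_KEYWORDS = ("github staff", "security vulnerability", "job", "recruit", "career")
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")


def is_github_host(host: str) -> bool:
    """True for github.com and its subdomains."""
    host = host.lower().rstrip(".")
    return host in GITHUB_HOSTS or host.endswith(".github.com")


def is_lookalike(host: str) -> bool:
    """Host contains 'github' but is not under github.com, e.g. githubcareers.online."""
    return "github" in host.lower() and not is_github_host(host)


def risky_oauth_scopes(url: str) -> set:
    """Dangerous scopes requested by a GitHub OAuth authorize URL (empty set otherwise)."""
    parsed = urlparse(url)
    if not (is_github_host(parsed.hostname or "") and parsed.path == "/login/oauth/authorize"):
        return set()
    requested = set()
    for value in parse_qs(parsed.query).get("scope", []):
        requested.update(s for s in re.split(r"[ ,]+", value) if s)
    return requested & DANGEROUS_SCOPES


def triage(raw_email: str) -> dict:
    """Extract the indicators from one raw RFC 822 message and return a verdict."""
    msg = message_from_string(raw_email)
    sender = msg.get("From", "").lower()
    subject = msg.get("Subject", "")
    body = msg.get_payload()
    if isinstance(body, list):  # multipart: inspect the first part only
        body = body[0].get_payload()
    urls = URL_RE.findall(body)
    hosts = [urlparse(u).hostname or "" for u in urls]
    lookalikes = sorted({h for h in hosts if is_lookalike(h)})
    scopes = set()
    for u in urls:
        scopes |= risky_oauth_scopes(u)
    is_mention = "notifications@github.com" in sender and MENTION_FOOTER in body
    lure = any(k in body.lower() for k in LURE_KEYWORDS)

    if is_mention and (lookalikes or scopes):
        verdict = "likely phishing"
    elif is_mention and lure:
        verdict = "suspicious: review links manually"
    elif is_mention:
        verdict = "mention notification, no phishing indicators"
    else:
        verdict = "not a GitHub mention notification"
    return {
        "mention_notification": is_mention,
        "reply_prefix": subject.startswith("Re: "),
        "lure_keywords": lure,
        "lookalike_domains": lookalikes,
        "risky_oauth_scopes": sorted(scopes),
        "verdict": verdict,
    }


# Constructed sample: a lure comment delivered through a real-looking notification.
PHISH_EMAIL = """\
From: gitloker-bot (via GitHub) <notifications@github.com>
To: victim@example.org
Subject: Re: [example/project] Update README (Issue #12)
Content-Type: text/plain; charset=utf-8

@victim This is the GitHub Staff. We detected a security vulnerability in
your repositories. Review it here: https://githubcareers.online/review?ref=12
Authorize the scanner: https://github.com/login/oauth/authorize?client_id=abc123&scope=repo%20user
--
Reply to this email directly or view it on GitHub:
https://github.com/example/project/issues/12#issuecomment-1
You received this email because you were mentioned.
"""

# Constructed sample: an ordinary mention from a colleague.
BENIGN_EMAIL = """\
From: colleague (via GitHub) <notifications@github.com>
To: victim@example.org
Subject: Re: [example/project] Add CI workflow (PR #7)
Content-Type: text/plain; charset=utf-8

@victim could you review this when you have a moment?
--
Reply to this email directly or view it on GitHub:
https://github.com/example/project/pull/7#issuecomment-2
You received this email because you were mentioned.
"""

if __name__ == "__main__":
    for name, mail in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, triage(mail))
```

The script deliberately treats the sender address and footer as proof of nothing more than “this is a comment notification”, since both are identical for legitimate mentions; the phishing signal comes only from where the embedded links point and what they ask for.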
Protecting GitHub Accounts from Gitloker and Similar Scams
GitHub has been aware of Gitloker’s phishing and extortion activities since at least February. A staff member mentioned in a community discussion that, “Our team is currently working on addressing these proactive phishing notifications.” Recommendations include:
• Using GitHub’s abuse reporting tool to report spam.
• Not clicking suspicious links or replying to suspicious emails, and being cautious when authorizing OAuth applications, since they expose GitHub data to third parties.
• Regularly reviewing authorized OAuth applications connected to the user’s account.
• Revoking access for any unused or suspicious OAuth applications.
• Verifying the legitimacy of applications connected to repos to prevent phishing.
• Implementing a backup strategy for GitHub repositories so that wiped or lost content can be restored quickly, minimizing business impact.
Additionally, the staff noted that GitHub does not use public notifications for recruitment and that this phishing activity is not the result of a direct attack on GitHub itself.
A GitHub spokesperson also told SC Media that if users believe their accounts might have been compromised, they should review their GitHub activity sessions and personal access tokens, change their GitHub password, and reset their two-factor recovery codes.
The spokesperson stated, “GitHub investigates all reports of abuse or suspicious activity on the platform and takes action when content or activities violate our Acceptable Use Policy.”
However, GitHub did not respond to questions about whether any modifications had been made to its notification system in response to the activity or the extent of the activity’s prevalence across the site as of June.