Cyber criminals are impersonating CircleCI in a bid to steal GitHub accounts, both companies have confirmed.
According to the two companies, criminals are currently distributing a phishing email impersonating the CircleCI continuous integration and delivery platform.
As you would expect, there is a link at the bottom of the email that recipients can click to “accept” the supposed terms of service changes. Those who do run the risk of having their GitHub account credentials and two-factor authentication (2FA) codes stolen, as the attackers relay this information through reverse proxies. According to BleepingComputer, users with hardware security keys are not vulnerable.
“While GitHub itself was not affected, the campaign has affected many victim organizations,” GitHub said in its warning.
Multiple attack domains
CircleCI has also released an announcement on its forums, warning users of the ongoing attack and reiterating that the company will never ask users to enter credentials to view ToS changes.
“CircleCI emails may only contain links to circleci.com or its subdomains,” the company stressed.
So far, multiple domains have been confirmed to be spreading the phishing email:
- email circle[.]com
The attackers are after GitHub developer accounts, and if they manage to get in, the next thing they do is create personal access tokens (PATs), authorize OAuth apps, and even add SSH keys to the account, to make sure they keep access even after the owners change their password.
After that, GitHub added, they take data from private repositories. The company has since blocked a number of accounts confirmed to have been compromised, and all potentially affected users have reset their account passwords.
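A defender-side illustration of the persistence steps described above, added here and not code from GitHub, CircleCI or the original article: a small Python check that flags personal access token, OAuth authorization and SSH key creation events that appear within a short window after a login in a constructed audit-log sample. The action names are assumed to match GitHub's audit log and the event schema is simplified; verify both against the current documentation before reusing the logic.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Audit-log actions the campaign uses to keep access after a password reset.
# Assumption: these names follow GitHub's audit-log naming; confirm against the docs.
PERSISTENCE_ACTIONS = {
    "personal_access_token.create",   # new PAT
    "oauth_authorization.create",     # OAuth app authorized
    "public_key.create",              # SSH key added
}
LOGIN_ACTION = "user.login"
WINDOW = timedelta(hours=1)          # persistence set up right after a fresh login is suspicious

# Constructed sample events (not real log data); simplified field names.
SAMPLE_EVENTS = [
    {"action": "user.login", "actor": "alice", "actor_ip": "203.0.113.7", "ts": "2022-09-21T10:00:00Z"},
    {"action": "personal_access_token.create", "actor": "alice", "actor_ip": "203.0.113.7", "ts": "2022-09-21T10:04:00Z"},
    {"action": "public_key.create", "actor": "alice", "actor_ip": "203.0.113.7", "ts": "2022-09-21T10:05:30Z"},
    {"action": "user.login", "actor": "bob", "actor_ip": "198.51.100.20", "ts": "2022-09-21T11:00:00Z"},
    {"action": "public_key.create", "actor": "bob", "actor_ip": "198.51.100.20", "ts": "2022-09-21T15:00:00Z"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ('...Z') into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_persistence_after_login(events, window=WINDOW):
    """Return {actor: [actions]} for persistence actions taken within `window` of that actor's latest login."""
    last_login = {}
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts, actor = parse_ts(ev["ts"]), ev["actor"]
        if ev["action"] == LOGIN_ACTION:
            last_login[actor] = ts
        elif ev["action"] in PERSISTENCE_ACTIONS:
            login_ts = last_login.get(actor)
            if login_ts is not None and ts - login_ts <= window:
                hits[actor].append(ev["action"])
    return dict(hits)


if __name__ == "__main__":
    for actor, actions in find_persistence_after_login(SAMPLE_EVENTS).items():
        print(f"review {actor}: {', '.join(actions)} shortly after login")
```

Alice's PAT and SSH key creation a few minutes after login are flagged for review, while Bob's key added four hours after login is not.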
Via: BleepingComputer