GitHub developers are the target of new phishing tool GoIssue’s bulk email campaigns


Cybersecurity researchers are drawing attention to GoIssue, a new, sophisticated tool that can be used to send phishing messages in bulk to GitHub users.

Initially promoted on the Runion forum earlier this August by a threat actor going by the handle cyberdluffy (also known as Cyber D’ Luffy), the program is described as a tool that enables criminal actors to retrieve email addresses from public GitHub profiles and send mass emails straight to user inboxes.

“Whether you’re aiming to reach a specific audience or expand your outreach, GoIssue offers the precision and power you need,” the threat actor claimed in their post. “GoIssue can send bulk emails to GitHub users, directly to their inboxes, targeting any recipient.”

According to SlashNext, the program represents a “dangerous shift in targeted phishing” that may serve as a conduit for supply chain intrusions, source code theft, and corporate network breaches using compromised developer credentials.

“Armed with this information, attackers can launch customized mass email campaigns designed to bypass spam filters and target specific developer communities,” the company said.

A custom build of GoIssue is on sale for $700. Alternatively, buyers can pay $3,000 for full access to its source code. As of October 11, 2024, the prices have been reduced to $150 for the custom build and $1,000 for the complete source code for “the first 5 customers.”

In a hypothetical attack scenario, a threat actor might use this technique to send victims to fake websites that seek to obtain their login information, download malicious software, or grant permission to a rogue OAuth application that requests access to their personal information.

A noteworthy aspect of cyberdluffy is their Telegram profile, where they identify themselves as a “member of Gitloker Team.” Gitloker was previously linked to an extortion campaign targeting GitHub that entailed posing as the security and hiring departments of GitHub in order to fool users into clicking on a booby-trapped link.

The links arrive in emails that GitHub sends automatically when developer accounts are mentioned in spam comments posted on arbitrary open issues or pull requests from accounts that have already been compromised. The bogus pages direct the recipients to log in to their GitHub accounts and authorize a new OAuth application in order to apply for new jobs.

If the careless developer gives the rogue OAuth app all the access it needs, the threat actors will remove everything from the repository and replace it with a ransom note requesting that the victim get in touch with a persona called Gitloker on Telegram.
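For defenders, the delivery path described above can be checked mechanically. The following is an added example, not code from the article or from SlashNext: it triages a GitHub mention notification and flags links that lead off GitHub. The sample message, the trusted-host list and the lure keywords are constructed assumptions; `X-GitHub-Reason` is the header GitHub sets on its notification emails.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumption: hosts accepted as genuine GitHub destinations; extend for your org.
TRUSTED = ("github.com", "githubusercontent.com", "github.blog")
# Assumption: lure themes named in the article (security and hiring impersonation).
LURES = ("security", "job", "hiring", "career")
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)

# Constructed sample notification; every name and URL in it is a placeholder.
SAMPLE = """\
From: "octo-user" <notifications@github.com>
To: dev@example.com
Subject: Re: [example-org/example-repo] Fix typo (Issue #12)
X-GitHub-Reason: mention

@dev GitHub Security Team here. Please review your account at
https://github-jobs.example.net/apply and sign in to continue.

Reply to this email directly or view it on GitHub:
https://github.com/example-org/example-repo/issues/12#issuecomment-1
"""

def is_trusted(host):
    # Exact match or true subdomain only, so "github.com.example.net" fails.
    return any(host == s or host.endswith("." + s) for s in TRUSTED)

def triage_notification(raw):
    """Return one finding per off-GitHub link in a GitHub notification email."""
    msg = message_from_string(raw)
    if "notifications@github.com" not in msg.get("From", "").lower():
        return []  # not GitHub-generated mail; handled by other controls
    body = msg.get_payload()
    if not isinstance(body, str):  # multipart: keep only the text/plain parts
        body = "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    reason = msg.get("X-GitHub-Reason", "").lower()
    lure_text = any(term in body.lower() for term in LURES)
    findings = []
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").rstrip(".")
        if host and not is_trusted(host):
            findings.append({"url": url, "host": host, "reason": reason,
                             "lookalike": "github" in host,
                             "lure_text": lure_text})
    return findings

if __name__ == "__main__":
    for finding in triage_notification(SAMPLE):
        print(finding)
```

A finding with `reason` set to `mention`, a lookalike host and lure text is a strong candidate for quarantine and for reporting the originating comment to GitHub.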

“GoIssue’s ability to send these targeted emails in bulk allows attackers to scale up their campaigns, impacting thousands of developers at once,” SlashNext said. “This increases the risk of successful breaches, data theft, and compromised projects.”

The development coincides with Perception Point’s description of a novel two-step phishing attack that uses SharePoint and Microsoft Visio (.vsdx) files to steal login credentials. To bypass authentication checks, the emails are sent from previously compromised email accounts and pose as business proposals.

“Clicking the provided URL in the email body or within the attached .eml file leads the victim to a Microsoft SharePoint page hosting a Visio (.vsdx) file,” the company said. “The SharePoint account used to upload and host the .vsdx files is often compromised as well.”

The Visio file contains an additional clickable link that, when clicked, takes the user to a phony Microsoft 365 login page where their credentials are eventually harvested.

“Two-step phishing attacks leveraging trusted platforms and file formats like SharePoint and Visio are becoming increasingly common,” Perception Point added. “These multi-layered evasion tactics exploit user trust in familiar tools while evading detection by standard email security platforms.”
