Over the last few days, Perception Point’s system has detected an increasing number of incidents that are attempting to steal GitHub user credentials. In this specific attack below, it appears that the attacker acquired a new domain that looks like GitHub: https[:]//glthubs.net.
We strongly advise security experts to blacklist this domain as it is currently still active.
The attack is well crafted in three phases (screenshots can be seen below):
- Phase 1:
The attack begins with an email that looks like the usual email GitHub sends out.
- Phase 2:
The link in the email leads to a phishing website that looks like the GitHub login page.
- Phase 3:
Once credentials are inserted; the attacker attempts to steal even more credentials as it leads to a 2-factor authentication page of GitHub.