The Microsoft-owned code hosting platform GitHub is being targeted by an ongoing phishing campaign, dubbed Sawfish, that is specifically designed to steal the credentials of GitHub users through a phishing site.

According to GitHub, the Sawfish campaign sends GitHub users a message claiming that “the repository or setting in a GitHub user’s account has changed or that unauthorized activity has been detected.”

“The message goes on to invite users to click on a malicious link to review the change. Specific details may vary since there are many different lure messages in use”, says GitHub.

Image: Typical example of a phishing email sent in Sawfish phishing campaign (GitHub)

As shown in the image above, a user who clicks the malicious link is redirected to a fake landing page that mimics the GitHub login page and captures the credentials entered there.

The fake landing page also collects the codes entered for TOTP-based two-factor authentication, so accounts protected by TOTP-based 2FA can be compromised as well.

Accounts protected by hardware security keys, however, are not vulnerable to this attack.

The Sawfish campaign sends its phishing emails from legitimate domains, using either compromised email servers or stolen API credentials for legitimate bulk email providers.

The campaign specifically targets companies in the tech sector.

“If the attacker successfully steals GitHub user account credentials, they may quickly create GitHub personal access tokens or authorize OAuth applications on the account in order to preserve access in the event that the user changes their password,” says GitHub’s security incident response team (SIRT).

To protect against the Sawfish attack, GitHub recommends that its users follow these instructions:

“In order to prevent phishing attacks (which collect two-factor codes) from succeeding, consider using hardware security keys or WebAuthn two-factor authentication. Also, consider using a browser-integrated password manager,” GitHub SIRT further suggests.
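The following added example (not code from GitHub or from the original article) illustrates why the campaign can defeat TOTP-based 2FA but not hardware keys or WebAuthn, as described above: a TOTP code carries no information about the site it was typed into, while a WebAuthn assertion signs the origin the browser is actually on. All secrets and the lookalike domain are constructed demo values, and an HMAC stands in for the authenticator's public-key signature.

```python
import hashlib
import hmac
import json
import struct

# Constructed demo values; none are real credentials or real domains.
TOTP_SECRET = b"demo-totp-seed"
AUTHENTICATOR_KEY = b"demo-authenticator-private-key"
REAL_ORIGIN = "https://github.com"
PHISH_ORIGIN = "https://github-login.example"  # constructed lookalike

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp_relay_accepted(t: int) -> bool:
    """Victim types a code into the phishing page; the attacker forwards it.
    The code says nothing about where it was typed, so the real site accepts it."""
    code_typed_on_phish_page = totp(TOTP_SECRET, t)
    return hmac.compare_digest(code_typed_on_phish_page, totp(TOTP_SECRET, t))

def webauthn_assert(origin_seen_by_browser: str, challenge: bytes):
    """Simplified WebAuthn: the browser reports the origin it is really on and the
    authenticator signs it with the challenge (HMAC stands in for a signature)."""
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": origin_seen_by_browser}, sort_keys=True
    ).encode()
    sig = hmac.new(AUTHENTICATOR_KEY, client_data, hashlib.sha256).digest()
    return client_data, sig

def webauthn_verify(expected_origin: str, challenge: bytes, client_data: bytes, sig: bytes) -> bool:
    """Relying party: reject unless the signed origin and challenge are the expected ones."""
    data = json.loads(client_data)
    if data.get("origin") != expected_origin or data.get("challenge") != challenge.hex():
        return False
    expected = hmac.new(AUTHENTICATOR_KEY, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def webauthn_relay_accepted(challenge: bytes) -> bool:
    """The real site's challenge is presented to the victim on the phishing origin and
    the assertion relayed; the signed origin exposes the relay, so it is rejected."""
    client_data, sig = webauthn_assert(PHISH_ORIGIN, challenge)
    return webauthn_verify(REAL_ORIGIN, challenge, client_data, sig)
```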

GitHub also provided a list of the domains used by the cybercriminals in this phishing campaign: