Cybercriminals are impersonating CircleCI in a phishing campaign aimed at GitHub users, according to both companies.
The criminals are currently sending phishing emails that pose as messages from CircleCI, the continuous integration and delivery platform.
The message is being sent to GitHub users and warns them that CircleCI's user terms and privacy guidelines have changed, and that they must sign into their GitHub accounts to accept the new terms.
The recipients may click on a link at the bottom of the emails to accept the changes. Those who do risk having their GitHub account credentials as well as their two-factor authentication (2FA) codes stolen, because the phishing site relays the login to GitHub in real time through a reverse proxy. According to BleepingComputer, users who authenticate with hardware security keys are not vulnerable, since the key binds the login to the genuine GitHub origin.
GitHub itself was not compromised, but the campaign has impacted many victim organizations, according to GitHub's warning.
Multiple attack domains
CircleCI has issued a statement on its forums, warning users of the ongoing attack, and reaffirming that the company will never ask users to enter any credentials to view ToS changes.
The company stressed that any emails from CircleCI should include links to circleci.com or its sub-domains.
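The check CircleCI describes (legitimate mail links only to circleci.com or one of its subdomains) is easy to get wrong if it is done with a substring match, because a hostname such as circleci.com.some-other-domain contains the string "circleci.com" while belonging to someone else. The following Python snippet is an added example, not code from the original article or from CircleCI or GitHub, that extracts the links from an email body and applies the domain rule properly: a host is trusted only if it equals a trusted domain or ends with "." followed by that domain. The sample email text and the look-alike domains under the reserved .example TLD are constructed for this example.

```python
import re
from urllib.parse import urlparse

# The only domain CircleCI says its legitimate mail links to (from the article).
TRUSTED_DOMAINS = ("circleci.com",)

# Loose matcher for http(s) URLs in plain-text mail bodies.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only if host is a trusted domain or a subdomain of one.

    A suffix check on "." + domain rejects look-alikes such as
    notcircleci.com and circleci.com.attacker-controlled.example.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_links(email_body, trusted=TRUSTED_DOMAINS):
    """Return (url, verdict) for every http(s) link found in the body."""
    results = []
    for url in URL_RE.findall(email_body):
        url = url.rstrip(".,;:")          # drop sentence punctuation glued to the URL
        # urlparse().hostname strips userinfo and port, so a decoy such as
        # https://circleci.com@evil.example/ resolves to the real host evil.example.
        host = urlparse(url).hostname
        if not host:
            verdict = "suspicious: unparsable host"
        elif is_trusted_host(host, trusted):
            verdict = "trusted"
        else:
            verdict = "suspicious: off-domain"
        results.append((url, verdict))
    return results


def suspicious_links(email_body, trusted=TRUSTED_DOMAINS):
    """Only the links a recipient (or a mail filter) should refuse to follow."""
    return [u for u, v in classify_links(email_body, trusted) if v != "trusted"]


# Constructed sample: one genuine-looking link plus two decoys that embed
# "circleci.com" in a hostname that actually belongs to another domain.
SAMPLE_EMAIL = """\
CircleCI's Terms of Service have changed. Review them at
https://circleci.com/legal/terms-of-service/ or sign in with GitHub here:
https://circleci.com.legal-updates.example/github/login
Questions? https://circleci.com@accounts-verify.example/sso
"""

if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_EMAIL):
        print(f"{verdict:28s} {url}")
```

Run as a script it prints one verdict per link; only the first link in the sample is trusted. The same rule can be dropped into a mail-gateway filter, with the trusted tuple extended to whatever domains a given sender has published.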
Multiple domains that distribute the phishing email have been confirmed so far:
The attackers are after GitHub developer accounts, and if they do get into one, the next thing they'll do is create personal access tokens (PATs), authorize OAuth applications, and even add SSH keys to the account, so that they retain access even after the owner changes the password.
GitHub has added that the attackers also collect data from private repositories. The company has since blocked a number of accounts that have been confirmed to be compromised, and all potentially affected users have had their account passwords reset.