September 19th, 2024

GitHub Notification Emails Hijacked to Send Malware

A security incident reveals that GitHub notification emails can be hijacked to distribute malware, specifically "LUMMASTEALER," which targets sensitive information. Recommendations include improving email clarity and security measures.


A recent security incident has revealed that GitHub notification emails can be hijacked to distribute malware. The attack begins when an attacker creates a fake issue on a public repository using a disposable GitHub account, then deletes it quickly. The repository owner receives a notification email that appears legitimate, often impersonating the GitHub Security Team. The email contains a link that, when clicked, leads to a malicious site disguised as a captcha challenge. This site instructs users to execute a PowerShell command that downloads and runs malware, specifically a variant known as "LUMMASTEALER." This malware is designed to search for sensitive information, such as cryptocurrency wallets and stored credentials, and send it to the attacker's servers. The incident highlights vulnerabilities in GitHub's notification system, which attackers exploit by controlling the email content and context. Recommendations for GitHub include enhancing email clarity and reducing the amount of content that attackers can manipulate. The author has reported the issue to GitHub security for further investigation.

- GitHub notification emails can be exploited to send malware.

- Attackers impersonate GitHub Security to trick users into clicking malicious links.

- The malware, identified as "LUMMASTEALER," targets sensitive data like cryptocurrency wallets.

- Recommendations for GitHub include improving email context and security measures.

- The incident underscores the need for vigilance among developers regarding email notifications.
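Because the notification in this incident was genuinely sent by GitHub, sender and header checks do not help; the only cue in the email itself is the link to a domain that merely resembles github.com. The following is an added example (not code from the original article or from GitHub) of a small triage script that extracts every URL from a notification body and flags links whose host is not github.com or one of its subdomains, singling out lookalike names that contain "github". The email body and the host github-scanner.com in it are constructed sample input; the "GitHub Security Team" phrase check is an added heuristic, not something GitHub documents.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample: the body of an issue-notification email of the kind
# described in the incident. The lookalike host is part of the sample input.
SAMPLE_EMAIL = """\
Subject: [example/repo] Security vulnerability detected (Issue #1)

GitHub Security Team: we found a vulnerability in your repository.
Please verify at https://github-scanner.com/verify?repo=example
Reply to this email directly, view it on GitHub:
https://github.com/example/repo/issues/1
"""

URL_RE = re.compile(r"https?://[^\s<>()]+")

# Hosts considered first-party. Subdomains such as api.github.com are
# accepted by the suffix check in classify_host.
GITHUB_HOSTS = {"github.com", "www.github.com"}

# Added heuristic: issue text claiming to come from GitHub staff.
IMPERSONATION_RE = re.compile(r"github (security|support) team", re.IGNORECASE)


def classify_host(host: str) -> str:
    """Classify a link host as github, lookalike (contains 'github' but is
    not github.com) or external."""
    host = host.lower().rstrip(".")
    if host in GITHUB_HOSTS or host.endswith(".github.com"):
        return "github"
    if "github" in host:
        return "lookalike"
    return "external"


def extract_links(body: str) -> List[str]:
    """Return every http(s) URL found in the message body, in order."""
    return URL_RE.findall(body)


def triage_email(body: str) -> Dict[str, object]:
    """Classify each link and return a verdict: 'ok' when every link points
    at GitHub and no impersonation phrase is present, else 'review'."""
    links: Dict[str, str] = {}
    for url in extract_links(body):
        host = urlparse(url).hostname or ""
        links[url] = classify_host(host)
    suspicious = [u for u, c in links.items() if c != "github"]
    impersonation = bool(IMPERSONATION_RE.search(body))
    verdict = "review" if suspicious or impersonation else "ok"
    return {
        "links": links,
        "suspicious": suspicious,
        "impersonation": impersonation,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage_email(SAMPLE_EMAIL)
    for url, cls in result["links"].items():
        print(f"{cls:10} {url}")
    print("verdict:", result["verdict"])
```

Run against the constructed body, the script marks the github.com issue link as first-party and the github-scanner.com link as a lookalike, returning a "review" verdict; a mail filter or notification bot could apply the same classification before the message reaches an inbox.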

AI: What people are saying
The comments reflect a range of opinions and concerns regarding the GitHub notification email security incident.
  • Many users express disbelief that anyone would fall for such obvious scams, highlighting the importance of skepticism towards email links.
  • Several commenters share personal experiences with phishing attempts, noting that even legitimate companies can be spoofed.
  • There is a consensus that GitHub and similar platforms need to improve their security measures to prevent such incidents.
  • Some users emphasize the responsibility of individuals to be cautious and not execute commands from untrusted sources.
  • Comments also discuss the broader implications of phishing attacks on developers and the need for better detection of malicious activity on platforms like GitHub.
36 comments
By @theamk - 5 months
Do people really fall for scams like that?

First, I assume the author knows the email came from github, as the screenshot does not show this very clearly. If that's the case:

Red flag #1: email links to a variation of a real domain. If you don't have information on who github-scanner.com is, it is pretty safe to assume it's a scam, just because it sounds like a real website.

GIANT Enormous Huge Red Flag #2: captcha asks you to type a command in a shell. I have no comment on how naive one must be to do this.

By @veltas - 5 months
I got a much more convincing email from PayPal recently, someone sent a quote (apparently a feature that can be used unsolicited), and set their company name to something like "PayPal needs to get in touch about your recent payment of $499.00, please call +1-....", so this is most of the text at the top because their quotes email is "<name> is sending you a quote for $xxx".

This email came from the real PayPal.com, how they haven't gotten on top of usernames like that is beyond me for a payment processor. I reported it to them but haven't heard anything back, hopefully they banned that account but they should ban all names like that.

This email honestly was formatted to look like a legit PayPal email, I have to imagine that scam will trick a lot of normal people.

Get in touch, see my bio website, if you want the email.

By @keyle - 5 months

      Press Win+R, CTRL+V <enter>
From captcha to gotcha.

I could see junior developers falling for this. Hey it's Github, it's legit right? We get security notifications every second month about some lib everyone uses etc.

      "Oh look, captcha by running code, how neat!"
I don't think webpages should be able to fill your copy/paste buffer from a click without a content preview. They made it require a user action, such as clicking, thinking that would solve the problem but it's still too weak. That's problem number 1.

People need to stop actioning any links from emails and/or believing that any content in an email has legitimacy. It doesn't. That's problem number 2.

Problem number 3, Windows still lets you root a machine with 1 line in powershell? What the @$$%&%&#$?

Github might need to stop people putting links in issues without being checked by automated services that can validate the content as remotely legitimate. They're sending this stuff to people's email, don't tell me they're not aware this could be used for phishing! That's cyber security 101, in 2015.

Finally, Github, in being unable to act on the above, may need to better strip what they email to people, and essentially behave more like banks "you have a new issue in this repository..." and that's that. You then go there, there is no message, ok great. That would have taken care of this issue...

It seems Github needs to graduate a bit here.

By @johnklos - 5 months
Can be summarized with: Don't click on links in email.

So is github-scanner.com (and github-scanner.shop) still the same malicious party? It seems to be. Funny that their DNS is hosted by Cloudflare (who, famously, don't host anything, because they think we're all dumb). Cloudflare, who take responsibility for nothing, has no way to report this kind of abuse to them.

The domain which hosts the malware, 2x.si, both uses Cloudflare for DNS and is hosted by Cloudflare. At least it's possible to report this to Cloudflare, even though they rate limit humans and have CAPTCHAs on their abuse reporting forms.

Sigh. Thanks to Cloudflare, it's trivial these days to host phishing and malware.

By @elashri - 5 months
> The attacker quickly deletes the issue

I realized I have never deleted an issue I started, but aren't people with admin access the only ones with the ability to delete the issues on a repo? [1]. So actually there is a trace for that issue in the repository. Same thing for Pull requests.

[1] https://docs.github.com/en/issues/tracking-your-work-with-is...

By @Thomashuet - 5 months
Their claim that nothing tells you the email corresponds to the new issue is wrong, the "(Issue #1)" in the title means exactly that. I have actually received the same email myself and immediately recognized it as a new issue created on the repo. This user is obviously not used to GitHub issues as is made clear by the fact that this is the first issue on this repo. I guess GitHub needs to do a better job teaching new users.
By @kyledrake - 5 months
I received one of these notifications this morning and promptly ignored it. I had to laugh because it was about this repo specifically: https://github.com/kyledrake/theftcoinjs
By @qwertox - 5 months
It's worth the read, he shows what they're trying to do.

Easy to be suspicious with the link alone, but it's fun to see someone digging into it.

By @jonathanlydall - 5 months
Just this morning I logged a bug on a GitHub repo and within a minute someone responded with something to the effect of:

Try this, I think it will fix your issue (install GCC if you need a compiler): (Bitly link redirecting to zip file on mediafire) Pass: (something)

GitHub processed my abuse report within an hour and removed all posts by that user.

By @xwall - 5 months
OMG! I was getting similar GitHub notification emails, saying a vulnerability was detected in your repo, but never figured it out as fake before this news. Anyway I never clicked because I'm a lazy programmer :), once it's written it's written. I do rewrite the code but don't find bugs and fix them in my code. :D
By @cebu_blue - 5 months
I don't understand what's special about this particular attack!>:( When I read the title I thought some automated GitHub emails were forged to sneakily point to a fake GitHub site or something. An obvious (for tech-savvy users) link pointing to an obvious malware (please copy and execute this code to solve the captcha.) If the people you are targeting fall for this why not send an old fashioned spam email with fake headers or via some hacked Wordpress installation? I guess using GitHub notifications is creative but in the end not much different than sending a facebook message with a fake link, and the user getting an email notification with the message? The analysis of the malware once downloaded was certainly interesting, though!:)
By @slig - 5 months
Seriously, how hard can it be for GH to detect that a randomly just-created account is creating issues, with the same text, containing a link inside?

I got dozens of such spam during a whole day.

By @rnts08 - 5 months
It's quite sad that in 2024 we still have people falling for the simplest tricks.

This is almost as easy as it was to call someone and ask them for the number of the modem on their desk and their logins back in the bad old days.

Considering the target platform I'm not overly surprised though.

By @halostatue - 5 months
I turned off most GitHub emails and mostly use the Notification Centre for discovering things I need to know about. It's not entirely proof against phishing this way, but it doesn't get to use email to appear more legitimate.
By @ezekiel68 - 5 months
An excellent slashvertisement for Virus Total. Wrapped in an important cautionary tale about how GitHub issues can be manipulated to try to spread malware.
By @mfi - 5 months
This has happened for a while. In February of this year, the same attack vector was used in an attack to trick developers into thinking that they'd got a job offer from GitHub: https://www.xorlab.com/en/blog/phishing-on-github
By @t_believ-er873 - 5 months
It's worth checking every link you get even if it's from a trusted source, like GitHub... and to be able to restore the data, it's worth having a backup
By @crvdgc - 5 months
Months ago I got crypto ads through a similar approach, some fake new account @-ing hundreds of users in an issue and then the issue is removed. The net effect is that the ads become unblockable in your email box (It's from GitHub!).

Maybe devs' target value in general has grown to a point where the openness of the system is more of a vulnerability than a service.

By @latexr - 5 months
> In text form (link altered for your safety)

Might want to change the image too, macOS recognises the link in that and makes it clickable. I’d say that’s more dangerous than modifying it in the text of the post, you could just as well include a non-clickable text link.

By @rwestergren - 5 months
On one hand, I can see the captcha is easy to fall for. On the other, nothing says "prove you aren't a machine" like "run this code that a machine could easily run."
By @fforflo - 5 months
While we're here: what happened to the GitHub explore newsletter? I really enjoyed this, but I've stopped receiving it for a few months now. And I don't think I unsubscribed.
By @dabbz - 5 months
I've also been seeing Typeform emails coming from spam sources. Somehow people are using Typeform's positive reputation score to send emails to arbitrary emails.
By @1f60c - 5 months
Nice writeup! It reminded me a bit of Julia Evans' blog in terms of content (learning by teaching).
By @AlienRobot - 5 months
>verification steps >winkey+R >Ctrl+V >enter

Of all things that seem legit, this seems the legitest.

By @wazdra - 5 months
Fun how Microsoft is on both ends of the "exploit"
By @meindnoch - 5 months
Not hijacked. Faked.
By @drexlspivey - 5 months
If your method of infecting your victim is having them paste and run a random command on their terminal, software developers are probably the worst group of people to be targeting.
By @bickett - 5 months
No org is safe, not even Github..
By @consumerx - 5 months
So many red flags, I don't know how someone could go beyond and click this link.
By @joshdavham - 5 months
These hackers need to work on the rest of their funnel lmao. Getting me to click the link would be easy, but running that script? Never in a million years!
By @dooer - 5 months
woah
By @avazhi - 5 months
If you're stupid enough to paste something off a random website (that you discovered through a random email link) into the command line (and then execute it), then you deserve what happens next. At some point the end user is to blame.

I also have no clue why any reasonable person would refer to that monstrosity as a CAPTCHA.

By @fijiaarone - 5 months
This is neither hijacking notifications nor sending malware. This is someone including a link in a message on a ticketing system open to the public, and then someone clicking on the link and downloading malware.