GitHub changes plans, while users are targets of phishing campaign

GitHub users should be extra alert when opening activity notification e-mails. But hey, at least they can have an unlimited number of collaborators working on private repos now.

Repository management service GitHub has taken to the company blog to inform users about ongoing phishing attacks, pointing out protective measures along the way. With people's attentiveness already put to the test (hey WFH-ers!), there currently seem to be a lot of phishing messages floating into GitHub users' inboxes.

While the exact messages vary, most claim repository or setting changes in a user’s account that need checking.

Once the embedded link is clicked, devs are taken to a page copying the look and feel of the GitHub login page, which relays any entered information to the attacker. Having time-based one-time password (TOTP) two-factor authentication enabled doesn't help here, since the code typed into the fake page is relayed just like the password.

However, accounts protected by hardware security keys seem to be safe at this stage, which is why adopting one, or at least WebAuthn two-factor authentication, is listed amongst the protective measures GitHub wants users to consider. They also include a close look at the address bar, since verifying that you're on the right site is among the most useful things to do in such a scenario.

Currently known phishing domains include glthb.com, sts-github.com, tsl-github.com, corp-github.com and glt-hub.com, but also some maybe more obvious ones such as slack-app.net, aws-update.net, and ensure-https.com. URL shortening services and redirects are often used to add another layer of trickery, helping attackers to harvest credentials and find their way into confidential repositories.
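As an added example (not code from the article or from GitHub), a small Python link-triage helper of the kind a mail filter or SOC playbook might use: it flags the domains named above as known phishing hosts and also catches unlisted lookalikes by comparing every hostname label against "github". The legitimate-suffix list and the `.example` test hosts are assumptions.

```python
import urllib.parse

# Phishing domains named in the GitHub advisory, as quoted in the article.
KNOWN_PHISHING_DOMAINS = {
    "glthb.com", "sts-github.com", "tsl-github.com", "corp-github.com",
    "glt-hub.com", "slack-app.net", "aws-update.net", "ensure-https.com",
}
# Assumption: a short allow-list of GitHub-owned suffixes, not an exhaustive one.
LEGIT_SUFFIXES = ("github.com", "githubusercontent.com", "github.io")


def edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_github(label):
    """True if a hostname label embeds 'github' or is within 2 edits of it,
    with or without hyphens (catches glt-hub, glthb, sts-github, gihtub)."""
    parts = label.split("-")
    candidates = parts + ["".join(parts)]
    return any("github" in c or edit_distance(c, "github") <= 2 for c in candidates)


def classify_link(url):
    """Return one of: invalid, legitimate, known-phishing, lookalike, unrelated."""
    host = (urllib.parse.urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    if host in LEGIT_SUFFIXES or any(host.endswith("." + s) for s in LEGIT_SUFFIXES):
        return "legitimate"
    labels = host.split(".")
    # Crude registrable domain (last two labels); assumption: no multi-part TLDs.
    if ".".join(labels[-2:]) in KNOWN_PHISHING_DOMAINS:
        return "known-phishing"
    # Check every non-TLD label, so github.com.evil.example is caught too.
    if any(looks_like_github(label) for label in labels[:-1]):
        return "lookalike"
    return "unrelated"
```

Because shorteners hide the final host, resolve the redirect chain first and feed the landing URL, not the shortened one, into `classify_link`.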

Those who believe they might have stepped into that trap already are called to immediately reset their passwords and two-factor recovery codes. A review of access tokens also can't hurt, since attackers tend to quickly create new tokens for themselves to guarantee prolonged access.

The email addresses targeted in the attacks seem to have been harvested from public commits, so taking a look at the associated email settings and making some adjustments would be another good idea.

While devs had to do their bit to learn about these activities, other news made it straight to their inbox. Users received a note saying they can now have unlimited collaborators in private repositories as part of the free plan. There’s now also a free option for teams which allows private development without a paid subscription. Along with that goes a drop in the price of the paid team plan which is now $4 per user/month instead of $9. 

Whether the pressure of competing offerings such as GitLab.com or the fear of COVID-19-caused subscription drops played into the change in plans wasn’t part of the message. In a blog post on the topic, GitHub CEO Nat Friedman mentioned better access as the main motivator, stating that “every developer on earth should have access to GitHub” and “Price shouldn’t be a barrier.” Exciting times indeed.