New Phishing Tool GoIssue Targets GitHub Developers in Bulk Email Campaigns


Cybersecurity researchers are calling attention to a new sophisticated tool called GoIssue that can be used to send phishing messages at scale targeting GitHub users.

The program, first marketed by a threat actor named cyberdluffy (aka Cyber D’ Luffy) on the Runion forum earlier this August, is advertised as a tool that allows criminal actors to extract email addresses from public GitHub profiles and send bulk emails directly to user inboxes.

“Whether you’re aiming to reach a specific audience or expand your outreach, GoIssue offers the precision and power you need,” the threat actor claimed in their post. “GoIssue can send bulk emails to GitHub users, directly to their inboxes, targeting any recipient.”

SlashNext said the tool marks a “dangerous shift in targeted phishing” that could act as a gateway to source code theft, supply chain attacks, and corporate network breaches via compromised developer credentials.

“Armed with this information, attackers can launch customized mass email campaigns designed to bypass spam filters and target specific developer communities,” the company said.

A custom build of GoIssue is available for $700. Alternatively, purchasers can gain complete access to its source code for $3,000. As of October 11, 2024, the prices have been slashed to $150 and $1,000 for the custom build and the full source code for “the first 5 customers.”

In a hypothetical attack scenario, a threat actor could use this method to redirect victims to bogus pages that aim to capture their login credentials, download malware, or authorize a rogue OAuth app that requests access to their private repositories and data.

Another facet of cyberdluffy that bears notice is their Telegram profile, where they claim to be a “member of Gitloker Team.” Gitloker was previously attributed to a GitHub-focused extortion campaign that involved tricking users into clicking on a booby-trapped link by impersonating GitHub’s security and recruitment teams.

The links are sent within email messages that GitHub triggers automatically after the developer accounts are tagged in spam comments on random open issues or pull requests using already compromised accounts. The fraudulent pages instruct the developers to sign in to their GitHub accounts and authorize a new OAuth application in order to apply for new jobs.

Should the inattentive developer grant all the requested permissions to the malicious OAuth app, the threat actors proceed to purge all the repository contents and replace them with a ransom note that urges the victim to contact a persona named Gitloker on Telegram.
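The mention-then-lure pattern described above can be screened for on the receiving side. The following is an added example, not code from the article, SlashNext or GitHub: it parses a notification email, extracts the repository named in the subject, and flags the message when the mention comes from a repository the recipient has no relation to and the comment body links off-platform. The notification layout, `TRUSTED_HOSTS`, `known_repos`, the `lure_indicators` function and both sample messages are constructed assumptions, not GitHub's documented mail format.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Hosts a genuine GitHub notification is expected to link to (assumption).
TRUSTED_HOSTS = {"github.com", "www.github.com"}
URL_RE = re.compile(r"""https?://[^\s<>"')]+""")
# Repository in the subject, e.g. "[owner/repo] Title (Issue #42)" (assumed layout).
SUBJECT_REPO_RE = re.compile(r"\[([\w.-]+/[\w.-]+)\]")


def parse_notification(raw):
    """Return (repo, body_text) for a raw RFC 822 message; repo is None if absent."""
    msg = email.message_from_string(raw, policy=policy.default)
    m = SUBJECT_REPO_RE.search(msg["Subject"] or "")
    body = msg.get_body(preferencelist=("plain",))
    return (m.group(1) if m else None), (body.get_content() if body else "")


def external_links(text):
    """URLs in the comment body whose host is not a trusted GitHub host."""
    links = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_HOSTS:
            links.append(url)
    return links


def lure_indicators(raw, known_repos, handle):
    """Reasons a notification matches the tag-spam lure pattern; empty if none.

    known_repos: repositories the recipient owns, watches or contributes to.
    handle: the recipient's GitHub login, without the '@'.
    """
    repo, text = parse_notification(raw)
    reasons = []
    if repo is None:
        reasons.append("no repository named in subject")
    elif repo not in known_repos:
        reasons.append(f"mention from unrelated repository {repo}")
    offsite = external_links(text)
    if f"@{handle}" in text and offsite:
        reasons.append("mention paired with off-platform link: " + ", ".join(offsite))
    return reasons


# Constructed sample messages (not real GitHub mail).
SAMPLE_LURE = """\
From: some-user <notifications@github.com>
To: devname <devname@example.com>
Subject: [randomorg/random-repo] Developer opening (Issue #42)
Content-Type: text/plain; charset=utf-8

@devname you have been shortlisted for a role. Sign in and apply here:
https://jobs.example.test/apply
"""

SAMPLE_BENIGN = """\
From: teammate <notifications@github.com>
To: devname <devname@example.com>
Subject: [acme/api] Fix flaky retry test (PR #7)
Content-Type: text/plain; charset=utf-8

@devname could you review https://github.com/acme/api/pull/7 when you have time?
"""

KNOWN_REPOS = {"devname/project", "acme/api"}

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, lure_indicators(raw, KNOWN_REPOS, "devname") or "no indicators")
```

The check is deliberately conservative: a mention from a repository the recipient already works in, or a mention with links only back to GitHub, produces no indicator, so the heuristic is suited to routing a message to a "review before clicking" folder rather than to blocking it outright.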

“GoIssue’s ability to send these targeted emails in bulk allows attackers to scale up their campaigns, impacting thousands of developers at once,” SlashNext said. “This increases the risk of successful breaches, data theft, and compromised projects.”

The development comes as Perception Point outlined a new two-step phishing attack that employs Microsoft Visio (.vsdx) files and SharePoint to siphon credentials. The email messages masquerade as a business proposal and are sent from previously breached email accounts to bypass authentication checks.

“Clicking the provided URL in the email body or within the attached .eml file leads the victim to a Microsoft SharePoint page hosting a Visio (.vsdx) file,” the company said. “The SharePoint account used to upload and host the .vsdx files is often compromised as well.”

Present within the Visio file is another clickable link that ultimately leads the victim to a fake Microsoft 365 login page with the ultimate goal of harvesting their credentials.

“Two-step phishing attacks leveraging trusted platforms and file formats like SharePoint and Visio are becoming increasingly common,” Perception Point added. “These multi-layered evasion tactics exploit user trust in familiar tools while evading detection by standard email security platforms.”
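Because a .vsdx file is an OPC package (a zip of XML parts, like .docx or .xlsx), the embedded link in the second step can be surfaced before anyone opens the file. The following is an added example, not code from the article or from Perception Point: it scans every XML part of the package for URLs and reports those whose host is outside an allowlist, filtering out the namespace URIs that every Office package contains. The `TRUSTED_HOSTS` set, the `build_sample_package` helper and its element names are constructed assumptions, not Visio's real schema.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
# Hosts a legitimate proposal from this sender could be expected to link to (assumption).
TRUSTED_HOSTS = {"sharepoint.com", "microsoft.com", "office.com"}
# XML namespace declarations look like URLs but are not links; skip these hosts.
NAMESPACE_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org"}


def _host_in(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def links_in_office_package(data):
    """Every http(s) URL in any XML or .rels part of an OPC zip such as .vsdx.

    Scanning the raw XML text avoids depending on the Visio hyperlink schema,
    at the cost of also matching namespace URIs, which are filtered out."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.lower().endswith((".xml", ".rels")):
                continue
            text = pkg.read(name).decode("utf-8", errors="replace")
            for url in URL_RE.findall(text):
                host = urlparse(url).hostname or ""
                if not _host_in(host, NAMESPACE_HOSTS):
                    found.add(url)
    return sorted(found)


def untrusted_links(data):
    """Links whose host is outside TRUSTED_HOSTS; non-empty means hold for review."""
    return [u for u in links_in_office_package(data)
            if not _host_in(urlparse(u).hostname or "", TRUSTED_HOSTS)]


def build_sample_package(url):
    """Constructed stand-in for a .vsdx: a minimal zip with one XML part.
    The element names are illustrative, not Visio's real schema."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("_rels/.rels",
                     '<Relationships xmlns="http://schemas.openxmlformats.org/'
                     'package/2006/relationships"/>')
        pkg.writestr("visio/pages/page1.xml",
                     '<PageContents><Shape><Text>View proposal</Text>'
                     f'<Hyperlink Address="{url}"/></Shape></PageContents>')
    return buf.getvalue()


if __name__ == "__main__":
    for target in ("https://login.example.test/m365", "https://contoso.sharepoint.com/doc"):
        print(target, "->", untrusted_links(build_sample_package(target)) or "nothing untrusted")
```

The same scan works for the .eml attachment mentioned in the quote once its attachments are unpacked, and for any other OPC format; the allowlist is where an organisation's own judgement goes, since a tenant-specific SharePoint host is exactly what this campaign abuses.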

The Hacker News