GoIssue: Sophisticated Phishing Tool Targets GitHub Developer Credentials
Cybersecurity experts are sounding alarms over a sophisticated phishing tool called GoIssue, designed to run large-scale email phishing campaigns against GitHub users. Advertised on the Runion forum this August by a threat actor using the handle cyberdluffy (aka Cyber D’ Luffy), GoIssue is promoted as a tool for extracting email addresses from public GitHub profiles and sending bulk messages to those users’ inboxes.
Precision Phishing at Scale
GoIssue is advertised as capable of precision-targeted phishing, allowing attackers to tailor email campaigns that evade spam filters while reaching developers with high-value GitHub accounts. Cyberdluffy states that the tool’s power lies in its ability to send customized emails directly to GitHub users’ inboxes, facilitating phishing attacks on a large scale.
“Whether you’re aiming to reach a specific audience or expand your outreach, GoIssue offers the precision and power you need,” cyberdluffy claimed in the tool’s announcement. For an initial launch, GoIssue was sold at $700 for a customized build and $3,000 for full source code access, but prices dropped to $150 and $1,000 on October 11, 2024, for the first five customers.
A New Risk to Developer Communities
Cybersecurity firm SlashNext warns that GoIssue signifies a “dangerous shift in targeted phishing” that can expose users to severe risks, from source code theft to supply chain attacks and corporate network breaches through compromised developer credentials. Equipped with the extracted email data, threat actors can launch mass phishing campaigns against developer communities, bypassing spam filters and targeting specific recipients.
SlashNext notes that a hypothetical attack scenario using GoIssue could lure victims to fake login pages to steal credentials or redirect them to a malicious OAuth application, potentially granting attackers access to private repositories and sensitive data.
Gitloker Team Connection and Extortion Campaigns
Cyberdluffy, whose Telegram profile identifies him as part of the Gitloker Team, may already have a history of GitHub-centric extortion. Previously, Gitloker was tied to an attack in which GitHub users received messages impersonating GitHub security or recruitment teams to trick them into clicking a malicious link. Upon granting permissions to a fraudulent OAuth application, affected users found their repositories purged, replaced by a ransom demand urging contact with Gitloker on Telegram.
Exploiting GitHub’s Notification System
GoIssue abuses GitHub’s automated notification system to scale phishing. Attackers use compromised GitHub accounts to tag victims in spam comments on random issues or pull requests. Because those tags trigger legitimate GitHub email notifications, the phishing message arrives with GitHub’s own sender and formatting, which lends credibility to the lure. The included links lead to counterfeit GitHub pages that instruct users to sign in and grant permissions to malicious OAuth apps; developers who grant those permissions hand attackers access to their repositories, which has led to repository erasure and extortion attempts.
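As an added illustration from the defender’s side (this is not code from the article, from SlashNext, or from the tool), the following Python script triages the HTML body of a GitHub-style notification email and flags any link that leaves GitHub’s domain, uses a lookalike host, or shows github.com as visible text while pointing elsewhere. The sample message and the hostnames in it are constructed for the example, and the TRUSTED_HOSTS set is an assumption to be extended with any enterprise GitHub hostname you operate.

```python
"""Triage a GitHub-style notification email for phishing indicators.

Constructed example (not from the article): the sample below imitates a
notification triggered by an @-mention in an issue comment, where the
comment itself carries a lure link to an off-platform fake login page.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: only these hosts (and their subdomains) are trusted link
# destinations in a genuine notification. Add your enterprise hostname.
TRUSTED_HOSTS = {"github.com"}

# Constructed sample notification body; every hostname here is invented.
SAMPLE_EMAIL_HTML = """
<p><strong>@alice-dev</strong> mentioned you in
<a href="https://github.com/example-org/example-repo/issues/42">example-org/example-repo#42</a>.</p>
<p>Hi @bob, your account has a pending security alert. Verify now at
<a href="https://github-security-review.example/oauth/authorize">https://github.com/settings/security</a></p>
<p><a href="https://github.com/notifications/unsubscribe-auth/ABC123">Unsubscribe</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
            self._text = []


def _is_trusted(host):
    """True when host is a trusted host or one of its subdomains."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def classify_link(href, text):
    """Return the list of reasons a link looks suspicious (empty if clean)."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    if not _is_trusted(host):
        reasons.append("off-platform link")
        # e.g. github-security-review.example or github.com.evil.example
        if "github" in host:
            reasons.append("lookalike host")
        # visible text advertises github.com but the href goes elsewhere
        if "github.com" in text.lower():
            reasons.append("visible text claims github.com")
    return reasons


def triage_notification(html):
    """Scan an email body and return one finding per suspicious link."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = classify_link(href, text)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_notification(SAMPLE_EMAIL_HTML):
        print(finding["href"], "->", ", ".join(finding["reasons"]))
```

The check deliberately anchors on hostnames rather than on keywords, because the body text of a mention notification is attacker-controlled: whatever the spam comment says is what GitHub faithfully relays. Matching subdomains with an explicit `"." + host` suffix keeps `github.com.evil.example` out of the trusted set.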
Sophisticated Two-Step Phishing Tactics
Perception Point recently highlighted another two-step phishing attack using Microsoft Visio (.vsdx) files and SharePoint to steal credentials. In these attacks, phishing emails appear as business proposals sent from compromised email accounts to evade security filters. Recipients who open the SharePoint page hosting a Visio file encounter another link leading to a fake Microsoft 365 login page, where attackers harvest credentials.
“These multi-layered evasion tactics exploit user trust in familiar tools like SharePoint and Visio while evading standard email security systems,” Perception Point added. Such attacks illustrate a growing trend of phishing that leverages legitimate platforms to bypass security, leaving users vulnerable.
Source: thehackernews.com