Earlier this week, on 21st September, GitHub published a blog post – Security alert: new phishing campaign targets GitHub users
The gist of it was,
On September 16, GitHub Security learned that threat actors were targeting GitHub users with a phishing campaign by impersonating CircleCI to harvest user credentials and two-factor codes. While GitHub itself was not affected, the campaign has impacted many victim organizations.
Security alert: new phishing campaign targets GitHub users
In the blog post, GitHub outlined a list of phishing domains that were used in the campaign:
- circle-ci[.]com
- emails-circleci[.]com
- circle-cl[.]com
- email-circleci[.]com
Earlier today, 24th September 2022, security researchers at Shreshta IT, using our threat intelligence platform SDINET, detected and identified another phishing domain – links-circleci[.]com, which is part of the phishing campaign targeting GitHub users.
Threat Indicator
- Domain Name – links-circleci[.]com
- Date created – 2022-09-12
- Registrar – NICENIC INTERNATIONAL GROUP CO., LIMITED
At the time of writing, all of the domains except circle-ci[.]com were either sinkholed or null routed.
- circle-ci[.]com is still resolving to 176.113.115.140
- 176.113.115.140 is an IP address under AS57678 (REDBYTES-AS, RU)
We have reached out to the GitHub Security team and shared the domain name links-circleci[.]com.
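A defensive check built on the naming pattern of the domains listed above, as an added example that is not code from GitHub or Shreshta and does not describe how SDINET works: it flags DNS queries whose labels imitate `circleci` once hyphens are removed, allowing one character of difference. It assumes the legitimate domain is circleci.com and a `timestamp client qname` log format; the sample log lines and client addresses are constructed.

```python
BRAND = "circleci"        # assumption: brand string to protect
LEGIT = "circleci.com"    # assumption: the legitimate CircleCI domain

def refang(name):
    """Normalize a possibly defanged domain: lower-case, undo [.], drop trailing dot."""
    return name.strip().lower().replace("[.]", ".").rstrip(".")

def edit_distance(a, b):
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(name):
    """True if any non-TLD label imitates the brand once hyphens are removed."""
    d = refang(name)
    if d == LEGIT or d.endswith("." + LEGIT):
        return False                      # the real service and its subdomains
    for label in d.split(".")[:-1]:       # skip the TLD
        s = label.replace("-", "")
        # Slide a brand-sized window so prefixes such as "links-" do not hide a match.
        windows = [s[i:i + len(BRAND)] for i in range(max(1, len(s) - len(BRAND) + 1))]
        if any(edit_distance(w, BRAND) <= 1 for w in windows):
            return True
    return False

def scan(log_lines):
    """Return (client, qname) pairs for lookalike queries in 'ts client qname' lines."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) == 3 and is_lookalike(parts[2]):
            hits.append((parts[1], refang(parts[2])))
    return hits

# Constructed sample log; phishing domains are kept defanged as on the page.
SAMPLE = [
    "2022-09-24T08:01:02Z 192.0.2.10 circleci.com",
    "2022-09-24T08:01:09Z 192.0.2.11 links-circleci[.]com",
    "2022-09-24T08:02:30Z 192.0.2.12 circle-cl[.]com",
    "2022-09-24T08:03:41Z 192.0.2.10 app.circleci.com",
    "2022-09-24T08:04:00Z 192.0.2.13 github.com",
]
if __name__ == "__main__":
    print(scan(SAMPLE))
```

A one-character tolerance will also flag unrelated names that happen to sit close to the brand, so hits are leads for review rather than verdicts.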