Phishing campaign targeting GitHub

Earlier this week, on 21st September, GitHub published a blog post – Security alert: new phishing campaign targets GitHub users

The gist of it was,

On September 16, GitHub Security learned that threat actors were targeting GitHub users with a phishing campaign by impersonating CircleCI to harvest user credentials and two-factor codes. While GitHub itself was not affected, the campaign has impacted many victim organizations.

Security alert: new phishing campaign targets GitHub users

In the blog post, GitHub outlined a list of phishing domains that were used in the campaign,

  • circle-ci[.]com
  • emails-circleci[.]com
  • circle-cl[.]com
  • email-circleci[.]com

Earlier today, 24th September 2022, security researchers at Shreshta IT, using our threat intelligence platform SDINET, detected and identified another phishing domain, links-circleci[.]com, which is part of the phishing campaign targeting GitHub users.

Threat Indicator

  • Domain Name – links-circleci[.]com
  • Date created – 2022-09-12
  • Registrar – NICENIC INTERNATIONAL GROUP CO., LIMITED

At the time of writing, all of the domains except circle-ci[.]com were either sinkholed or null-routed.

  • circle-ci[.]com is still resolving to 176.113.115.140
  • 176.113.115.140 is an IP address under AS57678 (REDBYTES-AS, RU)

We have reached out to the GitHub Security team and shared the domain name links-circleci[.]com.
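One way to hunt for this campaign in resolver logs, as an added example that is not part of the original post or of SDINET: it matches the indicators listed above and, going beyond the exact list, flags other names that reduce to the same "circleci" skeleton once hyphens and l/1-for-i swaps are removed. The log format, the `circleci.com` allow-list entry and the last-two-labels rule are assumptions, and the sample lines are constructed.

```python
import re

# Indicators exactly as listed on this page, kept defanged in source.
IOC_DOMAINS = ["circle-ci[.]com", "emails-circleci[.]com", "circle-cl[.]com",
               "email-circleci[.]com", "links-circleci[.]com"]
IOC_IP = "176.113.115.140"
LEGIT = "circleci.com"  # assumption: the genuine domain, never flagged by name

def refang(value):  # 'circle-ci[.]com' -> 'circle-ci.com'
    return value.replace("[.]", ".").lower().rstrip(".")

def skeleton(label):
    """Collapse the tricks seen in the listed names: hyphens and l/1-for-i swaps."""
    return re.sub(r"[l1]", "i", label.replace("-", ""))

def registrable(domain):
    # Assumption: last two labels = registrable domain (true for .com); use a PSL otherwise.
    return ".".join(refang(domain).split(".")[-2:])

KNOWN = {refang(d) for d in IOC_DOMAINS}
BRAND = skeleton("circleci")

def classify(qname, answer=""):
    """Return 'ioc', 'lookalike' or None for one DNS query/answer pair."""
    reg = registrable(qname)
    if reg in KNOWN or answer == IOC_IP:
        return "ioc"
    if reg != LEGIT and BRAND in skeleton(reg.split(".")[0]):
        return "lookalike"
    return None

def scan(lines):
    """Parse 'timestamp client qname answer' lines; return flagged (client, qname, verdict)."""
    hits = []
    for line in lines:
        _ts, client, qname, answer = line.split()
        verdict = classify(qname, answer)
        if verdict:
            hits.append((client, qname, verdict))
    return hits

# Constructed sample resolver log lines (not real traffic); listed names stay defanged.
SAMPLE = [
    "2022-09-24T08:01:02Z 10.0.0.5 app.circleci.com 192.0.2.10",
    "2022-09-24T08:03:11Z 10.0.0.7 www.circle-ci[.]com 176.113.115.140",
    "2022-09-24T08:04:40Z 10.0.0.9 login.links-circleci[.]com 0.0.0.0",
    "2022-09-24T08:05:12Z 10.0.0.9 auth.circleci-sso.example 198.51.100.4",
]
if __name__ == "__main__": print(scan(SAMPLE))
```

The skeleton rule is a triage heuristic: a "lookalike" verdict means the name deserves a look, not that it belongs to this campaign.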
