A New Phishing Threat with Impersonated Pages Targeted Zoom and GitHub Users 

On September 16, 2022, GitHub Security became aware of a phishing campaign that impersonated CircleCI to target GitHub users. The campaign aimed to harvest GitHub credentials and two-factor codes. Although GitHub itself was not compromised, many victim organizations were affected.

Two recent campaigns show how impersonated pages are used both to steal credentials and to deliver malware. In the first, reported in the GitHub Insider Newsletter, GitHub Security became aware on September 16, 2022, of a phishing campaign that impersonated CircleCI to target GitHub users; its goal was to harvest GitHub credentials and two-factor codes, and while GitHub itself was not affected, many victim organizations were. In the second, reported by the CYFIRMA research team, fake Zoom download pages were used to deliver malware.

How were the users targeted? 

According to GitHub's alert, the phishing messages told recipients that their CircleCI session had expired and that they needed to log in again using their GitHub credentials.

When users clicked the link, they landed on a phishing site that looked identical to the GitHub login page and stole any credentials they entered. For users with TOTP-based two-factor authentication (2FA), the site also prompted for the one-time code and relayed it to GitHub in real time, within the code's validity window, so the threat actor's session passed 2FA and accounts protected by TOTP could still be taken over. Accounts protected by hardware security keys were not vulnerable, because the key's response is bound to the genuine GitHub origin and cannot be replayed from a look-alike domain.
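To make the difference between the two outcomes concrete, the following is an added example and not code from GitHub or from the original post. It implements RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) and a deliberately simplified model of an origin-bound authenticator, in which an HMAC stands in for the WebAuthn signature so the block runs offline; the shared secret, key, challenge and the phishing origin `https://circleci-login.example` are all constructed for illustration. A TOTP code relayed within the server's tolerance window is accepted because nothing in the code says where the user typed it, whereas an assertion signed over the phishing page's origin is rejected by the real relying party.

```python
"""Real-time relay phishing against TOTP versus an origin-bound authenticator.

Added example, not from the original post or from GitHub. The TOTP code
follows RFC 6238; the 'WebAuthn-like' half is a simplified model of origin
binding (HMAC instead of an asymmetric signature). All secrets, keys,
challenges and origins below are constructed.
"""
import hashlib
import hmac
import json
import struct
import time

TOTP_STEP = 30
TOTP_DIGITS = 6
REAL_ORIGIN = "https://github.com"
PHISHING_ORIGIN = "https://circleci-login.example"  # constructed look-alike domain


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_verify_totp(secret: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check accepting the current step plus/minus skew_steps.
    The code carries no information about where it was typed, so a relayed
    code is indistinguishable from one entered on the real site."""
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(totp(secret, unix_time + delta * TOTP_STEP), code):
            return True
    return False


def totp_relay_attack(secret: bytes, victim_time: int, relay_delay_s: int = 5) -> bool:
    """Victim enters the code on the phishing site at victim_time; the proxy
    forwards it to the real site relay_delay_s later. True means accepted."""
    victim_code = totp(secret, victim_time)  # what the victim's authenticator app shows
    return server_verify_totp(secret, victim_code, victim_time + relay_delay_s)


# --- simplified origin-bound authenticator ---
# Real WebAuthn signs authenticatorData || SHA-256(clientDataJSON) with a
# private key; an HMAC over the client data stands in for that here.

def authenticator_assert(key: bytes, challenge: str, origin: str) -> dict:
    """The browser supplies the page's actual origin; the authenticator signs over it.
    A phishing page cannot make the browser report a different origin."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": sig}


def rp_verify_assertion(key: bytes, assertion: dict, expected_challenge: str,
                        expected_origin: str) -> bool:
    """Relying party checks type, challenge freshness, origin and signature."""
    data = json.loads(assertion["clientData"])
    if data.get("type") != "webauthn.get":
        return False
    if data.get("challenge") != expected_challenge:
        return False
    if data.get("origin") != expected_origin:  # the origin-binding check
        return False
    expected_sig = hmac.new(key, assertion["clientData"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def webauthn_relay_attack(key: bytes, challenge: str) -> bool:
    """Proxy forwards the real site's challenge to the victim on the phishing
    origin and relays the resulting assertion back. True means accepted."""
    assertion = authenticator_assert(key, challenge, PHISHING_ORIGIN)
    return rp_verify_assertion(key, assertion, challenge, REAL_ORIGIN)


if __name__ == "__main__":
    seed = b"constructed-shared-totp-seed"
    now = int(time.time())
    print("TOTP relayed within 5 s accepted:", totp_relay_attack(seed, now))
    print("Origin-bound assertion from phishing page accepted:",
          webauthn_relay_attack(b"constructed-authenticator-key", "constructed-challenge-1"))
```

The TOTP server check deliberately tolerates one step of clock skew, as most real deployments do, which is exactly the window a live proxy needs; tightening the skew does not close the gap, because a relay that takes a few seconds still lands in the current step. The origin check in `rp_verify_assertion` is what closes it.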

GitHub’s Response

After completing its analysis, GitHub reset the passwords of affected users and removed any credentials the threat actor had added to their accounts. It notified the affected users and organizations, suspended the accounts controlled by the threat actor and continued to monitor for further malicious activity.

GitHub continues to watch for phishing domains and to respond as soon as they are discovered, and it published practical steps users can take themselves: reset your password and two-factor recovery codes, review your personal access tokens for any you do not recognize, and take additional steps to secure your account.

Zoom Impersonated Page by FIN11 Threat Actor

In a separate case reported by the CYFIRMA research team, impersonated web pages related to the Zoom application were discovered. Since Covid-19 reshaped the global business world, Zoom has been one of the most widely downloaded applications, which makes its download page an attractive lure.

FIN11 is known for large-scale campaigns built on impersonated web applications. According to CYFIRMA's report, the actor has been using fake Zoom download pages to install Vidar, an information stealer that harvests browser credentials, cookies and cryptocurrency wallet data. The researchers also observed that the IP address used in the campaign had previously been linked to AsyncRAT.

FIN11 set out to exploit Zoom's global reach to compromise as many systems as possible. The group has also been linked to CLOP ransomware, data-theft extortion and post-compromise ransomware deployment.

How the FIN11 Threat Works

FIN11 delivers a malicious Zoom installer through phishing links that masquerade as Zoom's legitimate website and application. When an unsuspecting victim runs the malicious “Zoom.exe”, it drops “Decoder.exe”, which downloads further payloads, including the information stealer and a RAT. It also downloads and runs the legitimate Zoom setup, so the victim sees a normal installation and has no reason to suspect anything. The additional payload injects into MSBuild.exe, a signed Microsoft binary, which then downloads the DLLs belonging to the Vidar stealer.
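The chain leaves two process-tree patterns that defenders can hunt for: an executable named Zoom.exe running from a user-writable location and spawning another executable from a user-writable location, and MSBuild.exe started by something other than a developer tool and then making an outbound connection. The following is an added example, not code from CYFIRMA or from the original post; it runs over constructed Sysmon-style process-creation and network events embedded in the block, and the allowlist of developer parents, the user-writable path prefix and the file names used in the sample telemetry are assumptions to be tuned for a real estate.

```python
"""Hunting the fake-Zoom chain in process telemetry.

Added example, not from the original post or from CYFIRMA. The events below
are constructed Sysmon-style records (process creation = event 1, network
connection = event 3), not real logs. Paths, parents and the allowlist are
assumptions to tune.
"""
import ntpath
from dataclasses import dataclass


@dataclass
class Event:
    kind: str           # "process" (creation) or "network" (outbound connection)
    pid: int
    image: str          # full path of the process image
    parent_image: str   # full path of the parent image (process events only)
    dest: str = ""      # remote host, network events only


# Assumption: these are the only legitimate launchers of MSBuild.exe in this estate.
DEV_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}
# Assumption: anything under a user profile is treated as user-writable.
USER_WRITABLE_PREFIXES = ("c:\\users\\",)

# Constructed sample telemetry: one malicious chain (pids 4001-4004) and one
# benign developer build (pid 5001) that must not alert.
SAMPLE_EVENTS = [
    Event("process", 4001, r"C:\Users\alice\Downloads\Zoom.exe",
          r"C:\Windows\explorer.exe"),
    Event("process", 4002, r"C:\Users\alice\AppData\Local\Temp\Decoder.exe",
          r"C:\Users\alice\Downloads\Zoom.exe"),
    Event("process", 4003, r"C:\Users\alice\AppData\Local\Temp\ZoomInstallerFull.exe",
          r"C:\Users\alice\AppData\Local\Temp\Decoder.exe"),
    Event("process", 4004, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          r"C:\Users\alice\AppData\Local\Temp\Decoder.exe"),
    Event("network", 4004, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          "", dest="203.0.113.10"),
    Event("process", 5001, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"),
    Event("network", 5001, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          "", dest="api.nuget.org"),
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def detect(events):
    """Return a list of alert dicts for the two behaviours described in the text.

    Events must be in chronological order: the network rule only fires for a
    pid that an earlier process event already marked as suspicious. Pid reuse
    between the two events is ignored here; correlate on process GUID in
    production telemetry.
    """
    alerts = []
    suspicious_msbuild_pids = set()
    for ev in events:
        if ev.kind == "process":
            img, parent = basename(ev.image), basename(ev.parent_image)
            # Rule 1: Zoom.exe outside an install directory spawning another
            # executable from a user-writable path (the Decoder.exe stage).
            if parent == "zoom.exe" and is_user_writable(ev.parent_image) \
                    and is_user_writable(ev.image):
                alerts.append({"rule": "zoom_dropper_chain", "pid": ev.pid, "image": ev.image})
            # Rule 2: MSBuild.exe launched by something that is not a developer tool.
            if img == "msbuild.exe" and parent not in DEV_PARENTS:
                alerts.append({"rule": "msbuild_unusual_parent", "pid": ev.pid,
                               "parent": ev.parent_image})
                suspicious_msbuild_pids.add(ev.pid)
        elif ev.kind == "network" and ev.pid in suspicious_msbuild_pids:
            # Escalation: the suspicious MSBuild.exe reaches out (payload download).
            alerts.append({"rule": "msbuild_unusual_parent_network", "pid": ev.pid,
                           "dest": ev.dest})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 1 keys on the parent rather than on Decoder.exe by name, since the dropper's file name is trivial for the actor to change; rule 2 is a generic MSBuild.exe LOLBin check that the network escalation makes specific to this chain. Neither rule fires for the benign build spawned by devenv.exe.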

The recent detection of these impersonated domains shows once again that user security awareness is critical to defending networks, and that users need to take care when downloading applications. Download applications such as Zoom only from the vendor's official website, and check the publisher's digital signature on an installer before running it.

Use our Phishing Simulator to protect your organization against social engineering attacks. 

Phishing tests train employees to recognize phishing attacks and their variants and to report them appropriately. They also expose weak links and measure the effectiveness of security training programs. The Phishing Simulation module is fully integrated with our Awareness Educator, which automatically enrols employees caught by a simulation in the appropriate e-learning courses to improve their vigilance against genuine phishing attacks.

Phishing Simulation targets the social engineering problems that organizations across many industries face today, and it provides a detailed report of how well your people are protected by the Keepnet Labs security awareness modules.
