New GitLoker-Linked GoIssue Tool Targets GitHub Users for Phishing


SlashNext researchers have discovered a new, sophisticated phishing tool, GoIssue, targeting GitHub developers. Learn about its capabilities, the impact of successful attacks, and how to protect yourself from this growing threat.

Cybersecurity researchers at SlashNext have identified a new threat called GoIssue. This advanced tool, possibly linked to the GitLoker extortion campaign, enables attackers to carry out large-scale phishing attacks aimed at GitHub users.

According to SlashNext’s investigation, shared with Hackread.com ahead of publishing on Tuesday, GoIssue can also harvest email addresses from public GitHub profiles.

“At its core, the tool systematically harvests email addresses from public GitHub profiles, using automated processes and GitHub tokens to collect data based on various criteria – from organization memberships to stargazer lists,” the blog post read.

GoIssue is priced at $700 for a custom build or $3,000 for full source code access. The attackers can use it to execute complex, targeted campaigns against the GitHub developer community. They can harvest email addresses from public profiles and use them in mass phishing campaigns using fake notifications.

GoIssue ad – Screenshot: SlashNext

This means the impact of GoIssue-powered attacks could be broad. These campaigns could lead to a phishing page, malware download, or a rogue OAuth app authorization prompt, granting access to private repositories and data.

Not only can individual developers be compromised, but entire organizations can be at risk. Successful attacks could lead to source code theft, supply chain attacks, and corporate network breaches.

According to SlashNext’s report, Cyberluffy, a member of the GitLoker Team, has been linked to the GoIssue tool, which is believed to be an extension of the GitLoker campaign. The connection between GoIssue and the GitLoker campaign is a cause for serious concern. Both tools share a common target and employ similar tactics, suggesting a potential collaboration or evolution of the same threat actor. 

The GitLoker campaign refers to a recent series of cyberattacks targeting GitHub users, primarily focused on extortion. The attackers, known as “Gitloker” on Telegram, used various techniques, including phishing attacks, to compromise user accounts and sensitive data.

GitHub users should adopt best online security practices, such as strong password hygiene, enabling Two-Factor Authentication (2FA), being cautious of phishing emails, and regularly reviewing OAuth app permissions and revoking unnecessary ones.

These measures help protect against potential compromises and ensure the safety of all users, including GitHub. By understanding the capabilities of GoIssue and the tactics employed by attackers, developers can take the necessary steps to protect themselves and their organizations from possible damage.

Jason Soroko, Senior Fellow at Sectigo, weighed in on the situation, calling out GoIssue as a major threat to not only GitHub but other developer platforms as well.

“The emergence of GoIssue signals a new era where developer platforms become high-stakes battlegrounds, and security defences must evolve rapidly to counteract this pervasive threat,” explained Jason.

“By automating email address harvesting and executing large-scale, customized phishing campaigns, this tool enables attackers to exploit trusted developer environments,” he warned. As usual, the attacker’s goal is credential theft using OAuth-based repository hijacks. The bad guys know what they are doing. This is a high-impact attack mechanism that specifically preys on the trust and openness of the developer community.




