GitHub users are being targeted by a Sawfish phishing campaign designed to steal their GitHub login credentials and time-based one-time password (TOTP) codes.
The attack, referred to as Sawfish by GitHub SIRT, comes through a GitHub message that claims the target’s account has experienced unauthorized activity of some type, GitHub SIRT wrote in a blog post. The message includes a handy link where the alterations can be viewed and the situation rectified.
The link, in fact, turns out to be a redirect to a phishing website that mimics the GitHub login page. Here the victim’s credentials are harvested. For those using TOTP two-factor authentication, the malicious site captures the codes and sends them to the attacker in real time, allowing the GitHub account to be accessed instantly.