Starting on 12.02.2024, I and a lot of other GitHub users have received a fake job opportunity email that appears to come from github.com.
The content of the email looks like this:
At first glance, the email appears to be official and to come directly from a GitHub email address: [email protected]
Someone who doesn’t know this is a scam, or who just isn’t skeptical in general, wouldn’t notice any of the errors or red flags in this email.
So I strongly suggest that you take a look at the email again, knowing it is a scam, then check below to see if you caught all the red flags.
Keep in mind that in retrospect the red flags may seem obvious and you might call anyone who didn’t immediately notice them an idiot. I personally didn’t catch on at first, but I was extremely sussed out in the first place. The content was extremely well crafted.
With that out of the way, here are all the red flags that I noticed (below the image are explanations):
- The title of the email is a reply on a random ass PR
- “Hello, ” | GitHub would know my name
- “selected to proceed in the selection process for the Developer position” | very poor wording for a professional email
- “Please click here” | Heavens no
- “complete these forms as soon as possible” | sense of urgency
- “Important: You have 24 hours to complete the application” | again, sense of urgency
- “Github Recruitment Team” | My username is tagged there? Along with other random users… Hmmm…
- Link to view the PR comment on GitHub: why on earth would they send a job offer in a rando-PR comment?
- Also: WTF GOOGLE???? (This is why people hate gmail)
The owner of the PR and repo that the comment was posted on thankfully deleted that comment, but you can imagine that its content was the same as in the email:
By now you should have already guessed how the scam operated:
The bad actors are abusing automatic email notifications: by tagging you in a random comment, they get GitHub to automatically send you an email containing the content of that comment.
If the bad actors design the comment to look as if it’s part of the email, they can make it seem as if you received an email from an official GitHub address.
They even try to hide the fact that they’re tagging you along with others by listing you and everyone else under: “Github Recruitment Team”
The rest is just phishing.
But instead of simply prompting you for typical login details like a username and password, which could be either useless (for the type of user who uses proper 2FA and has a unique password) or catastrophic (for others), they phish access to the user’s account by abusing OAuth, granting the malicious actors almost full control of the user’s account, which is enough to impersonate the user.
After the user gets phished and the baddies get their dirty access, that user’s account becomes another one of the commenters tagging other users, in what is basically a self-propagating scam.
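One way a defender could triage such notifications automatically, as an added example that is not from the original post: parse the headers GitHub attaches to notification mail (X-GitHub-Reason and X-GitHub-Sender, assumed here from how GitHub notifications are normally formed) and flag @-mention notifications whose body links off github.com or uses the urgency phrases called out above. The sample email is constructed.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: a GitHub-style notification triggered by an @-mention.
# Header names follow GitHub notification mail (assumed); the values are made up.
SAMPLE_EMAIL = """\
From: GitHub <notifications@github.com>
To: someone@example.invalid
Subject: Re: [example-org/example-repo] Fix typo (PR #1)
X-GitHub-Reason: mention
X-GitHub-Sender: throwaway-account-123
List-ID: example-org/example-repo <example-repo.example-org.github.com>
Content-Type: text/plain; charset=utf-8

Hello,
You have been selected to proceed in the selection process for the Developer position.
Please click here: https://careers-githubb.example.invalid/apply
Important: You have 24 hours to complete the application.
GitHub Recruitment Team
--
Reply to this email directly or view it on GitHub:
https://github.com/example-org/example-repo/pull/1#issuecomment-1
"""

URGENCY = ("as soon as possible", "24 hours", "click here")
TRUSTED_HOSTS = ("github.com", "www.github.com")

def triage_notification(raw: str) -> dict:
    """Return the red flags found in one GitHub notification email."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    # Every link in the body; anything not on github.com is suspect,
    # since a real notification only links back to the repo.
    links = re.findall(r"https?://[^\s<>\"')]+", body)
    external = [u for u in links if urlparse(u).hostname not in TRUSTED_HOSTS]
    lowered = body.lower()
    return {
        "reason": msg.get("X-GitHub-Reason", ""),
        "sender_login": msg.get("X-GitHub-Sender", ""),
        "external_links": external,
        "urgency_phrases": [p for p in URGENCY if p in lowered],
        # An @-mention that pushes you to an off-GitHub link is the scam's signature.
        "suspicious": msg.get("X-GitHub-Reason") == "mention" and bool(external),
    }

if __name__ == "__main__":
    for key, value in triage_notification(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The sender login from X-GitHub-Sender is what you would report or block, not the From address, which is GitHub's own.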
Someone opened a GitHub discussion in order to track instances of the campaign: https://github.com/orgs/community/discussions/109171
Since then an official GitHub community manager replied:
Always be a little wary when receiving unsolicited emails or any kind of other message.
Keep in mind that most “hacking” these days is just social engineering.
Reporting cybercrime:
If you, someone you know, or your company have been personally targeted by cybercriminals, check out the following useful links:
- For Europeans: European Cybercrime Centre (EC3) | Cybercrime branch of Europol
- For the USA: Internet Crime Complaint Center (IC3) | Cybercrime branch of the FBI
Sources/Further reading:
- Fraud Alert: Fake GitHub Job Opportunity Email | GitHub Community Discussions
- Social engineering | Wikipedia article