A recent phishing campaign is using GitHub links to bypass security and spread Remcos RAT, targeting the insurance and finance industries. The attacks trick victims into downloading malware by embedding links in legitimate-looking repositories, such as ones posing as tax filing software.
By leveraging trusted repositories, the attackers make their phishing attempts more convincing and harder to detect.
Central to this attack is the use of GitHub infrastructure to host malicious files. In some cases, threat actors have posted malicious payloads as GitHub issues, which are deleted afterward, leaving the file link active but with no visible trace.
This technique, highlighted by researchers earlier this year, has evolved into a method to trick users into downloading malware loaders that maintain persistence and allow further infections.
In this campaign, attackers also use GitHub comments to upload and then delete malware files, while the malicious link remains active. These GitHub links are effective at bypassing email security because the domain is widely trusted, allowing threat actors to distribute malware without using more conspicuous techniques like redirects or QR codes.
Meanwhile, other phishing strategies have emerged, including the use of ASCII- and Unicode-based QR codes and blob URLs, making malicious content harder to detect.
Blob URLs allow attackers to hand the browser a payload as binary data held in its own memory, so the download is assembled client-side without a request to an external server. This adds another layer of complexity for phishing detection systems that rely on inspecting outbound connections.
Additionally, researchers have uncovered a wave of scams targeting users on accommodation booking platforms like Airbnb. Threat actors exploit compromised hotel accounts to contact customers, claiming issues with their bookings and prompting them to click fraudulent links to provide sensitive financial details.
These attacks are highly convincing, as they come from legitimate sources and match the context of users’ bookings, making them harder to spot.
The phishing operations, including the notorious Telekopye toolkit, have become more sophisticated, incorporating chatbots, automated phishing pages, and stronger defenses against takedown efforts.
Despite recent law enforcement crackdowns, these groups continue to recruit people in difficult situations and foreign students, enticing them with promises of easy money to carry out cybercriminal activities.
Preventing these types of phishing attacks requires a multi-layered approach. Organizations should reinforce email security filters, scrutinize URLs from trusted domains like GitHub, and educate employees about the evolving tactics used by attackers. Companies should also employ URL and file-scanning tools and monitor for unusual activity in trusted repositories.
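One way to act on the advice to scrutinize GitHub links, as an added example that is not part of the original article: a small filter that extracts URLs from an email body and flags those pointing at GitHub issue/comment uploads (the kind of link that stays live after the issue or comment is deleted) rather than at visible repository content. The sample email and the attachment path patterns are assumptions constructed for this example, not values taken from the article.

```python
import re
from urllib.parse import urlparse

# Constructed sample email body for this example (not a real message).
SAMPLE_EMAIL = """Subject: Action required - your 2024 tax filing package
Please review the updated software before the deadline:
Docs: https://github.com/example-org/tax-tool/blob/main/README.md
Installer: https://github.com/example-org/tax-tool/files/12345678/TaxFiling_2024.zip.
Statement: https://github.com/user-attachments/files/98765432/invoice.pdf
Support: https://support.example.invalid/contact
"""

URL_RE = re.compile(r"https?://[^\s<>'\"\)\]]+")

# Path shapes under github.com that serve user-uploaded issue/comment attachments
# instead of repository source. Assumed patterns for this example; adjust to what
# your own mail logs show.
ATTACHMENT_PATH_RE = re.compile(r"^/(?:user-attachments/files/|[^/]+/[^/]+/files/)\d+/")
RISKY_EXT = (".zip", ".rar", ".7z", ".exe", ".js", ".vbs", ".iso", ".img",
             ".lnk", ".scr", ".msi", ".bat")


def classify_github_url(url):
    """Return a reason string if the URL is a GitHub-hosted upload worth scrutiny, else None."""
    parts = urlparse(url)
    if parts.netloc.lower() not in ("github.com", "www.github.com"):
        return None  # only GitHub-hosted links are in scope for this check
    path = parts.path
    if ATTACHMENT_PATH_RE.match(path):
        name = path.rsplit("/", 1)[-1].lower()
        if name.endswith(RISKY_EXT):
            return "issue/comment attachment with executable or archive payload"
        return "issue/comment attachment (not tied to visible repository content)"
    if "/releases/download/" in path:
        return "release asset download"
    return None


def scan_email(text):
    """Extract every URL from an email body; return (url, reason) pairs for flagged links."""
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;")  # drop sentence punctuation glued to the link
        reason = classify_github_url(url)
        if reason:
            findings.append((url, reason))
    return findings


if __name__ == "__main__":
    for url, reason in scan_email(SAMPLE_EMAIL):
        print(f"FLAG {url}\n     reason: {reason}")
```

Links to ordinary repository paths (README, source files) pass through untouched; only upload-style paths, which a deleted issue or comment can leave dangling, are surfaced for review.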