New Phishing Tool Targets Developers with Precision Emails

Cybersecurity researchers have highlighted a new phishing tool, GoIssue, that is designed to conduct bulk phishing campaigns targeting GitHub users. Developed by a threat actor known as cyberdluffy (also referred to as Cyber D’ Luffy), this tool was first promoted on the Runion forum earlier in August.

GoIssue enables attackers to scrape email addresses from public GitHub profiles and launch targeted email campaigns aimed directly at developers’ inboxes.

In the threat actor’s own words, GoIssue is intended to “reach a specific audience or expand outreach,” allowing criminals to conduct customized phishing campaigns aimed at GitHub users.

This ability to mass-target users presents a significant threat, as it opens avenues for potential source code theft, supply chain compromises, and even corporate network breaches if developer credentials are compromised.

A report described GoIssue as a “major shift in targeted phishing”; its potential to bypass standard spam filters makes it a gateway for more sophisticated attacks.

GoIssue is sold in two versions: a custom build priced at $700, or the complete source code for $3,000. However, as of October 11, 2024, early buyers can purchase the tool for reduced rates of $150 and $1,000 for the respective versions.

In a typical attack scenario, cybercriminals using GoIssue may redirect developers to fake login pages where the attackers can collect credentials, distribute malware, or trick victims into authorizing a rogue OAuth app.

This OAuth access could grant attackers control over private repositories and sensitive data, making it easier to breach additional systems or deploy ransom tactics.

Another aspect of cyberdluffy’s operations includes their presence on Telegram, where they are affiliated with a group called Gitloker Team. Gitloker was previously known for GitHub-targeted extortion campaigns that used fake emails posing as GitHub’s security or recruitment teams to lure users into dangerous interactions.

These emails often request that users click on suspicious links to log into their GitHub accounts or authorize an OAuth app under the guise of applying for job opportunities.

If unsuspecting developers grant access, attackers can wipe out repository contents and replace them with ransom notes directing victims to contact a persona named Gitloker on Telegram for further instructions.

GoIssue’s capacity to scale such attacks allows threat actors to reach thousands of developers simultaneously, significantly amplifying risks associated with data theft, source code compromise, and project breaches.

This rise in GitHub phishing attacks coincides with reports of a new two-step phishing technique identified by researchers, which employs Microsoft Visio (.vsdx) files hosted on SharePoint.

Disguised as business proposals, these phishing emails leverage previously breached email accounts to evade detection and appear trustworthy. The emails lead victims to SharePoint-hosted Visio files that contain links to fake Microsoft 365 login pages, aiming to collect Microsoft credentials.

Such multi-step phishing strategies that utilize trusted platforms and familiar file formats are growing in prevalence, taking advantage of users’ trust while evading basic email security filters.

Developers can safeguard their accounts by enabling two-factor authentication (2FA) on GitHub and by treating OAuth access with caution, in particular by not granting permissions to unknown apps.

Additionally, verifying links before clicking and avoiding interaction with unsolicited job-related messages can help prevent unauthorized access.
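The link and OAuth checks described above can be automated when triaging a reported email. The following is an added example, not code from the article or from any vendor: the trusted-host list, the approved client ID set, and the sample message are assumptions constructed for illustration, while the authorize path and scope names are GitHub's own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts treated as genuine GitHub; extend for your organization.
TRUSTED_HOSTS = {"github.com", "gist.github.com", "docs.github.com"}
# GitHub OAuth scopes that permit overwriting or deleting repositories.
HIGH_RISK_SCOPES = {"repo", "delete_repo", "workflow", "admin:org"}
URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)
AUTHORIZE_PATH = "/login/oauth/authorize"

def classify_link(url, approved_client_ids=frozenset()):
    """Return a list of findings for one URL; an empty list means nothing flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if "@" in parts.netloc:
        findings.append("userinfo prefix hides the real host")
    if host not in TRUSTED_HOSTS:
        # Brand name or punycode in an untrusted host suggests impersonation.
        if "github" in host or "xn--" in host:
            findings.append(f"lookalike host: {host}")
        return findings
    if parts.path.rstrip("/") == AUTHORIZE_PATH:
        query = parse_qs(parts.query)
        client_id = query.get("client_id", [""])[0]
        scopes = set(re.split(r"[ ,]+", query.get("scope", [""])[0])) - {""}
        if client_id not in approved_client_ids:
            findings.append(f"OAuth grant to unapproved app: {client_id or 'missing'}")
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if risky:
            findings.append("high-risk scopes: " + ", ".join(risky))
    return findings

def scan_message(body, approved_client_ids=frozenset()):
    """Map each flagged URL in an email body to its findings."""
    report = {}
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")
        findings = classify_link(url, approved_client_ids)
        if findings:
            report[url] = findings
    return report

# Constructed sample message (not taken from a real campaign).
SAMPLE = """GitHub Security: confirm at https://github.com.account-verify.example/login
then approve our careers tool:
https://github.com/login/oauth/authorize?client_id=CONSTRUCTED123&scope=repo%20delete_repo
Docs: https://docs.github.com/en/authentication
"""

if __name__ == "__main__":
    for url, findings in scan_message(SAMPLE).items():
        print(url, "->", "; ".join(findings))
```

A link to the genuine `github.com` authorize page is still flagged when the app is not on the approved list, which matters because a rogue OAuth app is authorized on GitHub's real domain.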