Attack Overview

Step 1: Phishing Alert via GitHub Issues

Attackers post fake security alerts to GitHub Issues, which automatically trigger email notifications to developers. The alerts claim there's been a suspicious login attempt and prompt the recipient to review account activity.

[Attack Library Image 1, Apr 18]
  • Message appears to originate from GitHub itself.
  • Uses urgency and branding consistent with legitimate GitHub alerts.
  • Contains a login review link that leads to an OAuth authorization screen.

Step 2: OAuth Abuse via Rogue App

Instead of directing the user to GitHub’s security settings, the link leads to an OAuth authorization page for a malicious app. If the user authorizes it, the attacker gains persistent access to the victim’s GitHub account and code repositories.

[Attack Library Image 2, Apr 18]
  • OAuth avoids the need to steal credentials.
  • Grants full access via API tokens.
  • Attackers can modify, delete, and push to repos.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • Sent using GitHub’s own infrastructure (via Issues).
  • Messages originate from a domain that passes sender authentication checks.
  • Avoids traditional MFA barriers and credential-based detection since OAuth grants direct API access.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Anomalous OAuth requests tied to phishing-like flows.
  • Deviations in sender and message behavior from GitHub norms.
  • NLP analysis of message content that identifies urgency and impersonation patterns.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
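As an added illustration of the two sections above (this is not code from the Abnormal write-up), the following Python triages GitHub-style notification e-mails the way a defender would: it records that SPF and DKIM pass, so authentication alone can never clear a message relayed through GitHub's own infrastructure, and then inspects content for the indicators the page lists, namely a link that lands on an OAuth authorization endpoint for an app outside an approved allowlist, a link that leaves github.com, and urgency phrasing. The two sample messages, the client_id placeholders, the allowlist and the phrase list are all constructed for this example.

```python
"""Heuristic triage of GitHub-style notification e-mails (added example, constructed data)."""
import re
from email import message_from_string
from urllib.parse import parse_qs, urlparse

# Constructed sample: a GitHub Issues notification whose "review" link is an OAuth authorize URL.
PHISHING_NOTIFICATION = """\
From: notifications@github.com
To: dev@example.test
Subject: [example/repo] Security alert: suspicious login detected (#412)
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=github.com; dkim=pass header.d=github.com

We detected a suspicious login attempt on your account.
Review your account activity immediately:
https://github.com/login/oauth/authorize?client_id=CLIENT_ID_PLACEHOLDER_ROGUE&scope=repo,user&redirect_uri=https://review.invalid/cb
"""

# Constructed sample: an ordinary issue notification with a link to the issue itself.
LEGIT_NOTIFICATION = """\
From: notifications@github.com
To: dev@example.test
Subject: [example/repo] Flaky test in CI (#413)
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=github.com; dkim=pass header.d=github.com

The integration test times out on macOS runners.
https://github.com/example/repo/issues/413
"""

# Hypothetical allowlist of OAuth client_ids the organisation has reviewed and approved.
APPROVED_OAUTH_CLIENT_IDS = {"CLIENT_ID_PLACEHOLDER_APPROVED"}

# Constructed phrase list standing in for the NLP urgency/impersonation signals.
URGENCY_PHRASES = ("suspicious login", "unusual activity", "immediately",
                   "verify your account", "review your account")

LINK_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_authenticated(msg) -> bool:
    """True when SPF and DKIM both pass. A pass proves the mail transited GitHub,
    not that its content is benign, so it is recorded but never used to clear a message."""
    results = msg.get("Authentication-Results", "")
    return "spf=pass" in results and "dkim=pass" in results


def classify_link(url: str) -> str:
    """Label a link as github content, an OAuth authorize request, or an off-platform link."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host != "github.com" and not host.endswith(".github.com"):
        return "external"
    if parsed.path == "/login/oauth/authorize":
        client_id = parse_qs(parsed.query).get("client_id", [""])[0]
        return "oauth_approved_app" if client_id in APPROVED_OAUTH_CLIENT_IDS else "oauth_unknown_app"
    return "github_content"


def triage(raw: str) -> dict:
    """Return authentication status, content indicators and a verdict for one raw message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    link_classes = [classify_link(u) for u in LINK_RE.findall(body)]

    indicators = []
    if "oauth_unknown_app" in link_classes:
        indicators.append("oauth_authorize_link_to_unapproved_app")
    if "external" in link_classes:
        indicators.append("link_leaves_github")
    urgency_hits = [p for p in URGENCY_PHRASES if p in text]
    if urgency_hits:
        indicators.append("urgency_language")

    # An OAuth consent link to an unapproved app is enough on its own; an off-platform
    # link only counts when paired with urgency wording, to limit false positives.
    suspicious = ("oauth_authorize_link_to_unapproved_app" in indicators
                  or ("link_leaves_github" in indicators and urgency_hits))
    return {
        "authenticated": sender_authenticated(msg),
        "indicators": indicators,
        "verdict": "suspicious" if suspicious else "benign",
    }


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_NOTIFICATION), ("legit", LEGIT_NOTIFICATION)):
        print(name, triage(sample))
```

Both samples authenticate identically, which is exactly why the verdict is driven by the link destination and wording rather than by the sender checks; in a real deployment the allowlist would come from the organisation's reviewed OAuth apps and the phrase list would be replaced by the NLP model the page alludes to.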

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Type: Credential Phishing

Vector: Link-based

Goal: Credential Theft

Tactic: Legitimate Hosting Infrastructure

Theme: Suspicious Account Activity; Security Update

Impersonated Brands: GitHub
