Cybersecurity experts are sounding the alarm over a new, advanced phishing tool named GoIssue, which enables threat actors to target GitHub users with large-scale email phishing campaigns.
The tool was first introduced by a hacker known as cyberdluffy (also called Cyber D’ Luffy) on the Runion forum in early August. It is marketed as a resource for cybercriminals to harvest email addresses from public GitHub profiles and dispatch bulk emails directly to users’ inboxes.
“Whether you need to reach a specific audience or expand your outreach, GoIssue provides the precision and power required,” the threat actor boasted in their post. “GoIssue can dispatch mass emails to GitHub users, targeting any recipient.”
According to SlashNext, GoIssue represents a “dangerous shift” in phishing tactics, potentially facilitating attacks such as source code theft, supply chain compromises, and corporate network breaches through stolen developer credentials.
“With access to this data, attackers can initiate highly-targeted mass email campaigns designed to bypass spam filters and focus on specific developer groups,” the company explained.
The tool is available in two pricing tiers: a custom version for $700, and full access to the source code for $3,000. However, as of October 11, 2024, prices have been significantly reduced to $150 and $1,000 for the custom version and full source code, respectively, for the first five buyers.
In a typical attack, cybercriminals could use GoIssue to trick victims into visiting fake web pages designed to steal their login credentials, deploy malware, or authorize rogue OAuth applications to gain access to their private repositories and sensitive data.
A noteworthy detail about cyberdluffy is their claimed affiliation with the Gitloker Team, a group previously linked to a GitHub-focused extortion campaign. This campaign targeted users by impersonating GitHub’s security and recruitment teams, luring them into clicking malicious links.
The phishing emails are automatically triggered when GitHub developers are tagged in spam comments on random open issues or pull requests by already compromised accounts. The fraudulent links direct victims to fake sign-in pages, urging them to authorize a new OAuth application in exchange for job opportunities.
If a developer unknowingly grants the malicious OAuth app the required permissions, the attackers seize control of the victim’s repositories, replacing the contents with a ransom note that instructs them to contact Gitloker on Telegram.
“GoIssue’s ability to deliver bulk emails makes it a powerful tool for scaling phishing campaigns, potentially affecting thousands of developers at once,” SlashNext noted. “This increases the likelihood of successful breaches, data theft, and project compromises.”
This new tool comes on the heels of another alarming phishing tactic outlined by Perception Point. The two-step attack uses Microsoft Visio (.vsdx) files and SharePoint to siphon login credentials. These emails, masquerading as business proposals, are sent from compromised email accounts to bypass security checks.
“When a victim clicks the provided URL or opens the .eml file, they are directed to a Microsoft SharePoint page that hosts a Visio (.vsdx) file,” Perception Point explained. “The SharePoint account used to upload and host the files is often compromised as well.”
Hidden within the Visio file is a clickable link leading to a fraudulent Microsoft 365 login page designed to capture the victim’s credentials.
“Two-step phishing attacks, utilizing trusted platforms and file formats like SharePoint and Visio, are on the rise,” Perception Point added. “These multi-layered tactics exploit user trust in familiar tools while circumventing detection by standard email security systems.”
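For mail and file triage, the link embedded in a Visio file as described above can be surfaced without opening the document, because a .vsdx file is a ZIP package of XML parts. The following is an added example, not code from Perception Point or the original article; it scans every XML part rather than only hyperlink cells, and the function names, the benign-host list and the sample package are constructed assumptions.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit

# Hosts of XML namespace URIs, which are not clickable links (assumed list).
BENIGN_HOSTS = {"schemas.microsoft.com", "schemas.openxmlformats.org",
                "purl.org", "www.w3.org"}
URL_RE = re.compile(rb"https?://[^\s\"'<>]+", re.IGNORECASE)


def extract_external_urls(vsdx_bytes):
    """Return sorted (part_name, url) pairs for URLs outside BENIGN_HOSTS."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(vsdx_bytes)) as pkg:
        for info in pkg.infolist():
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue
            # Cap per-part reads so a decompression bomb cannot exhaust memory.
            with pkg.open(info) as part:
                data = part.read(5_000_000)
            for raw in URL_RE.findall(data):
                url = raw.decode("utf-8", "replace").replace("&amp;", "&")
                try:
                    host = (urlsplit(url).hostname or "").lower()
                except ValueError:  # malformed authority: report it anyway
                    host = ""
                if host not in BENIGN_HOSTS:
                    findings.add((info.filename, url))
    return sorted(findings)


def build_sample_vsdx():
    """Constructed, simplified package: one page with one hyperlink cell."""
    page = (
        '<PageContents xmlns="http://schemas.microsoft.com/office/visio/2012/main">'
        '<Shapes><Shape ID="1"><Section N="Hyperlink"><Row N="Row_1">'
        '<Cell N="Address" V="https://login.example.invalid/o365?id=1&amp;r=2"/>'
        '</Row></Section></Shape></Shapes></PageContents>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("visio/pages/page1.xml", page)
        z.writestr("docProps/thumbnail.emf", b"https://ignored.invalid/")
    return buf.getvalue()


if __name__ == "__main__":
    print(extract_external_urls(build_sample_vsdx()))
```

Any URL it reports is a candidate for reputation lookup or sandbox detonation before the file reaches a user.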