GoIssue – The Tool Behind Recent GitHub Phishing Attacks

Summary:
SlashNext researchers recently uncovered a new phishing tool called GoIssue, which allows threat actors to extract email addresses from GitHub profiles and send bulk emails to users. Advertised on cybercriminal forums, GoIssue is priced at $700 for a custom build or $3,000 for full source code access. The tool facilitates email address harvesting from public GitHub profiles using automated processes and GitHub tokens, further enabling operators to specify sources for data extraction, such as followers, stargazers, organizations, and more. Additionally, GoIssue supports proxies for anonymity and provides customizable email templates to craft and send personalized phishing messages to target inboxes.

Security Officer Comments:
A tool like GoIssue, which not only extracts email addresses from GitHub but also offers customizable email templates, enables threat actors to launch large-scale phishing campaigns using deceptive GitHub notification emails. As demonstrated in previous attacks, these emails could contain links to fraudulent login pages designed to steal user credentials, or even trigger a rogue OAuth authorization prompt that would grant the attacker access to private repositories. These emails could also contain malicious attachments embedded with malware, allowing the actor to gain control over the victim’s system and steal other data of interest.

Suggested Corrections:
To mitigate the risks of phishing campaigns using tools like GoIssue, users should enable two-factor authentication (2FA) on their GitHub accounts, use email filtering tools to block suspicious messages, and avoid clicking on links in unsolicited emails. Regularly auditing OAuth app permissions, reviewing security settings, and educating users on how to spot phishing attempts are also crucial. Additionally, enforcing strong password policies and limiting the exposure of sensitive information on GitHub profiles can further reduce the likelihood of successful attacks. These steps collectively enhance security and protect against credential theft and unauthorized access.
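As an illustration of the email-filtering step above, the following added example (not from SlashNext or the original report) triages a message that presents itself as a GitHub notification by checking the sender domain, the DKIM result and where its links actually lead. The trusted-domain list, the expected @github.com sender and the sample messages are assumptions; the link check runs even when the message authenticates, since a notification body can carry user-written text.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: link targets accepted in GitHub mail; tune for your organization.
# Matched as an exact domain or a subdomain, never as a substring.
TRUSTED = ("github.com", "githubusercontent.com")
URL_RE = re.compile(r"https?://[^\s\"'<>()\[\]]+", re.I)
DKIM_RE = re.compile(r"dkim=pass\b[^;]*\bheader\.d=github\.com(?![\w.-])", re.I)

def in_trusted(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def triage(raw):
    """Return reasons a GitHub-branded message deserves a closer look."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = str(msg.get("From", ""))
    if "github" not in (sender + str(msg.get("Subject", ""))).lower():
        return []  # not GitHub-branded
    reasons = []
    # Assumption: genuine notifications are sent from an @github.com address.
    domain = parseaddr(sender)[1].rpartition("@")[2].lower()
    if domain != "github.com":
        reasons.append(f"sender domain {domain!r} is not github.com")
    # Trust only the Authentication-Results header added by your own mail server.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    if not DKIM_RE.search(auth):
        reasons.append("no DKIM pass for github.com")
    body = msg.get_body(preferencelist=("plain", "html"))
    for url in URL_RE.findall(body.get_content() if body else ""):
        host = urlparse(url).hostname
        if not in_trusted(host):
            reasons.append(f"link leaves GitHub: {host}")
    return reasons

# Constructed sample messages (not real mail); all names are placeholders.
PHISH = """\
From: GitHub <notifications@github-alerts.example>
Subject: [GitHub] Security alert: action required
Authentication-Results: mx.example.org; dkim=pass header.d=github-alerts.example

Review now: https://github.com.login.example/authorize
"""
LEGIT = PHISH.replace("github-alerts.example", "github.com").replace(
    "github.com.login.example/authorize", "github.com/org/repo/issues/12")
if __name__ == "__main__":
    print(triage(PHISH), triage(LEGIT))
```

A non-empty result is a signal for review or quarantine rather than proof of phishing, because genuine notifications can also quote links that users posted.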

Link(s):
https://slashnext.com/blog/goissue-github-phishing-attacks/