New Malware Campaign Targets Finance and Insurance Sectors Using GitHub Links In India, there are currently 13.2 million developers using GitHub, also ranks second globally, after the US, in the number of GenAI projects hosted on GitHub
You're reading BIZ Experiences India, an international franchise of BIZ Experiences Media.
A new cyberattack campaign targeting the finance and insurance industries is leveraging GitHub links to bypass security measures and deliver malware, according to recent findings by cybersecurity firm Cofense. The campaign uses phishing emails that contain links to trusted GitHub repositories, tricking recipients into downloading a dangerous Remote Access Trojan (RAT) called Remcos.
This technique stands out because the attackers are using legitimate open-source repositories like UsTaxes, HMRC, and InlandRevenue, rather than the usual suspicious or low-star GitHub repositories. Jacob Malimban, a researcher at Cofense, noted that this is a shift from the traditional methods, where threat actors create their own malicious GitHub repositories.
The attack abuses GitHub's infrastructure by uploading malicious files as comments in well-known repositories. Once uploaded, the comment is deleted, but the link to the malware file remains active. This method, first discovered by OALABS Research earlier this year, leaves little trace, making it difficult for security teams to detect the threat.
"Emails containing links to GitHub are effective at bypassing email security systems because GitHub is a trusted domain," said Malimban. Attackers use these links to deliver the malware archive directly through email, avoiding other methods like QR codes or Google redirects.
This is not the only new tactic observed in recent phishing attacks. Barracuda Networks has reported other innovative methods used by cybercriminals, such as ASCII- and Unicode-based QR codes and blob URLs. These tactics make it more challenging for security systems to block malicious content.
A blob URL, as explained by security researcher Ashitosh Deshnur, is a type of link used by web browsers to handle binary data like files or images directly in the browser, bypassing the need for external servers. This tactic gives attackers another way to deliver harmful content undetected.
Additionally, cybersecurity firm ESET has uncovered new scams targeting popular accommodation booking platforms like Booking.com and Airbnb. Scammers are using compromised accounts of legitimate hotels to contact customers, asking them to resolve fake payment issues by clicking on malicious links. The rise in such attacks was noted in July 2024, with attackers focusing on customers who had recently booked or made payments.
The group behind these booking scams, known as Telekopye, has also improved its toolkit by automating the creation of phishing pages and using chatbots to communicate with victims. Despite the sophistication of these scams, law enforcement agencies in Czechia and Ukraine arrested several members of the group in late 2023. Authorities revealed that the criminals recruited individuals in difficult life situations, offering them "easy money" for assisting in these schemes.
As these attacks become more creative and harder to detect, businesses in the finance, insurance, and hospitality sectors need to remain vigilant and adopt stronger cybersecurity measures to protect their systems and customers.
In India, there are currently 13.2 million developers using GitHub, compared to approximately 20 million in the US. India also ranks second globally, after the US, in the number of generative artificial intelligence (genAI) projects hosted on GitHub.
