Fraud Alert: Fake GitHub Job Opportunity and Security Email

[seh-GAH-toh]

Select Topic Area

General

Body

This is the second instance where I've encountered either a fake security alert or a job offer via email, both directing me to https://githubcareer.online/. These emails prompt users to authenticate on GitHub, and if no action is taken after a brief interval, the page automatically redirects to an OAuth2 authentication page with those query parameters:

client_id=a2f2a26ab9e1b6ca6489
return_to=/login/oauth/authorize?
client_id=a2f2a26ab9e1b6ca6489
redirect_uri=https://githubcareer.online/auth/callback
scope=repo+user+read:org+read:discussion+gist+write:discussion+delete_repo

This time, the link was disseminated by https://github.com/Tannerrea, via a comment on an open issue in https://github.com/py7hon/API-MobileLegend/issues/3#issuecomment-1972574140.

It appears that it is specifically targeting Brazilian developers, in which the only place where I might have linked my GitHub account is Alura, a Brazilian platform for tech courses. However, I'm not entirely certain about this.

githubcareer.online Initial page

Redirect code:

  function Github() {
    window.location.href = '/auth/github';
  }

  window.onload = function(){
    // Set the initial timer duration in milliseconds
    const timerDuration = 10000; // 10 seconds

    // Function to redirect after a certain duration
    function Redirect() {
      window.location.href = '/auth/github';
    }

    // Initialize a variable to hold the timer
    let timer;

    // Function to reset the timer
    function resetTimer() {
      // Clear the existing timer
      clearTimeout(timer);

      // Set a new timer
      timer = setTimeout(Redirect, timerDuration);
    }

    // Add event listeners to reset the timer on user activity
    document.addEventListener('mousemove', resetTimer);
    document.addEventListener('keypress', resetTimer);
    document.addEventListener('click', resetTimer); // Add click event listener

    // Check if the user agent indicates a bot or an emulator
    const userAgent = navigator.userAgent.toLowerCase();
    const isBot = /bot|googlebot|crawler|spider|robot|crawling/i.test(userAgent);
    const isEmulator = /emulator|android|iphone|ipad|tablet/i.test(userAgent);

    // If the user agent indicates a bot or emulator, redirect immediately
    if (isBot || isEmulator) {
      Redirect();
    }

    // Start the initial timer
    resetTimer();
  }

function isDevToolsOpened() {
  const isOpened = new Promise((resolve) => {
    const threshold = 160;
    let widthThreshold = window.outerWidth - window.innerWidth > threshold;
    let heightThreshold = window.outerHeight - window.innerHeight > threshold;

    const check = () => {
      if (widthThreshold || heightThreshold) {
        resolve(true);
      } else {
        resolve(false);
      }
    };

    setInterval(check, 1000);
    check();
  });

  return isOpened;
}

isDevToolsOpened().then((result) => {
  if (result) {
    return "DevTools Open" 
  } else {
    return "DevTools Close"
  }
});

githubcareer.online Raw whois data

Domain Name: GITHUBCAREER.ONLINE
Registry Domain ID: D436447344-CNIC
Registrar WHOIS Server: whois.hostinger.com
Registrar URL: https://www.hostinger.com/
Updated Date: 2024-02-28T04:53:22.0Z
Creation Date: 2024-02-28T04:53:17.0Z
Registry Expiry Date: 2025-02-28T23:59:59.0Z
Registrar: HOSTINGER operations, UAB
Registrar IANA ID: 1636
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registrant Organization: Privacy Protect, LLC (PrivacyProtect.org)
Registrant State/Province: MA
Registrant Country: US
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: NS2.DNS-PARKING.COM
Name Server: NS1.DNS-PARKING.COM
DNSSEC: unsigned
Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registrar Abuse Contact Email: email@hostinger.com
Registrar Abuse Contact Phone: +370.68424669
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2024-03-01T06:15:12.0Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

>>> IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit
https://www.centralnic.com/support/rdap <<<

The Whois and RDAP services are provided by CentralNic, and contain
information pertaining to Internet domain names registered by our
our customers. By using this service you are agreeing (1) not to use any
information presented here for any purpose other than determining
ownership of domain names, (2) not to store or reproduce this data in
any way, (3) not to use any high-volume, automated, electronic processes
to obtain data from this service. Abuse of this service is monitored and
actions in contravention of these terms will result in being permanently
blacklisted. All data is (c) CentralNic Ltd (https://www.centralnic.com)

Access to the Whois and RDAP services is rate limited. For more
information, visit https://registrar-console.centralnic.com/pub/whois_guidance.

Repo comment

[Akash1134]

We understand the inconvenience caused by these unsolicited phishing notifications and our team is actively working to mitigate them. We want to remind our users to continue to use our abuse reporting tools to raise any abusive or suspicious activity.

We would like to bring to our users’ attention to the following:

• Please do not click any links or reply to these notifications. Please report them.
• Authorizing an OAuth app can expose your GitHub account and data to a third party.
• GitHub recommends you periodically review your authorized OAuth apps.
• This spam activity targets and abuses GitHub’s mention and notification functionality.
• This is a phishing campaign and is not the result of a compromise of GitHub or its systems.