
Researchers have identified that a massive 144,294 phishing-related packages were uploaded by unknown threat actors to widely used open-source package repositories, including NPM, PyPI, and NuGet.

This large-scale attack, which promotes fake apps, prize-winning surveys, gift cards, giveaways, and more, was made possible by automation. The phishing packages were uploaded in bulk within a couple of days from accounts that followed a common naming scheme, carried near-identical descriptions, and pointed to the same cluster of 90 domains, which hosted over 65,000 phishing pages.

A Massive Example of the Growing Phishing Problem

This malicious campaign against the open-source software ecosystem is a high-profile example of the growing threat that phishing, which is commonly cited as being involved in over 90% of today's cyberattacks, poses to all users and organizations.

NuGet had the largest share of malicious package uploads at 136,258, PyPI had 7,894, and NPM only 212. The package descriptions contained URLs to the phishing sites, urging users to click through for details about alleged gift card codes, applications, and hacking tools. Planting the links in package metadata on high-reputation repositories was an effort by the attackers to boost the search-engine ranking of their phishing sites.

Almost all of these sites ask visitors to enter their email address, username, and account password, so victims unknowingly hand attackers credentials that can be monetized for financial gain. Submitting the form then triggers a series of redirects through survey sites, finally landing on legitimate e-commerce websites via affiliate links that generate revenue for the attackers. If victims went on to make purchases on those sites while the referral codes were active, the threat actors collected referral rewards. Redirecting users from the phishing sites to legitimate sites thus served both as a distraction from the theft of their login credentials and as a secondary monetization scheme.
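The two traits described above, bulk uploads from a small set of accounts in a short window and descriptions that all link to the same handful of domains, are exactly what a repository maintainer or an internal package-mirror team can alert on. The script below is an added example, not code from the article or from the researchers who found the campaign: it takes package metadata records, extracts the domains linked from each description, groups packages by (publisher, domain), and flags groups whose uploads cluster inside a 48-hour window. The record field names (name, publisher, uploaded, description) are an assumed normalization of what registry APIs return, the sample records are constructed for the demo, and the domains in them are placeholders, not the campaign's real indicators.

```python
"""Flag bulk-uploaded packages whose descriptions link to a shared domain.

Added example, not the article's or the researchers' code. Record field names
are an assumed normalization; sample data below is constructed and the
domains are placeholders, not real campaign indicators.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Matches http(s) URLs embedded in free-form description text.
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)


def extract_domains(text):
    """Return the set of hostnames referenced by URLs in a description."""
    domains = set()
    for url in URL_RE.findall(text):
        host = urlparse(url.rstrip(".,;")).hostname  # hostname is lowercased
        if host:
            domains.add(host)
    return domains


def name_template(name):
    """Collapse digit runs so 'gift-card-0042' and 'gift-card-0107' share a template."""
    return re.sub(r"\d+", "#", name.lower())


def find_bulk_clusters(packages, min_packages=5, window=timedelta(hours=48)):
    """Flag (publisher, domain) groups with >= min_packages uploads inside `window`.

    `packages`: iterable of dicts with keys name, publisher, uploaded (ISO 8601)
    and description. Returns findings sorted by package count, largest first.
    """
    groups = defaultdict(list)
    for pkg in packages:
        for domain in extract_domains(pkg["description"]):
            groups[(pkg["publisher"], domain)].append(pkg)

    findings = []
    for (publisher, domain), members in groups.items():
        if len(members) < min_packages:
            continue
        times = sorted(datetime.fromisoformat(p["uploaded"]) for p in members)
        span = times[-1] - times[0]
        if span > window:  # slow, organic linking to one site is not the pattern
            continue
        findings.append({
            "publisher": publisher,
            "domain": domain,
            "count": len(members),
            "span_hours": round(span.total_seconds() / 3600, 1),
            "name_templates": sorted({name_template(p["name"]) for p in members}),
        })
    findings.sort(key=lambda f: f["count"], reverse=True)
    return findings


def _build_sample():
    """Constructed metadata: one automated cluster plus benign noise."""
    base = datetime(2022, 12, 1, 9, 0, 0)
    rows = []
    # Six near-identical packages from one account, minutes apart, same domain.
    for i in range(6):
        rows.append({
            "name": f"free-giftcard-codes-{i:04d}",
            "publisher": "bulk-uploader-01",
            "uploaded": (base + timedelta(minutes=7 * i)).isoformat(),
            "description": f"Claim gift card code #{i} at https://prize-portal.example/card?id={i}",
        })
    # Same account, one stray package to a different domain: below threshold.
    rows.append({
        "name": "free-giftcard-codes-9999",
        "publisher": "bulk-uploader-01",
        "uploaded": (base + timedelta(hours=1)).isoformat(),
        "description": "Surveys at https://other-surveys.example/",
    })
    # A legitimate package linking to its source repository.
    rows.append({
        "name": "requests-helper",
        "publisher": "maintainer-x",
        "uploaded": (base + timedelta(days=2)).isoformat(),
        "description": "Thin wrapper; docs at https://github.com/example/requests-helper",
    })
    # Five packages to the flagged domain, but spread over months: not bulk.
    for i in range(5):
        rows.append({
            "name": f"slow-release-{i}",
            "publisher": "slow-publisher",
            "uploaded": (base + timedelta(days=10 * i)).isoformat(),
            "description": "See https://prize-portal.example/",
        })
    return rows


SAMPLE_PACKAGES = _build_sample()

if __name__ == "__main__":
    for finding in find_bulk_clusters(SAMPLE_PACKAGES):
        print(finding)
```

The thresholds are deliberately conservative for a demo; against a live registry feed you would tune `min_packages` and `window` to the repository's normal publishing cadence, and you would treat a shared name template across many publishers as a second signal rather than requiring a single account, since a campaign can spread its uploads across throwaway accounts.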

The Bottom Line

The phishing packages used in this campaign have since been removed from the repositories, except in the case of NuGet, where the packages were unlisted rather than deleted. An unlisted NuGet package no longer appears in search results, but it can still be downloaded by anyone who requests it by its exact package ID and version, so a build that already references one of these names will keep resolving it. Regardless, the automated methods used in this campaign to upload a very large number of packages over a short period with relative ease raise concern that the cybercriminals behind this operation could reintroduce the threat using new accounts and different package names at any time. Linux security expert Dave Wreski advises, "To protect their digital security, users should always engage in cybersecurity best practices and remain vigilant when browsing package repositories."

For the complete list of the URLs used in this campaign, check out this IoC text file on GitHub.

Be sure to visit LinuxSecurity.com frequently and subscribe to our weekly newsletters to stay up-to-date on the latest security news and information impacting the open source community!