"Currently, we’ve observed the following phishing domains used by the attacker. Most of these are already offline, but the attacker frequently creates new domains and will likely continue to do so:"
Known phishing domains:
Code:
aws-update[.]net
corp-github[.]com
ensure-https[.]com
git-hub[.]co
git-secure-service[.]in
githb[.]co
glt-app[.]net
glt-hub[.]com
glthub[.]co
glthub[.]info
glthub[.]net
glthubb[.]info
glthube[.]app
glthubs[.]com
glthubs[.]info
glthubs[.]net
glthubse[.]info
slack-app[.]net
ssl-connection[.]net
sso-github[.]com
sts-github[.]com
tsl-github[.]com
How to protect yourself:
Quote
In order to prevent phishing attacks (which collect two-factor codes) from succeeding, consider using hardware security keys or WebAuthn two-factor authentication. Also consider using a browser-integrated password manager. Many commercial and open-source options exist including browser-based password management native to popular web browsers. These provide a degree of phishing protection by autofilling or otherwise recognizing only a legitimate domain for which you have previously saved a password. If your password manager doesn’t recognize the website you’re visiting, it might be a phishing site.
https://github.blog/2020-04-14-sawfish-phishing-campaign-targets-github-users/