8 comments

  • poly2it 3 hours ago

    Could've traced the attacker for a bit before burning all bridges.

  • ArcHound 2 hours ago

    It is great that they got taken down. From my experience, these sites are usually parasites on misconfigured WordPresses.

    Were you able to get the phishing data so that you can help the victims? Is it a good idea to try and do so?

    Also, can you please share some bits of the phishing kit for easier detection?

    Thank you for your efforts!

    • spirovskib 2 hours ago

      Thanks for the kind words. We discussed whether to pull the data. We didn't for two reasons: 1. It's not trivial to process that data safely, and all the people in the server are volunteers that pitch in as much as they can. It won't be fair to burden them more. 2. The bots were posting to what appeared to be private or moderated channels. We didn't find an easy way in. Maybe there was a way in, but see item 1 above. So we went with "nuke it from orbit".

      • ArcHound 2 hours ago

        Yeah, that's the problem, processing the data safely. I wouldn't want to do that either without a lawyer covering my back.

  • ekjhgkejhgk 3 hours ago

    Sounds like they got off easy.

    • spirovskib 2 hours ago

      They probably did. But it's a volunteer effort; we all contribute as much as each individual's time permits.

  • CGamesPlay 2 hours ago

    What leads to the secret being stored in git's config file like that? None of my repositories have that, the remote URLs all just say "git@github.com:foo/bar.git".

    • aewens 29 minutes ago

      The way Git computes diffs is by more or less storing all the source code in the .git directory as objects. At first glance it looks like a bunch of hashes, but tools can pull out source code from the objects tracked within the .git directory. Not least of which, the remote URL points to their username on GitHub and the author for commits can give you their email.
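
The two points raised in this sub-thread (a secret ending up in `.git/config`, and source being recoverable from the object store) can be shown concretely. The following is an added example, not code from any commenter or from the project discussed: it builds a constructed `.git` directory in a temp folder whose `origin` remote URL carries a placeholder token in the `user:password@` part (the usual way a secret lands in the config: cloning over HTTPS with the token embedded in the URL), flags that from a defender's side, and then inflates one loose blob the way Git stores it to show why an exposed `.git/` hands over file contents. All names, paths and values are constructed for the demo.

```python
"""
Added example (not from the thread): audit a .git directory for a credential
embedded in a remote URL, and decode a loose object to show that source text
is recoverable from .git/objects. Runs against a constructed fixture.
"""
import hashlib
import os
import re
import tempfile
import zlib
from urllib.parse import urlsplit

# Matches "url = ..." lines inside .git/config remote sections.
_URL_LINE = re.compile(r"^\s*url\s*=\s*(\S+)", re.MULTILINE)


def find_embedded_credentials(config_text):
    """Return [(url_with_secret_masked, username), ...] for every remote URL
    whose userinfo part carries a password/token. SSH-style
    'git@github.com:foo/bar.git' has no password and is not reported."""
    findings = []
    for match in _URL_LINE.finditer(config_text):
        url = match.group(1)
        parts = urlsplit(url)
        if parts.password:
            findings.append((url.replace(parts.password, "***"), parts.username))
    return findings


def write_loose_blob(git_dir, content):
    """Store content as a loose blob exactly as Git does: zlib-compressed
    'blob <size>\\0<content>', filed under objects/<sha[:2]>/<sha[2:]>."""
    framed = b"blob %d\0" % len(content) + content
    sha = hashlib.sha1(framed).hexdigest()
    obj_dir = os.path.join(git_dir, "objects", sha[:2])
    os.makedirs(obj_dir, exist_ok=True)
    with open(os.path.join(obj_dir, sha[2:]), "wb") as fh:
        fh.write(zlib.compress(framed))
    return sha


def read_loose_object(git_dir, sha):
    """Inflate a loose object, split off the '<type> <size>\\0' header and
    verify size and hash. Returns (type, body). This is the whole trick
    behind recovering files from an exposed .git directory."""
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    with open(path, "rb") as fh:
        framed = zlib.decompress(fh.read())
    header, _, body = framed.partition(b"\0")
    obj_type, size = header.decode("ascii").split(" ")
    if int(size) != len(body) or hashlib.sha1(framed).hexdigest() != sha:
        raise ValueError("corrupt object %s" % sha)
    return obj_type, body


def build_demo_git_dir():
    """Constructed fixture: minimal .git with one token-bearing remote URL
    (placeholder token, hypothetical user 'alice') and one loose blob."""
    git_dir = os.path.join(tempfile.mkdtemp(), ".git")
    os.makedirs(git_dir)
    config = (
        '[remote "origin"]\n'
        "\turl = https://alice:ghp_PLACEHOLDER_TOKEN@github.com/alice/app.git\n"
        "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
        '[remote "mirror"]\n'
        "\turl = git@github.com:alice/app.git\n"
    )
    with open(os.path.join(git_dir, "config"), "w") as fh:
        fh.write(config)
    sha = write_loose_blob(git_dir, b"API_KEY = 'placeholder'\n")
    return git_dir, sha


def audit_config(git_dir):
    """Read .git/config and report remotes that embed a credential."""
    with open(os.path.join(git_dir, "config")) as fh:
        return find_embedded_credentials(fh.read())


if __name__ == "__main__":
    demo_dir, blob_sha = build_demo_git_dir()
    for masked, user in audit_config(demo_dir):
        print("credential embedded in remote URL (user %r): %s" % (user, masked))
    kind, body = read_loose_object(demo_dir, blob_sha)
    print("recovered %s object %s: %r" % (kind, blob_sha[:7], body))
```

Point `audit_config` at a real checkout's `.git` to find the same pattern; the fix is to move the token out of the URL into a credential helper or SSH key and rotate it, since it has also been written to the reflog-independent config file and to any copy of the repository directory.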