Website mocking github

Hey this website’s mocking github pretty well. Almost got me to send my login details, but the styling on the login page is messed up, which made me notice the address bar.

Not sure if there’s anything you can do about it, but here’s the url if you’re interested!

It showed up as my top google search for “clockwork yocto tutorial” - an oddly specific page to spoof

PS: I found the actual repo very useful: GitHub - JeremyGrosser/meta-clockwork: Yocto BSP for ClockworkPi boards. Kudos to them.

3 Likes

Hi there, welcome to the community! <3

The site seems incredibly suspicious to me. Thanks for reporting anyway, the moderators will (or “may”) check it. In my view, don’t trust these sites, that’s exactly what you did. I saw so many sites like this mocking other sites for some purposes. Just don’t submit your data to them :slight_smile:, that’s it.

Take care

That’s really bad indeed. If you don’t pay close attention to the URL bar you could just think you’re actually on GitHub.

I can’t see any good reason for mimicking another service so closely except for credentials theft or delivering malicious code.

@nethgato, as our Community Manager, you might want to look into this, for it might be already affecting current or potential GH users.

Hmmm, I too am thinking about it

1 Like

I saw this headline and assumed it was about some kind of joke site, since the ordinary dictionary meaning of “to mock (something)” is “to make fun of it”.

As opposed to “to mock up”, meaning “to make a temporary or incomplete replica” (which in the case of software can be extended to mean “partially emulate”).

I know that language changes over time, but spare a thought for our old grey cells, and perhaps add the word forgery to the topic title?

2 Likes

That’s not only cool but also deep

@bblanke, you might want to edit that post so it doesn’t show the preview for the fake website. The preview looks like a legitimate GitHub one, only checking the target URL reveals it isn’t. That might be dangerous to readers who aren’t very careful. :warning:

Good feedback! I’ll add forgery in here - that’s really the word I was looking for

Also good point! I unfortunately can’t seem to edit my post anymore; hopefully folks scroll down and see the whole thread.

1 Like

I’ve clicked on the sign-up button, and it even goes to a page asking for my email:

Welcome to GitHub!
Let’s begin the adventure
Enter your email [ input form ]

(I’m not linking to any of this).

So, I guess that if I were to carry on providing my email, it would ask for further data like password, phone number, etc. What would be done with that data is anyone’s guess. But it looks like a honey trap for potential new GH users, well enough.

Worst thing is that old or semi-new legitimate GH users might also fall for the “log-in” trap, and provide their legitimate GH user and password to this website.

The website is even leeching the CSS files directly from GitHub:

```html
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
  <link rel="dns-prefetch" href="https://assets-cdn.github.com">
  <link rel="dns-prefetch" href="https://avatars0.githubusercontent.com">
  <link rel="dns-prefetch" href="https://avatars1.githubusercontent.com">
  <link rel="dns-prefetch" href="https://avatars2.githubusercontent.com">
  <link rel="dns-prefetch" href="https://avatars3.githubusercontent.com">
  <link rel="dns-prefetch" href="https://github-cloud.s3.amazonaws.com">
  <link rel="dns-prefetch" href="https://user-images.githubusercontent.com/">
```

No wonder it looks so legit, it’s stealing the CSS.

1 Like

The most interesting thing is that this website is able to show any repository actually present on GitHub. It looks like it’s capable of redirecting contents via some mechanism, but you’ll notice that some less known repositories will take longer to show up (no cache?).

Except that for the log-in and sign-up pages you notice they’re fake pages being served on that domain. So it goes to great lengths to look legitimate (all repos look as if available) to lure you into signing in.

With all that leeching of resources (CSS, avatars, etc.) and what’s probably a significant stream of contents requests, it’s strange that GH didn’t auto-detect it before — and, e.g. that anti-leech filters haven’t black-listed this domain from further requests.

The domain is registered in China, and has been active for quite some time (no idea about the sub-domain though):

Who’s Promoting This Fake Site here on GH?

I’m trying to see who’s actively promoting links to this fake website here, by pasting links in conversations, or placing them in repositories:

some results seem more interesting than others:

1 Like
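An added example, not part of the thread: one way an asset host could notice the hotlinking described above is to group static-asset requests by the host in their Referer header and report foreign hosts seen from several distinct clients. The log format, the allowlist, the IP addresses and the `mirror.example` hosts are constructed assumptions.

```javascript
// Added example, not from the thread. Hosts, IPs and log lines are constructed;
// the log format and the allowlist are assumptions.
const FIRST_PARTY = ["github.com", "githubusercontent.com"];
// True when host is an allowed domain or a genuine subdomain of one.
function isFirstParty(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return FIRST_PARTY.some((d) => h === d || h.endsWith("." + d));
}

// Assumed format: <client-ip> "<METHOD> <path>" <status> "<referer or ->"
const LINE = /^(\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)"$/;
const ASSET = /\.(css|js|png|svg|woff2?)$/;
// Map of foreign Referer host -> { hits, clients } for static-asset requests.
function findHotlinkers(lines) {
  const seen = new Map();
  for (const line of lines) {
    const m = LINE.exec(line.trim());
    if (!m) continue; // malformed line
    const [, ip, , path, , referer] = m;
    if (!ASSET.test(path.split("?")[0])) continue;
    if (referer === "" || referer === "-") continue; // stripped Referer: unattributable
    let host;
    try { host = new URL(referer).hostname; } catch { continue; }
    if (isFirstParty(host)) continue;
    const e = seen.get(host) || { hits: 0, clients: new Set() };
    e.hits += 1; e.clients.add(ip);
    seen.set(host, e);
  }
  return seen;
}

// Hosts referred by at least minClients distinct clients, busiest first.
function report(lines, minClients = 2) {
  return [...findHotlinkers(lines)]
    .filter(([, e]) => e.clients.size >= minClients)
    .map(([host, e]) => ({ host, hits: e.hits, clients: e.clients.size }))
    .sort((a, b) => b.hits - a.hits);
}

const SAMPLE_LOG = [ // constructed log lines
  '198.51.100.7 "GET /assets/frameworks.css" 200 "https://github.com/JeremyGrosser/meta-clockwork"',
  '203.0.113.5 "GET /assets/frameworks.css" 200 "https://hub.mirror.example/login"',
  '203.0.113.9 "GET /assets/github.css" 200 "https://hub.mirror.example/join"',
  '192.0.2.44 "GET /assets/github.css" 200 "-"',
  '192.0.2.50 "GET /assets/app.js" 200 "https://blog.example.org/post"',
];
```

Requests whose Referer was stripped by the referring page's referrer policy are skipped, so this check undercounts and cannot see a mirror that serves its own copies of the assets.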

I’m responding to that one, hope he will respond to my response to the comment. Let’s see

Perhaps it’s time to remind everyone to enable 2FA?

Sadly, I suspect that the people who are “promoting” it are dupes who’ve already been tricked into using it, and are bookmarking the URLs they’re seeing (and pasting them into their comments).

It seems that many muggles consider URLs to be inscrutable magic incantations devoid of comprehensible internal structure.
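An added example, not part of the thread: the internal structure of a URL can be checked mechanically, for instance when scanning pasted links in posts, by parsing each link and comparing the real host against an allowlist. The allowlist, the verdict names and every URL below are constructed assumptions; `mirror.example` is a placeholder, not the domain discussed here.

```javascript
// Added example, not from the thread. All URLs are constructed.
const TRUSTED = ["github.com", "githubusercontent.com"]; // assumed allowlist
const BRAND = /github/; // brand string that lookalike names tend to embed

// Returns { verdict, why }; verdict is one of
// "trusted", "lookalike", "suspicious", "other", "invalid".
function classifyLink(raw) {
  let u;
  try { u = new URL(raw); } catch { return { verdict: "invalid", why: "unparseable" }; }
  if (u.protocol !== "https:" && u.protocol !== "http:")
    return { verdict: "invalid", why: "not a web URL" };
  // new URL() has already lowercased the host and converted IDNs to punycode.
  const host = u.hostname.replace(/\.$/, "");
  const trusted = TRUSTED.some((d) => host === d || host.endsWith("." + d));
  if (trusted)
    return u.protocol === "https:"
      ? { verdict: "trusted", why: host }
      : { verdict: "suspicious", why: "trusted host over plain http" };
  // Text before '@' is userinfo, not the host: github.com@x.example goes to x.example.
  if (BRAND.test(u.username) || BRAND.test(u.password))
    return { verdict: "lookalike", why: "brand in userinfo, real host is " + host };
  if (BRAND.test(host))
    return { verdict: "lookalike", why: "brand inside foreign host " + host };
  if (host.startsWith("xn--") || host.includes(".xn--"))
    return { verdict: "suspicious", why: "punycode host " + host };
  return { verdict: "other", why: host };
}

// Pull links out of free text (for example a forum post) and classify each one.
function scanText(text) {
  const links = text.match(/https?:\/\/[^\s<>"')]+/g) || [];
  return links.map((link) => ({ link, ...classifyLink(link) }));
}

const SAMPLE_POST = // constructed post text
  "Tutorial: https://github.com.mirror.example/JeremyGrosser/meta-clockwork " +
  "(original: https://github.com/JeremyGrosser/meta-clockwork )";
console.log(scanText(SAMPLE_POST));
```

A mirror whose host name does not contain the brand string comes back as "other", so only the allowlist match is a positive signal; the name heuristics merely rank what to review first.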

Thanks for the mention @tajmone – I do see we had a hackerone report of this back in April, but I don’t see any active conversations.

I’m going to bring this up with our Security team.

:bow:

4 Likes

+CC: @nethgato

I’m raising a security ticket w/ Google and I’ll raise a separate HackerOne ticket too. IMHO the issue has, at least temporarily, escalated.

Hi @IAXES :wave:

I’m out on PTO for a couple weeks, but I’ll be checking in here and there for @ mentions.

To reiterate, I have escalated that domain to our Security team, and I believe they’ve taken appropriate action on our side. We can’t necessarily take the site down, but we have taken steps that we can.

You mention that the issue has escalated. Could you elaborate a bit, please?

1 Like

@nethgato Sure. In short, I noticed that there are multiple sub-domains to this domain that all “mirror” GitHub in the same manner. The point (IMHO) that indicates that the issue has escalated, was something I noticed the other day: google searches for GitHub content, in some cases, were yielding results from this domain higher/earlier in the search results than the actual legitimate content (fortunately, this no longer appears to be the case). I felt it warranted attention since that likely increases the likelihood of this site being used in place of GitHub itself via searches. This might be potentially related to why people are promoting or otherwise posting links with this MitM domain: they may not even be aware that they’re using it.

In any case, I’ve issued DMCA take-down requests through Google for specific content of mine that is being mirrored through this domain. Not sure if there’s a way to have the domain itself removed from searches (would likely require GH itself to issue the request for the site).