The SRO alleged that Thomas opened a fake bank account in the client’s name, which she used to siphon off $59,000 in unauthorized redemptions from the client’s TFSA, misappropriated another $34,000 from the client’s joint bank account, and applied for a loan and a line of credit from the bank in the client’s name, taking another $59,000 that way. “[Thomas] subsequently admitted that she took the monies from the client because the client trusted her and was elderly,” the panel noted in its decision, adding that none of the money has been repaid. The bank paid the victim a total of $93,000 as compensation for the money that was stolen from her, the panel said.

The panel imposed a permanent ban against Thomas, a $300,000 fine, and ordered $10,000 in costs against her. “We agree with staff that the respondent poses a significant risk to other investors. The misconduct in the present case is egregious,” the panel said. “She stole money from an elderly client who trusted her and also defrauded the bank by obtaining a loan in the client’s name and using the proceeds for her personal use. She cannot be trusted with clients’ monies in the future.” Thomas, who was terminated by the bank in 2019, did not participate in the regulatory proceeding against her.

April 27, 2022 update: Pattern of attacker activity on GitHub.

As of 5:00 PM UTC on April 27, 2022, we are in the process of sending the final expected notifications to customers who had either the Heroku or Travis CI OAuth app integrations authorized in their GitHub accounts. Following this series of notifications, GitHub will have completed directly notifying each affected user for whom we were able to detect abuse using the stolen OAuth tokens.

GitHub’s analysis of the attacker’s behavior reveals the following activities carried out on GitHub using stolen OAuth app tokens:

1. The attacker authenticated to the GitHub API using the stolen OAuth tokens issued to Heroku and Travis CI.
2. For most people who had the affected Heroku or Travis CI OAuth apps authorized in their GitHub accounts, the attacker listed all the user’s organizations.
3. The attacker then selectively chose targets based on the listed organizations.
4. The attacker listed the private repositories for user accounts of interest.
5. The attacker then proceeded to clone some of those private repositories.

This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories. GitHub believes these attacks were highly targeted, based on the available information and our analysis of the attacker’s behavior using the compromised OAuth tokens issued to Travis CI and Heroku.

April 22, 2022 update: GitHub has sent notifications for known victims of repository listing activity using stolen OAuth app tokens.

As of 7:33 PM UTC on April 22, 2022, we’ve notified victims of this campaign whom we have identified as having repository details listed using stolen OAuth app tokens, but who did NOT have repository contents downloaded. Customers should also continue to monitor Heroku and Travis CI for updates on their own investigations into the affected OAuth applications.
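The five-step attacker pattern in the GitHub update above, turned into a detection rule. This is an added example and not GitHub’s code or tooling: the page gives no log format, so the JSON-lines records, their field names (ts, oauth_app, actor, action, target) and the action names are constructed assumptions to be mapped onto whatever your own audit-log export contains. The rule keys activity by (OAuth app, actor), reports tokens that progressed from organization listing to private-repository listing within a time window, splits them into the two notification tiers the updates describe (repository details listed only, versus contents downloaded), and flags cloning of only a subset of the enumerated repositories as the “highly targeted” signal.

```python
"""Detect the enumerate-then-clone pattern from the GitHub update above.

Added example, not GitHub's own code.  Runs over a constructed JSON-lines
sample; field names and action names are assumptions standing in for
whatever a real audit-log export uses.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical action names mirroring steps 2, 4 and 5 of the update.
LIST_ORGS = "api.list_orgs"                    # step 2: enumerate the user's organizations
LIST_PRIVATE_REPOS = "api.list_private_repos"  # step 4: enumerate private repositories
CLONE = "git.clone"                            # step 5: download repository contents
WINDOW = timedelta(hours=6)                    # enumeration and clone must be this close in time

# Constructed sample events (not real data).  alice: full campaign pattern;
# dave: enumerated, clone only a day later (outside the window); bob: only
# organizations listed; carol: an ordinary CI token cloning a repo it never enumerated.
SAMPLE_LOG = """\
{"ts":"2022-04-13T09:00:00Z","oauth_app":"heroku","actor":"alice","action":"api.list_orgs","target":"acme,globex,initech"}
{"ts":"2022-04-13T09:00:05Z","oauth_app":"heroku","actor":"bob","action":"api.list_orgs","target":"acme"}
{"ts":"2022-04-13T09:01:00Z","oauth_app":"travis-ci","actor":"dave","action":"api.list_orgs","target":"globex"}
{"ts":"2022-04-13T09:05:00Z","oauth_app":"heroku","actor":"alice","action":"api.list_private_repos","target":"acme/payments,acme/infra,globex/web"}
{"ts":"2022-04-13T09:06:00Z","oauth_app":"travis-ci","actor":"dave","action":"api.list_private_repos","target":"globex/web,globex/api"}
{"ts":"2022-04-13T09:20:00Z","oauth_app":"heroku","actor":"alice","action":"git.clone","target":"acme/payments"}
{"ts":"2022-04-13T10:00:00Z","oauth_app":"travis-ci","actor":"carol","action":"git.clone","target":"acme/infra"}
{"ts":"2022-04-14T09:30:00Z","oauth_app":"travis-ci","actor":"dave","action":"git.clone","target":"globex/api"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts' and a set 'targets', time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["targets"] = set(e["target"].split(","))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_tokens(events, window=WINDOW):
    """Return {(oauth_app, actor): summary} for tokens that listed organizations and
    then listed private repositories (optionally cloning some) within `window` of the
    first organization listing.  Tokens that only listed organizations are not
    reported: per the update, that happened to most affected token holders."""
    by_token = defaultdict(list)
    for e in events:
        by_token[(e["oauth_app"], e["actor"])].append(e)

    findings = {}
    for token, evs in by_token.items():
        stage, start = 0, None          # 0 none, 1 orgs listed, 2 repos listed, 3 cloned
        orgs, repos, cloned = set(), set(), set()
        for e in evs:                   # per-token lists keep the global time order
            if start is not None and e["ts"] - start > window:
                break                   # later activity is outside the correlation window
            if e["action"] == LIST_ORGS:
                if start is None:
                    start = e["ts"]
                stage = max(stage, 1)
                orgs |= e["targets"]
            elif e["action"] == LIST_PRIVATE_REPOS and stage >= 1:
                stage = max(stage, 2)
                repos |= e["targets"]
            elif e["action"] == CLONE and stage >= 2:
                stage = 3
                cloned |= e["targets"]
        if stage >= 2:
            findings[token] = {
                "tier": "contents_downloaded" if stage == 3 else "listed_only",
                "orgs_enumerated": len(orgs),
                "repos_enumerated": len(repos),
                "repos_cloned": len(cloned),
                # cloning a strict subset of what was enumerated is the targeted signal
                "selective": stage == 3 and cloned < repos,
            }
    return findings


if __name__ == "__main__":
    for token, summary in find_suspicious_tokens(parse_events(SAMPLE_LOG)).items():
        print(token, summary)
```

Keep in mind that steps 2 and 4 are read-only API calls, which audit logs typically do not record; in that case only the clone events, keyed by the token or integration that performed them, are available to an organization for correlation, and the enumeration steps are visible only to the platform operator.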