A massive phishing campaign targeting GitHub users convinced at least one developer at Dropbox to enter in their credentials and a two-factor authentication code, leading to the theft of at least 130 software code repositories.

According to a Dropbox advisory on Nov. 1, the mid-October attack consisted of emails that appeared to be from CircleCI, a popular DevOps platform, and directed Dropbox employees to go to a fake login page, enter in their GitHub credentials, and then enter in the one-time password created by a hardware key. 

The attacker eventually succeeded with at least one target, gaining access to and copying 130 code repositories, which included customized versions of third-party libraries, prototypes of internal software projects, and a collection of tools and configuration files maintained by the Dropbox security team.

The attackers did not gain access to the company's core software or the files used to configure and operate its infrastructure, Dropbox said in its advisory.

"Our security teams took immediate action to coordinate the rotation of all exposed developer credentials, and determine what customer data — if any — was accessed or stolen," the company stated. "We also reviewed our logs, and found no evidence of successful abuse."

GitHub Developers: In the Cyber-Crosshairs

Dropbox programmers were not the only developers targeted by the attackers. In September, GitHub warned that a threat group had begun targeting the service's users with the same tactic: phishing emails that purported to be from CircleCI, with the goal of harvesting user credentials and the one-time passwords used by developers as a second factor of authentication.

The stakes are high: An attacker who successfully steals a developer's credentials can then download code from any private repository to which the compromised account has access and use a variety of techniques — such as creating personal access tokens, adding SSH keys, and authorizing applications using OAuth — to maintain persistence of access, GitHub stated in a September advisory.

"While GitHub itself was not affected, the campaign has impacted many victim organizations," the advisory stated.

Cyber-Risks to Dropbox Customers "Minimal"

The attack on the Dropbox developer allowed the attackers to nab a "few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors," Dropbox noted, adding that it has more than 700 million registered users. Despite this, the privacy risks to customers, partners and employees are "minimal," Dropbox maintained.

"At no point did this threat actor have access to the contents of anyone's Dropbox account, their password, or their payment information," Dropbox said in its statement. "To date, our investigation has found that the code accessed by this threat actor contained some credentials — primarily, API keys — used by Dropbox developers."

Developers have become an increasingly popular target of attackers. Stolen Slack credentials, for example, have allowed the compromise of developer accounts at software and game makers, including Take-Two Interactive's Rockstar Games.

Like most security experts, Dropbox stressed that humans — even the most technical and knowledgeable users — are fallible, and for that reason, technical controls continue to be important.

"Even the most skeptical, vigilant professional can fall prey to a carefully crafted message delivered in the right way at the right time," the company said. "This is precisely why phishing remains so effective — and why technical controls remain the best protection against these kinds of attacks."

How to Adopt Phishing-Resistant Infrastructure

Multifactor authentication (MFA) makes phishing for credentials much more difficult, but not impossible. Attackers have found ways around time-based one-time passwords (TOTPs), Javvad Malik, an evangelist at security awareness and training provider KnowBe4, said in a statement sent to Dark Reading.

"As MFA adoption increases in popularity, we see criminals adapt their methods to bypass MFA controls by tricking the users in increasingly sophisticated ways," he said. "This is why phishing-resistant MFA is strongly advised so that social engineering attacks have less likelihood of succeeding."

In its advisory, GitHub stressed that companies should move instead to hardware security keys, the codes for which a user cannot inadvertently hand over to an attacker, or WebAuthn, a standards-based way to use hardware keys for two-factor authentication.

Dropbox has already embarked on the latter path, the company said.

"Prior to this incident, we were already in the process of adopting this more phishing-resistant form of multi-factor authentication," Dropbox stated in its advisory. "Soon, our whole environment will be secured by WebAuthn with hardware tokens or biometric factors."