Phishing attack on PyPi and AMO developers | Kaspersky official blog

Just recently, within days of each other, Mozilla (the organization behind the Firefox browser) and the team that maintains the Python Package Index (a catalog of software written in Python) published very similar warnings about phishing attacks. Unknown attackers are trying to lure both Python developers with accounts on pypi.org and Firefox add-on creators with addons.mozilla.org accounts to fake sites in order to trick them into giving up their credentials. We therefore recommend that open source developers (not just PyPi and AMO users) be especially careful when clicking on links in emails.

These two attacks are not necessarily related (after all, the phishers’ methods are slightly different). However, taken together, they demonstrate an increased cybercriminal interest in code repositories and app stores. Most likely, their ultimate goal is to organize supply chain attacks, or resell credentials to other criminals who can organize such an attack. After all, having gained access to a developer’s account, attackers can inject malicious code into packages or plugins.

Details of a phishing attack on PyPi developers

Phishing emails addressed to users of the Python Package Index are sent to the addresses specified in the metadata of packages published on the site. The subject line contains the phrase “[PyPI] Email verification”. The emails are sent from addresses on the @pypj.org domain, which differs by only one letter from the real directory domain, @pypi.org: a lowercase j in place of the lowercase i.

The email states that developers need to verify their email address by clicking on a link to a site that imitates the design of the legitimate PyPi. Interestingly, the phishing site not only collects the victims’ credentials, but also transmits them to the real site, so that after the “verification” is complete, the victim ends up on a legitimate site logged in, and often doesn’t even realize that their credentials have just been stolen.

The team that maintains the Python Package Index recommends that anyone who clicks on the link in the email immediately change their password, and also check the “Security History” section in their account.

Details of a phishing attack on addons.mozilla.org accounts

The phishing emails sent to Firefox add-on developers imitate messages from Mozilla or directly from AMO. The gist of the message is that the recipient must update their account data in order to keep using the developer features.

Judging by the example uploaded by one of the recipients, the attackers don’t bother to disguise the sender’s address: the email was sent from an ordinary Gmail account. It also follows from the comments that the phishers sometimes misspell the name Mozilla, dropping one of the two l’s.

How to stay safe?

Developers should be extremely careful with emails containing links to such sites. They should check the domains from which the emails are sent, as well as the links they’re asked to follow. Even if the email seems legitimate, they should log in to the account by manually entering the site’s address or by following a previously saved bookmark. In addition, we recommend equipping all devices used for work with security solutions that will block the opening of a phishing site even if the link was clicked.
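The two checks recommended above (sender domain and link domains) can be automated. The following script is an added example, not code from Kaspersky, PyPI or Mozilla: it parses an email, classifies the sender domain and every link host as legitimate, a one-character lookalike (the pypj.org / pypi.org pattern described in this post, generalized with an edit-distance check), or unrelated, and raises a flag accordingly. The list of legitimate domains and the sample email are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the two advisories concern (assumed list for this example).
LEGIT_DOMAINS = {"pypi.org", "addons.mozilla.org", "mozilla.org"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; pypj.org vs pypi.org is 1, mozila.org vs mozilla.org is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """'legit', 'lookalike' (within one edit of a legit domain) or 'unrelated'."""
    domain = domain.lower()
    if domain in LEGIT_DOMAINS:
        return "legit"
    if any(edit_distance(domain, d) <= 1 for d in LEGIT_DOMAINS):
        return "lookalike"
    return "unrelated"


def check_email(raw: str) -> dict:
    """Classify the From: domain and the host of every http(s) link in a plain-text body."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    body = msg.get_payload() if not msg.is_multipart() else ""
    links = re.findall(r"https?://[^\s<>\"']+", body)
    return {
        "sender_domain": sender_domain,
        "sender": classify_domain(sender_domain),
        "links": {u: classify_domain(urlparse(u).hostname or "") for u in links},
    }


def is_suspicious(findings: dict) -> bool:
    """Flag when the sender is not a legit domain or any link points outside the legit set."""
    return findings["sender"] != "legit" or any(v != "legit" for v in findings["links"].values())


# Constructed sample modelled on the PyPI case in this post; not a real captured email.
SAMPLE = """From: PyPI <noreply@pypj.org>
Subject: [PyPI] Email verification

Please verify your address: https://pypj.org/account/verify
"""
```

A "legit" verdict on the sender domain only means something when the mail gateway already enforces SPF/DKIM/DMARC; this check catches lookalike domains, not a spoofed From: header.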

For companies that employ open source software developers, we recommend using an anti-phishing solution at the mail gateway level. In addition, it’s a good idea to periodically train employees to recognize modern phishing tricks. After all, even experienced IT specialists can fall for phishing. This can be done using our online Kaspersky Automated Security Awareness Platform.