[CircleCI Security Alert] Warning: Phishing attempt for login credentials

Yesterday evening, we became aware of a phishing attempt for customers’ CircleCI and GitHub credentials. We have no reason to believe your organization has been specifically targeted or that your account has been compromised, but want our customers to be aware that there is an ongoing phishing attempt and to exercise due caution.
This is an example of the email impersonating CircleCI in an attempt to gain access to your account:

CircleCI will not require users to log in to review any updates to our Terms of Service. Additionally, these phishing attempts include links that send users to circle-ci[.]com, which is not owned by CircleCI. Any emails from CircleCI should only include links to circleci.com or its sub-domains. If you believe you or someone on your team may have accidentally clicked a link in this email, please immediately rotate your credentials for both GitHub and CircleCI, and audit your systems for any unauthorized activity.

If you need help or have any questions, please do not hesitate to reach out to our team.
To better building,

The Team at CircleCI

7 Likes

Thanks for posting this. Has CircleCI reached out to the registrar about the phishing site?

Registrar: NICENIC INTERNATIONAL GROUP CO., LIMITED
Registrar IANA ID: 3765
Registrar Abuse Contact Email: support@nicenic.net
Registrar Abuse Contact Phone: +853.2354112
2 Likes

@zackse Yes, we have reached out to the registrar. Thanks for your patience as we continue to investigate.

2 Likes

Thanks for the warning. Is this campaign phishing for GitHub credentials?

We have been receiving thousands of these phishing emails to our organization, all spoofing @circleci.com email addresses. Could you please configure and enable DMARC policies for your domain to help get these blocked?

6 Likes

% dig TXT _dmarc.circleci.com +short
"v=DMARC1; p=none; fo=1; rua=mailto:dmarc_rua@emaildefense.proofpoint.com; ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com

Seriously, configure DMARC to reject!

3 Likes

Do you have the source of one of these emails? I specifically need the Subject, so I can check my logs.

We have seen the following subjects:

[Action Required] Your CircleCI services have been updated
[Action Required] - Your CircleCI services have been updated
Important changes made to your CircleCI services
Your CircleCI account and services have been changed
Your CircleCI Services will be disabled

1 Like
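
Added example, not part of any post in this thread: a small Python triage helper that checks a raw message against the subject lines reported above and against the rule from the original alert that links should only point to circleci.com or its sub-domains. The sample message and its `.example` hosts are constructed placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Subject lines reported in this thread.
REPORTED_SUBJECTS = [
    "[Action Required] Your CircleCI services have been updated",
    "[Action Required] - Your CircleCI services have been updated",
    "Important changes made to your CircleCI services",
    "Your CircleCI account and services have been changed",
    "Your CircleCI Services will be disabled",
]
LEGIT_DOMAIN = "circleci.com"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def normalise(subject):
    """Case-fold and collapse whitespace so folded headers still match."""
    return " ".join(subject.split()).casefold()

def is_circleci_host(host):
    """True only for circleci.com itself or a sub-domain of it."""
    host = (host or "").rstrip(".").lower()
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)

def triage(raw_message):
    """Return (subject_matches, link hosts that are outside circleci.com)."""
    msg = message_from_string(raw_message, policy=default)
    subject_hit = normalise(msg["Subject"] or "") in map(normalise, REPORTED_SUBJECTS)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    bad_hosts = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname  # drops any user@ prefix and the port
        if not is_circleci_host(host) and host not in bad_hosts:
            bad_hosts.append(host)
    return subject_hit, bad_hosts

# Constructed sample; the .example hosts are placeholders, not real indicators.
SAMPLE = """\
From: "CircleCI" <noreply@circleci.com>
Subject: [Action Required] Your CircleCI services have been updated
Content-Type: text/plain; charset=utf-8

Review the changes: https://circleci.com@circle-ci.example/login
Docs: https://app.circleci.com/settings
Mirror: https://circleci.com.login.example:8443/tos
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The host comparison is done on the parsed hostname with an exact or dot-anchored suffix match, so a hyphenated lookalike, a `circleci.com.` prefix on another domain, and a `circleci.com@` userinfo prefix are all reported.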

Is there a reason why DMARC has not been configured? Please enable this if it has not been set up.

2 Likes

Indeed. Why is DMARC not configured incorrectly?

The p tag should be set to “reject”, not “none”.


I opened a support ticket for this.


Update: They are aware of the issue and are reviewing their internal tooling configuration.

1 Like

Thank you, team.

1 Like

If possible, can you provide the original email in raw source with full headers? In support of my research to develop and bolster a mail client’s ability to flag a phishing message’s attributes, having the email header will greatly aid my efforts and help to prevent such attacks in the future. Thank you in advance!