Malicious actors hosted phishing kits on the web-based GitHub code hosting platform by abusing the service's free repositories to deliver them to their targets via github.io domains.
This technique allows crooks to take advantage of the GitHub Pages service to bypass both whitelists and network defenses, just like the "use of large consumer cloud storage sites, social networking, and commerce services such as Dropbox, Google Drive, Paypal, Ebay, and Facebook" makes it possible to have their malicious activities blend in within legitimate web traffic.
The researchers state that GitHub took down all the accounts discovered to be involved in the malicious activity as of April 19, 2019, while also being "extremely responsive in addressing this abuse of their systems."
As discovered by Proofpoint's research team, multiple threat actors used github.io domains as part of various malicious campaigns including phishing attacks which directed victims to landing pages hosted on GitHub's service.
For instance, one of the attackers hosted a phishing kit designed to steal credentials from the customers of a retail bank brand after redirecting them to the landing page via malicious emails.