Someone cloned GitHub, not sure why

Question

I was looking at serilog enrichers trying to figure out why one wasn't working.I stumbled across this list of enrichers:https://causlayer.orgs.hk/topics/serilog-enrichersWhich have a few links to github repositories. I looked at one or two and then click the link for laurentiustamate94 / serilog-enrichers-aspnetcore and eventually noticed it took me to this page:https://causlayer.orgs.hk/laurentiustamate94/serilog-enrichers-aspnetcoreA pretty exact copy. Everything works, though some links (like profile etc) take you to the real github.Why would someone put that amount of work into this?If you go to https://causlayer.orgs.hk it's a copy of the github home page with a fake login page!Is this something github should be aware of? If so where would you report it?

LinuxBender · Accepted Answer

VirusTotal [1] is lighting up on that site. Do not click those links and I would remove the links from HN.
[Edit] HN Moderator removed it.
[1] - https://www.virustotal.com/gui/url/f298f1b568fccc7d942aa39c1...

disqard · Answer

Probably a phishing site to steal username + password.

Nextgrid · Answer

I wonder if it's someone's reverse-proxy to bypass censorship of the main site.

tyingq · Answer

It does look like a live proxy rather than a copy/clone.The responses have headers like "X-GitHub-Request-Id", which would be a pretty easy detail to forget if it were a copy.

robbedpeter · Answer

To bypass the great firewall? Or possibly, to bypass country level restrictions on content blocks? You might have just outed some group in China.

egberts · Answer

Someone is going to have to be brave enough to login and see if their private repositories got cloned as well.I have no private repo. It would suck if that too got cloned.

mosdl · Answer

To steal passwords?

smoldesu · Answer

Looks like a social engineering attack of some sort.

piyh · Answer

Is this basically a MitM attack as a proxy?

omarhaneef · Answer

Bob: Susan, remember not to make the GitHub staging site public by accident.
Susan: or what?
Bob: someone might me see it!
Susan: an obscure url like that? not a chance.
Bob: still, a small chance
Susan: and so what if someone sees it? it’s not like it will show up on the front page of Hacker News!

Someone cloned GitHub, not sure why

VirusTotal [1] is lighting up on that site. Do not click those links and I would remove the links from HN.
[Edit] HN Moderator removed it.
[1] - https://www.virustotal.com/gui/url/f298f1b568fccc7d942aa39c1...

Probably a phishing site to steal username + password.

I wonder if it's someone's reverse-proxy to bypass censorship of the main site.

It does look like a live proxy rather than a copy/clone.
The responses have headers like "X-GitHub-Request-Id", which would be a pretty easy detail to forget if it were a copy.

To bypass the great firewall? Or possibly, to bypass country level restrictions on content blocks? You might have just outed some group in China.

Someone is going to have to be brave enough to login and see if their private repositories got cloned as well.
I have no private repo. It would suck if that too got cloned.

To steal passwords?

Looks like a social engineering attack of some sort.

Is this basically a MitM attack as a proxy?

Someone cloned GitHub, not sure why

VirusTotal [1] is lighting up on that site. Do not click those links and I would remove the links from HN.[Edit] HN Moderator removed it.[1] - https://www.virustotal.com/gui/url/f298f1b568fccc7d942aa39c1...

Probably a phishing site to steal username + password.

I wonder if it's someone's reverse-proxy to bypass censorship of the main site.

It does look like a live proxy rather than a copy/clone.The responses have headers like "X-GitHub-Request-Id", which would be a pretty easy detail to forget if it were a copy.

To bypass the great firewall? Or possibly, to bypass country level restrictions on content blocks? You might have just outed some group in China.

Someone is going to have to be brave enough to login and see if their private repositories got cloned as well.I have no private repo. It would suck if that too got cloned.

To steal passwords?

Looks like a social engineering attack of some sort.

Is this basically a MitM attack as a proxy?

Bob: Susan, remember not to make the GitHub staging site public by accident.Susan: or what?Bob: someone might me see it!Susan: an obscure url like that? not a chance.Bob: still, a small chanceSusan: and so what if someone sees it? it’s not like it will show up on the front page of Hacker News!

VirusTotal [1] is lighting up on that site. Do not click those links and I would remove the links from HN.
[Edit] HN Moderator removed it.
[1] - https://www.virustotal.com/gui/url/f298f1b568fccc7d942aa39c1...

It does look like a live proxy rather than a copy/clone.
The responses have headers like "X-GitHub-Request-Id", which would be a pretty easy detail to forget if it were a copy.

Someone is going to have to be brave enough to login and see if their private repositories got cloned as well.
I have no private repo. It would suck if that too got cloned.