Ask HN: Someone cloned GitHub, not sure why

21 points by rbobby ↗ HN
I was looking at serilog enrichers trying to figure out why one wasn't working.

I stumbled across this list of enrichers:

https://causlayer.orgs.hk/topics/serilog-enrichers

Which have a few links to github repositories. I looked at one or two and then click the link for laurentiustamate94 / serilog-enrichers-aspnetcore and eventually noticed it took me to this page:

https://causlayer.orgs.hk/laurentiustamate94/serilog-enrichers-aspnetcore

A pretty exact copy. Everything works, though some links (like profile etc) take you to the real github.

Why would someone put that amount of work into this?

If you go to https://causlayer.orgs.hk it's a copy of the github home page with a fake login page!

Is this something github should be aware of? If so where would you report it?

16 comments

[ 4.7 ms ] story [ 49.9 ms ] thread
I wonder if it's someone's reverse-proxy to bypass censorship of the main site.
To steal passwords?
More likely just to read the website in China
To bypass the great firewall? Or possibly, to bypass country level restrictions on content blocks? You might have just outed some group in China.
github is not blocked in China
Probably a phishing site to steal username + password.
VirusTotal [1] is lighting up on that site. Do not click those links and I would remove the links from HN.

[Edit] HN Moderator removed it.

[1] - https://www.virustotal.com/gui/url/f298f1b568fccc7d942aa39c1...

I just clicked and went straight to the site. What do I do now?
Ensure your anti-malware is up to date. If its a work computer let your security team know. If its yours probably clear cache close browser install anti-malware and scan the machine. I dont have time to dig into whats on that site to see what it does.
(comment deleted)
Someone is going to have to be brave enough to login and see if their private repositories got cloned as well.

I have no private repo. It would suck if that too got cloned.

Don't do that, it's obviously a phishing site
Is this basically a MitM attack as a proxy?
Bob: Susan, remember not to make the GitHub staging site public by accident.

Susan: or what?

Bob: someone might me see it!

Susan: an obscure url like that? not a chance.

Bob: still, a small chance

Susan: and so what if someone sees it? it’s not like it will show up on the front page of Hacker News!

It does look like a live proxy rather than a copy/clone.

The responses have headers like "X-GitHub-Request-Id", which would be a pretty easy detail to forget if it were a copy.

Looks like a social engineering attack of some sort.