Education and awareness as regards cybercrime are often hammered home as important considerations for cybersecurity, and results from a GitLab test helped to illustrate that point wonderfully.
The collaborative DevOps platform recently conducted a phishing attack on GitLab employees. The attackers (known as Red Team) sent out an email with a view to obtaining GitLab.com credentials.
The email in question informed the employee that they had been identified as a candidate for “Apple’s System Refresh Program”. At the bottom of the email was a prompt to log in to GitLab to configure the notebook.
As you might suspect, this login page was a ruse that simply siphoned off credentials.
So how many employees fell for this plot?
Thankfully, of the 50 GitLab employees targeted, only 17 clicked the link in the email. Of those 17, however, 10 entered their GitLab credentials into the fraudulent website.
Perhaps most worrying of all, however, is the fact that only six GitLab employees reported the email as suspicious.
Red Team went so far as to point out the subtle ways employees could have deduced that the email was a phishing scam.
- The email address was [email protected] – not a legitimate gitlab.com one. Similar-sounding domain names are a common technique used in targeted phishing campaigns.
- The email references an older model of MacBook Pro than what most users already have. Subtle factual errors are often indicators of an illegitimate source.
- No secondary communication method, such as Slack or a company call, provided an announcement regarding any laptop upgrades.
- Email message header details in Gmail can be viewed (open the message, go to the More option in the upper right, then choose Show Original) to give specific clues as to how the email was generated. Keywords such as “phish” and multiple references to the illegitimate top-level domain gitlab.company are key indicators.
Other indicators included the link redirecting to gitlab.company rather than gitlab.com, the user being asked to log in when they were already logged into GitLab, and the departure from the usual Okta SSO login.
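The first two indicators (a lookalike sender domain and links pointing at gitlab.company instead of gitlab.com) can be checked mechanically. The script below is an added illustration, not code from GitLab’s Red Team report; the sample message, sender address and URLs are constructed, and the registrable-domain logic assumes simple two-label domains.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the exercise described above; not the real email.
SAMPLE_EMAIL = """\
From: IT Helpdesk <it-support@gitlab.company>
To: someone@gitlab.com
Subject: Apple System Refresh Program - action required
Content-Type: text/plain

You have been selected for Apple's System Refresh Program.
Log in to GitLab to configure your notebook: https://gitlab.company/users/sign_in
Docs: https://docs.gitlab.com/ee/user/
"""

LEGIT_DOMAINS = {"gitlab.com"}  # the only domain GitLab mail and links should use
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable(host: str) -> str:
    """Crude eTLD+1: keeps the last two labels (assumes two-label registrable domains)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_legit(host: str) -> bool:
    """True for the legitimate domain and its subdomains, e.g. docs.gitlab.com."""
    return registrable(host) in LEGIT_DOMAINS


def is_lookalike(host: str) -> bool:
    """Flag hosts that reuse the brand label under a different TLD (gitlab.company)."""
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return False
    return any(reg.split(".")[0] == d.split(".")[0] for d in LEGIT_DOMAINS)


def analyse(raw: str) -> dict:
    """Return the sender domain and a list of (indicator, host) findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0].domain
    findings = []
    if not is_legit(sender):
        kind = "lookalike sender domain" if is_lookalike(sender) else "external sender domain"
        findings.append((kind, sender))
    for url in URL_RE.findall(msg.get_content()):
        host = urlparse(url).hostname or ""
        if is_lookalike(host):
            findings.append(("lookalike link host", host))
    return {"sender_domain": sender, "findings": findings}
```

Run against the sample, it reports the gitlab.company sender and the gitlab.company sign-in link while leaving the genuine docs.gitlab.com link alone.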
As a result of this test, Red Team has advised that all users review an entry regarding phishing attacks in the GitLab Handbook. It has also made a few other recommendations.
“Due to the low number of reports of this phish Security Team should communicate to all GitLab team members on a more frequent basis about phishing attacks and what to do if one is suspected,” reads the report.
The team also said that phishing exercises should be conducted on a quarterly basis on a different sample group.
In short, employees, no matter where they sit in an organisation, need to be vigilant just in case.

[Source – GitLab]