GitLab Hacks Own Remote-Working Staff In Phishing Test

Software development tools start-up GitLab has carried out a targeted phishing campaign on its own remote-working staff, finding that one-fifth of those targeted exposed their corporate login credentials.

The study comes at a time when more employees are working from home during coronavirus shutdowns around the world.

Facebook and Shopify said last week they would bring in formal policies of allowing staff to work remotely long-term, while HP Enterprise said it expects “at least” half of its employees never to return to an office setting.

These conditions have raised security fears, with Google, Microsoft and others warning of dramatic increases in phishing campaigns targeting corporate workers.

Remote risk

GitLab makes web-based software development tools that centre on the Git distributed version-control system.

The company was founded by Ukrainian Dmitriy Zaporozhets and Dutch citizen Sid Sibrangy, and while its headquarters is in San Francisco, its staff of nearly 1,300 work in 67 countries and regions.

It claims to be the world’s biggest all-remote company.

The firm’s security team said it selected 50 staff at random and sent them a targeted phishing email claiming to be a legitimate laptop upgrade offer from the GitLab IT department.

Staff were asked to click on a link to accept the offer, and were directed to a web portal to log in.

Those who entered their credentials were redirected to an online corporate handbook that explains how to identify a phishing attack.

In all, 17 of the targets, or 34 percent, clicked on the link, while ten, or one-fifth, entered their credentials.

Image credit: GitLab

Suspicion

Only six, or 12 percent, reported the email as suspicious to the security team, leading the researchers to think they needed to improve their communications around phishing attacks.

Security Team should communicate to all GitLab team members on a more frequent basis about phishing attacks and what to do if one is suspected,” the researchers said in their study.

The researchers built a number of clues into the attack that could have alerted targets’ suspicions, such as mentioning an older laptop than the ones typically used by employees and using a fake web domain, gitlab.company, for the login page.

The email also lacked a secondary communication method, while staff normally wouldn’t be asked to log into a web portal if they were already logged into their work account.

However, the researchers did build the fake page and its email system using security best practices, such as configuring email to use DKIM and obtaining legitimate SSL certificates, in order to make the process appear authentic.

“This legitimate looking infrastructure can be setup by an attacker very cheaply and in some cases for free,” the study said.

The company said it plans to continue carrying out quarterly phishing exercises targeting different sample groups.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Spyware Maker NSO Group Found Liable In US Court

Landmark ruling finds NSO Group liable on hacking charges in US federal court, after Pegasus…

1 day ago

Microsoft Diversifying 365 Copilot Away From OpenAI

Microsoft reportedly adding internal and third-party AI models to enterprise 365 Copilot offering as it…

1 day ago

Albania Bans TikTok For One Year After Stabbing

Albania to ban access to TikTok for one year after schoolboy stabbed to death, as…

1 day ago

Foldable Shipments Slow In China Amidst Global Growth Pains

Shipments of foldable smartphones show dramatic slowdown in world's biggest smartphone market amidst broader growth…

1 day ago

Google Proposes Remedies After Antitrust Defeat

Google proposes modest remedies to restore search competition, while decrying government overreach and planning appeal

1 day ago

Sega Considers Starting Own Game Subscription Service

Sega 'evaluating' starting its own game subscription service, as on-demand business model makes headway in…

1 day ago