back to article To test its security mid-pandemic, GitLab tried phishing its own work-from-home staff. 1 in 5 fell for it

Code hosting biz GitLab recently concluded a security exercise to test the susceptibility of its all-remote workforce to phishing – and a fifth of the participants submitted their credentials to the fake login page. The mock attack simulated a targeted phishing campaign designed to get GitLab employees to give up their …

  1. Tom Paine
    Meh

    Not bad

    20% is a pretty good hit rate for a first-pass phishing test (I've run a couple in my time, using commercial services.) The first place we did it started with something like 45% click thru, from memory. Got it down below 10% after a year. Of course, there'll always be someone, sooner or later, which is why it doesn't matter if they give away a password, because they're all using hardware token 2fa. Right kids?

    EDIT: Mildly surprised they were able to send realistic looking phish from a fake domain via GApps

    1. IGotOut Silver badge

      Re: Not bad

      EDIT: Mildly surprised they were able to send realistic looking phish from a fake domain via GApps

      The domain was real. Just not the correct one.

    2. big_D Silver badge

      Re: Not bad

      We ran a campaign last year. We were inundated by calls with people asking if it was a fake and whether they should click on the link or not.

      Most of our users have a lower skill level and, thankfully, they prefer to ask us, whether a link is fake, rather than blindly clicking on them.

      A common attack at the moment is an email saying our web mailer is holding suspected messages and the users should click on the link to verify the held messages. We don't use webmail, so, thankfully, they all asked us wtf is going on. I'd much rather be inundated with calls from cautious users than face a security breach.

    3. hmv

      Re: Not bad

      And the 3.4% rate includes phishing attacks from the clueless - you would expect a half-reasonable security team to come up with a more credible phishing attack than them!

      1. This post has been deleted by its author

  2. IceC0ld

    never ceases to amaze me, after over 20 YEARS of this, we STILL can't rely on users to just take a breath and re-read an Email

    this was always good for a giggle back in the days of XP, and when things like this were new, and the world wasn't that inter-connected

    but ffs, we have had DECADES now, and we still fall at the first hurdle

    the basic user maybe doomed, they may actually doom all of us too, but at least in an ever increasing unreliable world, it's nice to know you can absolutely rely on the absolute unreliability of users

    that, and it means we get to keep our jobs I suppose :o)

    1. Kientha

      Anyone can have a bad day and click on something they shouldn't have especially if under pressure or a phishing email looks like something they were expecting. It also doesn't help that a lot of organisations have legitimate emails that really look like phishing and contain most of the traits you're told to keep an eye out for. One of our vendor partners sent me a meeting invite last week that I was convinced must be phishing but it was legitimate. Bad spelling, suspicious link, not from their usual domain, emotive language.

      1. DJV Silver badge

        One of our vendor partners sent me a meeting invite last week

        I hope you educated them in a suitable manner... with the threat of heavy blunt instruments at the ready should they repeat the offence.

        1. bombastic bob Silver badge
          Unhappy

          Re: One of our vendor partners sent me a meeting invite last week

          even with thunderbird and a non-windows OS, and HTML viewing disabled, if someone sends me an "invite" like that I still get click-on links to accept the invitation. Unfortunately the calendar application (which I use) has that "feature" embedded and I'd have to edit code to disable it.

          I also have to wonder HOW MANY such phishing attempts would FAIL if the click-on link showed up with the REAL URL (insted of a fake one) by viewing the e-mail as plain text instead of HTML.

    2. Robert Grant

      We've become more aware, but the volume of legitimate emails has also increased a lot.

  3. Spicer

    GitLab

    After following some of the links in the story, I'm duly impressed by GitLab's culture of having all their corporate policies public!

    https://about.gitlab.com/handbook/

    https://about.gitlab.com/handbook/security/

    Kudos!

  4. Anonymous Coward
    Mushroom

    Not bad? Users? Policy?

    This is not bad, it is abysmal. These are not the normal unwashed users we rightly deride.

    These are us.

    20% of supposedly knowledgeable developers who are responsible for creating and maintaining the code that the world depends on can't recognize a phishing attack? 74% recognize it as phishy but don't bother to inform security?

    1. Joe W Silver badge

      Re: Not bad? Users? Policy?

      If gitlab has staff, they most likely have a department for HR, or at least payroll, or some management. Then, there's marketing and other... stuff. So not all of those were "us" (I hope). Still, you are right, for an IT company that is too many (well, it is too many for every company - it's just that we should expect a better quota from them).

      I don't really want to think about stats now, but I would put an uncertainty of about 5 people on those numbers for around 75% uncertainty. That would be click rates between 10% and 30%. Maybe somebody else can do the full Bayesian calculation...

      1. Anonymous Coward
        Anonymous Coward

        Re: Not bad? Users? Policy?

        At a guess many staff were working from home that were not previously and to do so rapidly being given access to new tools and equipment. That may have been sufficient to make them more susceptible than they would normally have been.

        1. EvilDrSmith Silver badge

          Re: Not bad? Users? Policy?

          Yup, this.

          Remember, for most of us, IT is the tool we use to do our job, not the job itself.

          WfH means doing our job in strange new ways, and people are probably concentrating more on the basics of their actual job than they normally have to.

          Also, if you normally work in an office, if you get a dodgy email, it's easy to just ask a colleague - 'does this look dodgy'?

        2. Anonymous Coward
          Anonymous Coward

          Re: Not bad? Users? Policy?

          > At a guess many staff were working from home

          No need to guess. GitLab has had a 100% remote workforce since day one.

      2. Terry 6 Silver badge

        Re: Not bad? Users? Policy?

        NO! I agree that they might well be in HR or even lower pondlife, if there are any.

        But they work in a tech company. They should have a better than basic level of awareness at the very least.

        1. Anonymous Coward
          Anonymous Coward

          Re: Not bad? Users? Policy?

          Don't take that for granted... i work in a tech company and HR, marketing and management are just clueless when it comes to anything that doesn't involve gmail or ms word (photoshop for marketing)...

        2. doublelayer Silver badge

          Re: Not bad? Users? Policy?

          I disagree--HR is HR, and whether it's tech or something else, they're going to have knowledge of HR matters and probably not much else; HR doesn't really need to know anything about the product as long as they can understand when people are doing something wrong. What I don't know is who these people were who received the messages. If only fifty went out, it could be basically any subset, as wikipedia estimates they have about 1200 employees.

          If it's fifty people in HR, sales, and finance, it's regrettable but not that surprising to me. If it's fifty developers, we have a major problem.

        3. Anonymous Coward
          Anonymous Coward

          Re: Not bad? Users? Policy?

          From what I've seen recently then the danger can come from tech types who want to demonstrate their superior knowledge over others. Were I work a few months ago someone received a phishing email and rather than following company policy of ignoring it and possibly passing details to IT dept they decided to "investigate" and they downloaded the payload (very carefully they assured everyone in their subsequent email) and did some "forensic analysis" on the contents. They then did a "send-all" email to everyone in the company which included a copy of the phising email and its payload explaining that everyone should be on the lookout for similar emails because they'd done some checks and confirmed that it would be really bad to open the attachment - unless they were super-knowledeable like they were and knew how to do this safely. Needless to say the IT dept weren't impressed and did a reply-all to remind everyone what the compnay IT and security policy stated to do with suspicious emails!

          1. Anonymous Coward
            Anonymous Coward

            Re: Not bad? Users? Policy?

            > From what I've seen recently then the danger can come from tech types who want to demonstrate their superior knowledge over others

            I refrain from calling other people names, with one exception. :)

            Those are the type of idiots who can destroy your company if you don't slap them often enough or better, give them the boot as soon as you can.

            It just goes with their personality so you basically won't get them to change.

    2. holmegm

      Re: Not bad? Users? Policy?

      "74% recognize it as phishy but don't bother to inform security?"

      I don't bother reporting most phishing in general. There's just too much of it.

      I guess a really good looking one that appeared to be from my own employer ... well, yeah, I probably would. You have a point.

  5. Roger B

    When only 12% of the company reported the phishing attempt it makes me wonder how many people in general report the ebay/tax office/americanexpress/paypal in general.

    1. It's just me
      Mushroom

      I've been getting a phish from "American Express" sent through SendGrid about once a week for the last month. I've reported them all to spoof@americanexpress.com and abuse@sendgrid.com but nobody appears motivated to stop them.

      1. JCitizen
        Alert

        Phish report..

        @It's just me

        When I get a phishing email on my Outlook.com web based email account; I never again see the same email, or even close to it, right after I report it. I also get a response from Microsoft thanking me for doing it. I only get a phishing email maybe once a month on average. Other suspicious spam I only get maybe twice a week(ordinary type mostly).

  6. The Mole

    To be fair to them this wasn't a normal phishing attack it was a highly targeted one.

    The main way people spot an attack is if the domain name looks funny, but the name in this case was GitHub - ok with an unusual TLD but in a world where adverts tell you just to Google the site rather than give the domain name what do we expect?

    It's also not helped that many company emails do look like phishing attacks, particularly with single sign on and the use of cloud based services which means the it department might well be managing this through a different domain.

    The only other red flag is that a new laptop is too good to be true.

    1. Fading
      Facepalm

      I have been caught out....

      Reporting a suspicious email that was an actual company email (even had the suspicious spelling mistakes) ....

      1. Cuddles

        Re: I have been caught out....

        This is probably the biggest issue with spam and phishing. It doesn't matter how much you educate people about what suspicious communications look like when all too many legitimate ones look equally suspicious.

        1. Terry 6 Silver badge

          Re: I have been caught out....

          Classic examples are when banks are sending you security advice emails one week, and "click here and log in for more information about our great new offer" emails the next.

      2. James Wilson

        Re: I have been caught out....

        Keep reporting them. When enough people do then the InfoSec people can show the pointy-haireds and say "look, you're training your staff to get pwned, here are some examples of where that's cost companies millions". We haven't got the the point where all genuine company emails have the right domain etc. (it appears some people have worse turning circles than supertankers) but we do at least now have an intranet page listing the legit-but-dodgy-looking ones and nearly-all the genuine ones have a message in them about checking that page first. It ain't perfect but it's progress.

        Caveat: I ain't an InfoSec expert, just a code monkey who likes pointing out where things are wrong.

        1. Yet Another Anonymous coward Silver badge

          Re: I have been caught out....

          I've been ignoring all these obviously fake company emails telling me to log into Microsoft Teams, now I get a new one telling me that we have switched form Teams to Yammer in order to be customer focussed synergy leveraged with dynamic upside while delighting stakeholders - so I'll ignore these as well.

          As a bonus I don't have to go to any meetings

    2. Anonymous Coward
      Anonymous Coward

      Hmmm

      We do phishing simulations and we have a lot of progress in reducing click through, but all ours have to be relatively generic.

      I know the bad guys will do as much as they can to make their phish seem realistic, using real company logos and images stolen from the targets web site, whereas companies tend to be limited to being more generic (or totally made up) for fear or upsetting (and getting sued) by others.

      I wonder what the rate would have been if the phish email hand been less to tailored to GitLab. It would be interesting to see how many of the people who clicked through did so because it was branded to the company, (as The Mole suggests) and they thought it was safe, over more generic links they may have reported.

  7. cantankerous swineherd

    the problem is email, not people.

    1. Anonymous Coward
      Windows

      "the problem is email, not people."

      No, surely it's their keyboards or perhaps their hands. That's it: cut off their hands.

      1. big_D Silver badge
        Coat

        Alexa, follow the link in my email...

    2. Terry 6 Silver badge

      The problem is partly companies.

      A strict...."We will never send you official emails with links that ask for your log-in details" policy should be a basic. Internally and externally. Admin and sales/ marketing.

      Every time someone gets an email with a link that asks for a username etc.they're being trained, Pavlov style, to respond. The first 100 times may well be legit. But the 101st may well not be.

    3. hmv

      Nope.

      These kind of attacks don't require email and in fact predate computers.

      That's not to say email couldn't be made a lot better.

    4. doublelayer Silver badge

      The problems are email and people. Email can be modified to do some things. No impersonation is a good start. Wouldn't help in this case--they didn't impersonate, they used a valid misleading domain. Showing link contents before going somewhere would be nice. Probably wouldn't help in this case. Subsetting HTML so it's harder to do visual tricks would probably annoy a lot of people, but some of those people are the people who send multimegabyte messages overloaded with logos, so I'm fine with it. Probably wouldn't help in most cases because if everyone can't do it, and scammers can't do it, then they still look the same.

      In the end, someone has to decide whether to click the link or not. The email system can try to point out potential problems, but automatic means can't block everything malicious. While email needs some updates, it can't and won't fix stupid user syndrome.

  8. Anonymous Coward
    Anonymous Coward

    Did they copy a genuine phishing gitlab email, or just send their own template that users are used to seeing?

    Yes it's bad they didn't recognise the domain change, but usually phishing emails are so poorly designed compared to the real one that it's so easy to spot for people like us.

    Also it's a very small testing pool... just 50 people.

    At least they were using Gmail for what it's supposed to be used for.... fraud.

    1. Anonymous Coward
      Anonymous Coward

      > Yes it's bad they didn't recognise the domain change

      It's only bad if there had been a previous 'all staff' directive that said something like "genuine requests from the IT dept. will come from domain xxx.gitlab.yyy.'

      Anything else gitlab.zzz just looks like the marketing department were allowed to let loose another bright idea.

    2. Sometimes an Engineer

      I would beg to differ. Recently (within past year) I've been seeing increasingly sophisticated phising emails (mainly for personal banking admittedly). Some of them have the templates and logos nearly identical, and to top it all off they even have the disclaimers saying if you don't believe an email is genuine, don't click the link. The only reason why even realize these are not legitimate is because the spam filter caught them as having incorrect headers.

      Of course this is not helped by the banks telling us not to click links in emails..... and then nearly all their official emails having big shiny links to click on.

      1. doublelayer Silver badge

        Very much this. It's really important for us and basically everyone else to realize that, while a lot of phishing emails that have come in and will continue to come in are terrible and obvious, there can and will be more sophisticated ones. It takes longer to get the logos into the right place, make the login page work the same, get text checked for spelling, grammar, and naturalness, and do the work behind other links in the message that a user might check for authentication, but that work can be done. I've seen several not bad attempts. None of us is immune to a message crafted well enough.

        1. Terry 6 Silver badge

          Some of the fake TV License ones look very convincingly official And I'd guess an awful lot of non-tech savvy/non suspicious minded cynical bastards ( I think there's an overlap) would be worried enough to click on the link and put in their bank details.

        2. JCitizen
          Coffee/keyboard

          @doublelayer

          Indeed! Back when PayPal used to put a lot of active graphic content in their emails. I received one that made it through Microsoft filters, because the miscreant copied the images correctly but they weren't active, so it made it to my inbox. Now of course, this email also had my full name on it (probably from the Equifax breach), and it fooled me thoroughly. However, after clicking on it, and noticing a totally legit looking login page, my password manager refused to fill the forms. SAVED BY MY PASSWORD MANAGER! *PHEW*!!!

          I was never so embarrassed in my life! Needless to say, I reported it to PayPal's spoof address, and the technicians at PayPal were impressed with the caginess of this spoofer! I no longer get active image communications from PayPal, but I don't click on the one link they have either. I've also set my filter to exclusive, which is as high as I can go.

  9. Anonymous Coward
    Anonymous Coward

    It doesn't help when companies use multiple domain names. For example, I do business with Zurich Municipal insurance, who have used name@zurich.co.uk for ten years. This year my renewal came from anothername?zurichtogether.co.uk, which turned out to be legit. But why the hell change?

    1. Mr Dogshit

      Yep. Got one from my local council. It invited me not to go to https://localcouncil.gov.uk/counciltax but https://paymycounciltax.net or something stupid. Probably was legit, but I ain't clicking on it.

    2. Graham 32

      Because the marketing droid sees everything as marketing, even the domain name. The IT dept probably said "FFS!" but couldn't get it overturned. And I'm sure if you asked they would say "security is our top priority".

  10. Tony W

    Just click this link

    Still far too many legitimate emails that look like phishing. Just now received one from Ebico energy supply company. 'Don't reply to this email, just click this link. ' If it had been fake it could get a username and pw, and there are enough people who re-use those to make it a worthwhile attack.

  11. Anonymous Coward
    Anonymous Coward

    Not helped by companies themselves

    A few months ago I started a new job at <companyname>. Where all internal emails use the usual yourname@companyname.com format.

    A few weeks after joining, I get an email from 'companyname via Workplace <notification@fbworkmail.com>'. We all (should) know that the name part of these formats of emails addressees (the 'companyname via Workplace' bit) is just free text, so cannot be trusted.

    As I've never used or even looked at Facebooks' Workplace site before, the fbworkmail.com domain was not familiar to me, and so this email immediately looked suspicious.

    All images in the email were blocked by Outlook by default (company laptop with Office365 installed), so added to the suspicion (surely if this was a legit email, then policy would have allowed the images by default for that domain?).

    All links in the email (many of them,), went to a 'clicktime.symantec.com' URL, these were huge in length and included embedded data in them, such as my company email address, and seemed to be specifically designed to obfuscate the real target URL. Symantec is not used by the company for AV etc. So looked odd at least, even though I know of Symantec itself as a company.

    At no point did the company contact me to let me know that they were using Facebook Workplace, or to expect anything from the fbworkmail.com domain.

    At best this looked like spam, at worst it looked like a phishing exercise.

    I reported it, turns out of course it was legit!

    How are users (especially none technical users) expected to stand any chance of recognising a real phishing attack, if this is the state of official emails!!

    Dear Company <insert name here>, make sure all your official communications use companyname.tld at all times, no exceptions allowed.

    Also make sure all links in all emails are to internal company sites and/or using companyname.tld,again no exceptions allowed.

    If you do need to reference external URLs, then create an internal page (i.e. sharepoint page or whatever you are using) with the details on it, and link to that page instead.

    People would quickly get used to everything being to/from/linked to companyname.tld and would be far more likely to then notice even the most sophisticated of phishing attacks.

    1. diguz

      Re: Not helped by companies themselves

      As many people said in other comments: this is what IT folks would do and preach, but unfortunately the decision to use other methods for spamming all the staff about the next company event, like fbworkplace or other mailing list services, are made by the marketing/HR departments, who don't give a single "f" about security or best practices, but just want the least amount of clicks to get the job done.

      1. Anonymous Coward
        Anonymous Coward

        Re: Not helped by companies themselves

        Our parent company's HR/Benefits/training etc site is linked from our intranet but is hosted on a url something like: performance24.succesfactors.workplace.eu !!!

  12. Anonymous Coward
    Anonymous Coward

    I rely on 1Password for inputting all my passwords.

    It will input with a click on most sites and offers the password only for the domains that you tell it to match.

    So it would probably alert me to this kind of attack because the password would not be offered automatically.

    After seeing the domain mismatch I'd start to smell something phishy.

    I hoipe other password managers can do this. It's a security feature as well as a convenience.

    1. Anonymous Coward
      Anonymous Coward

      > I rely on 1Password for inputting all my passwords.

      I also rely on 1Password: "1234" to be specific.

      Yes, yes, I'm leaving.

      1. Yet Another Anonymous coward Silver badge

        That's the code on my luggage !

        1. Anonymous Coward
          Anonymous Coward

          Oh! That explains why those pants did not look familiar to me.

  13. TeeCee Gold badge
    Facepalm

    Well, obviously.

    ...click rates vary from 7 per cent to 45 per cent, depending on the survey.

    Ask people if they would click on an iffy link and presto, a whopping 93% of them say; "Oh no, not me, I'm way too smart to do that.".

    Send them an iffy link and there's yer 45%.

    Also:

    Many moons gone around these parts there was a story on how Mozilla, having sent their user base a prompt to update their Flash plugins, were bemoaning the fact that only 35% of them had bothered to do so. A shade over six months later there was (inevitably, as I saw it) another story on how a coincidental 35% of FF users had been pwned by a fake upgrade.

  14. Anonymous Coward
    Anonymous Coward

    Good exercise

    We do phishing test quarterly at our bank on staff. Pretty good ones to. Our click rate is almost 0. But we do this all the time, offer training, and rewards.

    My team gets lots of mail forwarded to us every day as Potential spam, which is great. We update our Email filters almost daily with the data they send us.

    I don't want to call our staff paranoid, but they all know we are in this together. Mostly older women that are suspect of fraud all day long.

    Maybe the GitHub people should ask old women how to read emails?

    1. Anonymous Coward
      Anonymous Coward

      Re: Good exercise

      > Maybe the GitHub people

      Maybe, but this article is about their competitor, GitLab.

      Your attitude is the right one though. You see your usual share of arrogant "that'll never happen to me" / "how can other people be so stupid" share of idiots here. Well, they are part of the problem. The sort of approach that you describe is how you get results in practice.

  15. Anonymous Coward
    Anonymous Coward

    Yep that's good.

    I got a 26% click (fail) rate when I did this a few years ago.

    I was unable to continue the testing becasue the teaching unions protested that their members were being entrapped by this (no action was taken against any person who fell for the test phish).

    Schools got hit by ransomware about three weeks later.

    We are restarting this now, unions have been told to fuck off and grow up already.

  16. twiki

    My employer phishes me monthly. Each time I get a suspicious email, I do a whois and it appears professional security companies are the only ones who actually register useful information. I go to their websites and it explains they are a security company

    I do not report this to my IT department as I cant be raised.

    My colleagues look at then and go "not again"

    So one should not read anything into low reporting rates.

  17. ThunderCougarFalconBird

    The company I work for does stuff like this regularly. If you get a phishing email an *DO NOT* report it to security, then that's a demerit. If you open the email and click on any of the links in the email, that's a demerit. If you expose any secure information like passwords or confidential information or documents, that's a demerit. You are only allowed 3 demerits (a 3 strikes rule) After your 3rd demerit, you are escorted out of the building. I only know of one employee where this happened to them. I was working with her on an issue and I said I'll send a test email. She asked not to because she was already at 2 demerits and as a result, she doesn't open emails anymore...well, a week went by and I saw her out in the parking lot with a box of her stuff. She later told me she had gotten her 3rd strike that day and was gone! Oh well...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like