Welp, at least that’s better than industry averages, says code-hosting biz

Source: To test its security mid-pandemic, GitLab tried phishing its own work-from-home staff. 1 in 5 fell for it

The mock attack simulated a targeted phishing campaign designed to get GitLab employees to give up their credentials.

The GitLab Red Team – security personnel playing the role of an attacker – obtained the domain name gitlab.company and set it up using the open source GoPhish framework and Google’s GSuite to send phishing emails. The messages were designed to look like a laptop upgrade notification from GitLab’s IT department.

“Targets were asked to click on a link in order to accept their upgrade and this link was instead a fake GitLab.com login page hosted on the domain ‘gitlab.company’,” explained security manager Steve Manzuik in a GitLab post.

“While an attacker would be able to easily capture both the username and password entered into the fake site, the Red Team determined that only capturing email addresses or login names was necessary for this exercise.”

Fifty emails went out and 17 (34 per cent) clicked on the link in the messages that led to the simulated phishing website. Of those, 10 (59 per cent of those who clicked through or 20 per cent of the total test group) went on to enter credentials. And just 6 of the 50 message recipients (12 per cent) reported the phishing attempt to GitLab security personnel.

Download a CyberAware Cheat Sheet