GitLab Hacks Own Remote-Working Staff In Phishing Test

Company finds 20 percent of its all-remote staff responds to phishing message by exposing user credentials, raising fears about the work-from-home future

Software development tools start-up GitLab has carried out a targeted phishing campaign on its own remote-working staff, finding that one-fifth of those targeted exposed their corporate login credentials.

The study comes at a time when more employees are working from home during coronavirus shutdowns around the world.

Facebook and Shopify said last week they would bring in formal policies of allowing staff to work remotely long-term, while HP Enterprise said it expects “at least” half of its employees never to return to an office setting.

These conditions have raised security fears, with Google, Microsoft and others warning of dramatic increases in phishing campaigns targeting corporate workers.

Remote risk

GitLab makes web-based software development tools that centre on the Git distributed version-control system.

The company was founded by Ukrainian Dmitriy Zaporozhets and Dutch citizen Sid Sijbrandij, and while its headquarters is in San Francisco, its staff of nearly 1,300 work in 67 countries and regions.

It claims to be the world’s biggest all-remote company.

The firm’s security team said it selected 50 staff at random and sent them a targeted phishing email claiming to be a legitimate laptop upgrade offer from the GitLab IT department.

Staff were asked to click on a link to accept the offer, and were directed to a web portal to log in.

Those who entered their credentials were redirected to an online corporate handbook that explains how to identify a phishing attack.

In all, 17 of the targets, or 34 percent, clicked on the link, while ten, or one-fifth, entered their credentials.


Suspicion

Only six, or 12 percent, reported the email as suspicious to the security team, leading the researchers to think they needed to improve their communications around phishing attacks.

“Security Team should communicate to all GitLab team members on a more frequent basis about phishing attacks and what to do if one is suspected,” the researchers said in their study.

The researchers built a number of clues into the attack that could have aroused targets’ suspicions, such as mentioning an older laptop than the ones typically used by employees and using a fake web domain, gitlab.company, for the login page.

The email also lacked a secondary communication method, while staff normally wouldn’t be asked to log into a web portal if they were already logged into their work account.

However, the researchers did build the fake page and its email system using security best practices, such as configuring email to use DKIM and obtaining legitimate SSL certificates, in order to make the process appear authentic.

“This legitimate looking infrastructure can be set up by an attacker very cheaply and in some cases for free,” the study said.
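The point about DKIM and valid certificates can be shown from the receiving side. The following is an added example, not code from GitLab's study: a mail check that treats a DKIM pass as meaningful only when the signing domain is a trusted one, and flags brand lookalikes such as gitlab.company. The trusted domain gitlab.com, the sample message and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = {"gitlab.com"}  # assumption: the organisation's real mail/login domain
BRAND = "gitlab"          # brand label that lookalike domains tend to reuse

# Constructed sample message (not the text used in the exercise).
SAMPLE = """\
From: IT Department <it-ops@gitlab.company>
To: employee@gitlab.com
Subject: Laptop upgrade offer
Authentication-Results: mx.example.net; dkim=pass header.d=gitlab.company; spf=pass
Content-Type: text/plain

Accept your upgrade here: https://gitlab.company/upgrade and log in.
"""

def is_trusted(host):
    # Exact match or true subdomain only; a prefix or substring test would
    # accept "gitlab.company" because it begins with "gitlab.com".
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def assess(raw):
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if BRAND in sender and not is_trusted(sender):
        findings.append(f"lookalike sender domain: {sender}")
    # DKIM "pass" only proves the signing domain sent the mail, not who owns it.
    auth = msg.get("Authentication-Results", "")
    for d in re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", auth):
        if not is_trusted(d):
            findings.append(f"dkim=pass, but signed by untrusted domain: {d}")
    # HTTPS on the link says nothing about the host's identity either.
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        host = urlsplit(url).hostname or ""
        if BRAND in host and not is_trusted(host):
            findings.append(f"lookalike link host: {host}")
    return findings

if __name__ == "__main__":
    for finding in assess(SAMPLE):
        print(finding)
```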

The company said it plans to continue carrying out quarterly phishing exercises targeting different sample groups.