Following a test, 20% of Gitlab employees are having a phishing attack
Phishing or phishing is a well-known technique in the cybercrime industry.
It's literally classic of the genre, which allows the malicious cyber to collect information about unwary Internet users.
This article will also interest you: A phishing campaign against users PayPal
Information that can often be sensitive or confidential. These include login credentials or any data that allows authentication of a particular person during any connection. This technique and often used through messaging tools whose users of digital services tend to use the most. This could be, for example, the email, which alone constitutes a large majority of phishing campaigns. It could also be classic messaging apps such as Messenger or Whatsapp, or simply SMS.
To succeed, the cybercriminal will send a message in order to attract the user to a fake website. The trap message usually relates to a common theme such as the covid-19 we live in today, or are focused around games that will allow the targeted person to earn money. If, for example, the latter lacks vigilance, and clicks on the link proposed in the messages that it receives, it will be written to a site that is managed by cyber-prisoners. They will take the opportunity to ask them to fill out forms that will then allow them to retrieve the information they are interested in. Stan Adkens, noted: "Phishing attacks are designed to steal identifiers or trick the recipient into downloading or executing dangerous attachments. It is a technique used by fraudsters to make the victim believe that he or she is talking to a trusted third party. »
For those of interest to us in this story, it is simply note that GitLab tends to perform phishing tests on its employees every quarter. But each time, the result gives the impression that it is virtually impossible to eradicate this phenomenon. The company's last test was last week. In this phishing campaign, the company's goal was to target certain employees to obtain certain information such as gitlab.com identifiers. The teams were tested by e-mails received in a rush that looked like a completely normal commercial communication campaign. And of course some got caught up in the game.
The company has meant an important fact, the goal is not at all to punish people who do not follow digital hygiene measures properly, but in a sense to make them aware, to show them that the fault comes largely from them, in order to get them back on the right path. It goes with the security of the company together.
The phishing simulation did not take into account some details, what is the additional defense, including multi-factor authentication. The test team has put the GitLab.company domain online. They used G Suite to dump corrupt emails. The services and domain name used in this context have been configured with SSL configuration to give the image to the mails as legitimate emails from the company. GitLab pointed out that such infrastructure can be set up by a free and effortless cybermal.
Of the fifty employees targeted in this test, 17 were caught by the trap. Unfortunately, they clicked on the proposed link. As a result of this act they were automatically redirected to a manual designed by GitLab to raise awareness against phishing. Victims will then be encouraged to take training courses or solicit the security team to provide some recommendations so that this does not happen again. In addition, 6 of the targeted people automatically reported the mail as malicious after receiving it. Their intuition on the matter was the right one.
GitLab's example on this test highlights a certain fact. Phishing is always something difficult to fight, to see eradicated. Chris Rothe, the founder and product manager of Red Canary, a threat detection company, noted a little bit: "Phishing is a great example of something that can't be totally prevented (…) Because e-mail is an essential business function, it must be optimized for its commercial function and not for security in most cases. There are many strategies that IT teams can use to reduce the number of successful phishing attacks – blocking emails, counting and analyzing attachments, awareness training – but there is no 100% solution."
Now access an unlimited number of passwords: