May 27, 2020
It really pays to take special note of domain names as this recent experiment highlights.
GitLab is a popular service where developers can store their code and work on coding projects with a team. The powers-that-be at the company decided to emulate a targeted phishing campaign against its own team members to see how many would take the bait.
The aim of the exercise was to see how many would expose their GitLab.com credentials. Being an uber-geeky sort of service, you'd think few would fall for such a ruse, but that wasn't the case.
A random sampling of 50 GitLab team members was selected and 17 clicked on the phishing link in the email. Of those, 59% exposed their credentials. Just 6 of the 50 reported the email as being suspicious.
It wasn't a particularly tricky campaign, either. The lure was the promise of an "upgraded" notebook computer in an email sent to the targets - all they had to do was click on a link to gitlab.company and verify their credentials.
There were various flags that all was not as promised - such as the email mentioning an older model of MacBook Pro than what most users already had. The biggie was that gitlab.company isn't an official GitLab domain, but the landing page was made to look like the company's login page.
Similar-sounding or similar-looking domain names (aka lookalike domains) are commonly used in targeted phishing campaigns - it's why it pays to take special notice of a domain name; not just in a link, but also what appears in the browser's address bar after clicking on it.
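As an added illustration (not part of the original article or of GitLab's exercise), here is a small Python check of the kind a mail filter or awareness tool might run over the links in an email: it reduces each link to its registrable domain and compares that against an allowlist, so that gitlab.company, gitlab.com.example.net and near misses are flagged while genuine gitlab.com subdomains pass. The allowlist and sample URLs are constructed, and the two-label registrable-domain rule is a simplification of what a Public Suffix List lookup would give.

```python
from urllib.parse import urlsplit

# Constructed allowlist of the organisation's legitimate registrable domains
# (an assumption for this example, not an official list from GitLab).
OFFICIAL_DOMAINS = {"gitlab.com", "gitlab.io"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    This misses multi-label suffixes such as co.uk; a production check
    should consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near misses like gitiab.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a link's host."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    # userinfo before '@' (e.g. gitlab.com@evil.example) is meant to be misread as the host
    if parts.username is not None:
        return "lookalike"
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    if reg in OFFICIAL_DOMAINS:
        return "official"
    # the brand label appearing anywhere in a foreign domain is the classic lookalike pattern
    brand_labels = {d.split(".")[0] for d in OFFICIAL_DOMAINS}
    if any(label in brand_labels for label in host.split(".")):
        return "lookalike"
    # small edit distance to an official domain: typosquat or homoglyph-style near miss
    if any(edit_distance(reg, d) <= 2 for d in OFFICIAL_DOMAINS):
        return "lookalike"
    return "unrelated"
```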
No doubt there's a few red faces among the GitLab team, but the company has performed a valuable service in releasing details of this exercise publicly and the lessons from it should be heeded by all businesses.
To avoid phishing attacks using lookalike domains, companies could register their domain in all available extensions; but that task has been made all the more difficult and expensive since the explosion of new generic top-level domains (ngTLDs) over recent years. Where once upon a time there were just a few hundred, most of them country-specific and not open to registration by outsiders, there are now around 1,500 - with many of those available for registration by all.
The key takeaway from this is education - no matter how tech-savvy management and staff may appear to be.
More on GitLab's phishing experiment can be found here, including screenshots of the email used. By the way, there are tools available for businesses to run their own tests - one is GoPhish, which was used in this exercise.