GitLab runs phishing test against employees – and 20% handed over credentials

This is very disturbing. If alleged professionals running a high profile web site have a 20% failure rate, how can the security community expect the rest of the world to do any better?

I remember years ago reading about an e-mail virus (Beagle, often known as Bagle) that was infecting a lot of computers. When the big-name e-mail providers started scanning for and deleting the messages, the authors switched to a novel approach: The virus e-mailed an encrypted zip file containing the malware, placing the password and installation instructions in the body of the message.

The virus kept spreading rapidly despite the fact that people had to manually save the attachment, unzip the encrypted contents and deliberately run the malware.

At that point, I became convinced that a certain percentage of the population really is dumb enough to do anything a random e-mail message tells them to do. There doesn’t exist any cybersecurity product that can protect a computer against that level of stupidity.

Back in college, a big joke was the “manual virus” which tells you to forward the message to everybody in your address book and then reformat your hard drive. I don’t think jokes like that are funny anymore.

Update: I was able to identify the virus in question. I linked to a news article (from July 2004) about it, above.

Seriously. A lot of the consultants I work with on TidBITS Content Network stuff resell IDAgent, which has a service that provides these sorts of simulated attacks and ongoing, interactive training. I don’t know how effective it is, but it’s definitely better than nothing.

One of the real problems we face is that humans default to trust. Malcolm Gladwell’s recent book Talking to Strangers explains that extremely well. It turns out that very, very few people are suspicious most of the time because society would grind to a halt if such behavior were more common.

But on the Internet, where it’s possible to scale attacks to unimaginable numbers, bad actors can easily take advantage of this fact of human nature. And in many cases, like the Nigerian scams, they make the scams quite obvious because they want to catch people who are truly gullible. It’s just sad, and I don’t think there’s any real solution.

This is so true. I’ve been struggling to help my 79-year-old mother to deal with this. She got an email the other day supposedly from my step-brother. It was clearly not from him: a vague subject (“Try this!”), only a gibberish link in the body followed by his full name (David, not Dave), no personal message, and not from his email address.

The site was selling some sort of fake medical crap (supposedly endorsed by Dr. Oz) and since my mom has some health issues, she bought it. I couldn’t believe she could be so naive, but she was like, “It looked fishy, but Dave sent it, so I figured it must be good.”

Unfortunately, she only told me after the product had been shipped. Fortunately, the company was somewhat reputable and quickly reversed the charge when I complained. (She refused delivery of the meds when they arrived.)

Since my mom has trouble buying stuff from Amazon, the easiest shopping site in the world, I was shocked she was able to give her debit card number to this site without calling for my help!


My employer uses ProofPoint (formerly Wombat Security) for this sort of thing. Every month or so, I get what appears to be a phishing attempt in my mailbox. If you click on the link, you are taken to a page which tells you that had this been a real attack, you could have become a victim.

Of course, being in an office full of engineers, many of us looked at the mail’s source, ran a “whois” on the link’s domain, saw that it was from Wombat Security, and then (concluding it to be safe), clicked on it to see what would be presented.

I would love to find out how many of GitLab’s tests “failed” in this manner. Assuming, of course, that the test didn’t actually involve asking people to divulge access credentials, and that people gave legitimate credentials to it - if people did that, then there’s no excuse.


Sometimes the good guys strike back, like Harry Potter did:


There are so many human behavior traits that, at least overall, are beneficial to humans, but can lead to disastrous outcomes when applied in the wrong situation, such as confirmation bias: on the one hand, it’s a good thing that we don’t change opinions every time we hear conflicting information about a topic. On the other hand, if we’re wrong, or just can’t grasp massive, global challenges such as global warming or a virus pandemic, sticking with our very own established truth literally costs lives.

That is why I consider phishing or, more generally, so-called “dark design patterns” so repulsive: a computer virus usually does damage with simple, brute-force methods, whereas social engineering for phishing, etc. intentionally applies human psychology towards evil goals.

What’s truly mind-boggling is that people still support companies that they know to apply such dark patterns time and time again. cough, cough Facebook cough, cough