Commit 5bfbe21d authored by Steve Manzuik

Update rt-014 - Phishing Campaign/README.md

parent 5fbaa356
......@@ -44,23 +44,23 @@ For this exercise Red Team obtained the domain name gitiab.com and configured it
The phishing framework we leveraged for this exercise is an open source project known as GoPhish. We hosted the tool on a small linux system in our GCP infrastructure. GoPhish provides a flexible framework that is highly customizable and has built in capabilities to track and capture responses to phishing campaigns.
## Attack Narrative
For this exercise we randomly selected 50 GitLab team members as targets of the phishing email. The email, screenshot below, was designed to appear to be a legitimate laptop upgrade offer from GitLab's IT department. Targets were asked to click on a link in order to accept their upgrade and this link was instead a fake GitLab.com login page hosted on the domain "gitiab.com". While an attacker would be able to easily capture both the username and password entered into the fake site, the Red Team determined that only capturing email addresses or login names was necessary for this exercise.
This attack narrative focuses only on the new template used and will not outline the previous template that was also sent. Please review [RT-011](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-tech-notes/-/tree/master/RT-011%20-%20Phishing%20Campaign) for specifics on the previous template.
For this exercise we randomly selected 300 GitLab team members as targets of the phishing email. The email, screenshot below, was designed to appear to be a legitimate Expensify offer from GitLab's IT department. Targets were asked to click on a link in order to accept their corporate card and this link was instead a fake GitLab.com login page hosted on the domain "gitiab.com". While an attacker would be able to easily capture both the username and password entered into the fake site, the Red Team determined that only capturing email addresses or login names was necessary for this exercise.
![Graphs](./data/RT014_Graph.png)
Of the 50 phishing emails delivered 17 recipients cicked on the provided link. Of those 17 recipients, 10 of them attempted to authenticate to the fake site. Only 6 recipients reported the suspicious email to SecOps. Those that entered their credentials were then redirected to the [GitLab Handbook](https://about.gitlab.com/handbook/security/#phishing-tests).
Of the 300 phishing emails delivered 12 recipients cicked on the provided link. Of those 12 recipients, 5 of them attempted to authenticate to the fake site. Only 13 recipients reported the suspicious email to SecOps. Those that entered their credentials were then redirected to the [GitLab Handbook](https://about.gitlab.com/handbook/security/#phishing-tests).
### Phishing Email & Website Samples
![Phishing Email](./data/RedTeamPhishEmailMay2020.png)
![EmailDetails1](./data/EmailDetails1.png)
![Phishing Email](./data/phishingemail.png)
![EmailDetails2](./data/EmailDetails2.png)
![EmailDetails1](./data/phishheader.png)
Targets could have identified that this was in fact a phishing email the following ways:
- The email address was it-ops@gitlab.company - not a legitimate gitlab.com one. Similar-sounding domain names are a common technique used in targeted phishing campaigns.
- The email address was it-ops@gitiab.com - not a legitimate gitlab.com one. Similar-sounding domain names are a common technique used in targeted phishing campaigns.
- The email references an older model of Macbook Pro than what most users already have. Subtle factual errors are often indicators of an illegitimate source.
- No secondary communication method, such as Slack or a company call, provided an announcement regarding any laptop upgrades.
- Email message header details in Gmail can be viewed (Open the message, then go to the More option in the upper right, then choose the Show Original option) to give specific clues as to the methods by which the email was generated. Keywords such as "phish" and multiple references to the illegitimate top level domain gitlab.company are key indicators.
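Review bot: the "how targets could have identified this" list at the end of the hunk is not updated for the new pretext. The updated narrative lines describe a 300-target "Expensify offer" and a "corporate card", yet the bullets still cite "an older model of Macbook Pro" and the absence of an announcement "regarding any laptop upgrades", which belong to the laptop-upgrade template this file says it will not outline; reword those two bullets for the Expensify template or drop them. The same applies to the header bullet, which still names "gitlab.company" as the illegitimate top level domain while the sender bullet was changed to "it-ops@gitiab.com"; the two should name the same domain (gitiab.com is also the one the narrative gives for the fake login page). Minor points: "cicked" should be "clicked" in the results sentence; "Only 13 recipients reported" reads oddly in the 300-target version since reports (13) exceed clicks (12), so "Only" should go; and the last image uses the alt text "EmailDetails1" for phishheader.png, duplicating the earlier image's alt text.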
......