Best way to identify phishing website?

Hola!

I am encountering an issue in relation to identifying phishing websites.

https://gitlabonezix.es:443/

The above website contains a login form for “GitLab”.

However, when I contact the hosts/registrars, they respond indicating that the website is legitimate and that the person has made “gitlab” public-facing?

So… What is the best way of determining whether a website with a GitLab login is bogus or legit?

This is a self-hosted GitLab EE installation.

The official GitLab.com instance will be at GitLab.com

Anything else will require an account and set of credentials to access. GitLab.com credentials should not be used on any domain other than GitLab.com.

1 Like

Is it not asking for GitLab login details?

It is asking for credentials to that particular self-hosted GitLab instance.

There are thousands of self-managed GitLab instances with public-facing login pages, and each one would require a separate account to access it.

Credentials for GitLab.com entered into a self-managed GitLab login screen will not work.

To prevent the risk of phishing attempts on a GitLab.com account:

For security best practices, always use strong, unique passwords.

2 Likes

Ok so now for my original question:

How do you distinguish between this website, and a fraudulent phishing website?

The URL must be gitlab.com over HTTPS.

If there’s no ( :lock: https://gitlab.com ) in the URL box, do not enter GitLab.com credentials there.


Bookmarking the sign-in page can reduce the risk of typo-squatting.

Setting up multi-factor authentication is your best bet to play it safe and ensure credentials alone are insufficient to access your account.

It is worth noting that the GitLab codebase does not capture or process plaintext passwords; a malicious actor would have to edit the code to inject a key logger or something along those lines for the password to be “captured”.

1 Like
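The rule given above (GitLab.com credentials only at https://gitlab.com) can be turned into an origin check. The following is an added example, not code from the forum thread or from GitLab: it parses a URL into scheme, hostname and port and compares the whole origin, so that lookalike hosts, userinfo tricks and non-default ports are all rejected. The sample URLs other than the one from the original post are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed policy for this example: the only origin that may receive
# GitLab.com credentials. Port 443 is the implicit default for https.
TRUSTED_ORIGIN = ("https", "gitlab.com", 443)


def is_gitlab_com_signin(url: str) -> bool:
    """Return True only if `url` is served from https://gitlab.com.

    The comparison is on the parsed origin (scheme, hostname, port), not
    on whether the string merely contains "gitlab.com": a lookalike host
    such as gitlab.com.example.net, or a userinfo prefix such as
    gitlab.com@example.net, embeds that text without being gitlab.com.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    # urlsplit lower-cases the hostname; a trailing dot (absolute FQDN)
    # still names the same host, so strip it before comparing.
    host = (parts.hostname or "").rstrip(".")
    if port is None:
        port = 443 if parts.scheme.lower() == "https" else -1
    return (parts.scheme.lower(), host, port) == TRUSTED_ORIGIN


def classify(url: str) -> str:
    """Human-readable verdict on where GitLab.com credentials may go."""
    if is_gitlab_com_signin(url):
        return "GitLab.com sign-in: GitLab.com credentials belong here"
    return "not gitlab.com: do not enter GitLab.com credentials here"


# Constructed sample inputs; the first is the URL from the original post.
SAMPLE_URLS = [
    "https://gitlabonezix.es:443/",
    "https://gitlab.com/users/sign_in",
    "https://GITLAB.COM./",
    "http://gitlab.com/",
    "https://gitlab.com.example.net/",
    "https://gitlab.com@example.net/",
    "https://gitlab.com:8443/",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(f"{sample:40} -> {classify(sample)}")
```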

So the URL in the original post is a phishing website then?

@Phish no, it’s a self-hosted copy of the software we operate as SaaS on GitLab.com.

GitLab.com runs the same codebase as the self-hosted GitLab product. The sign-in page for GitLab.com and self-hosted GitLab look the same because it’s the same source code behind the HTML rendered in the browser.

With self-hosted web applications, the URL is the source of truth on what credentials are appropriate to use. Using GitLab.com credentials on a self-hosted GitLab has the same functionality as using Gmail credentials on a self-hosted GitLab - it doesn’t work (assuming you don’t reuse username/password across sites).

For a self-hosted GitLab sign-in page to be used for phishing, it would have to capture credentials in a way that they can be captured and transmitted in plaintext. This functionality is not part of GitLab’s codebase; credentials are not captured and transmitted in plaintext upon sign-in. For a phishing attack to be successful, someone would have to spoof a GitLab sign-in page with an embedded keylogger, serve it up at a URL other than https://gitlab.com, and have the victim overlook the discrepancy in the URL.

It’s similar to how WordPress.com has a sign-in page that looks like the sign-in page on a self-hosted WordPress installation. There’s no benefit or reason to enter and submit account credentials for WordPress.com/log-in to mywordpress.gregsblog.com/log-in, even though the login pages may look the same in the browser. If you do make a mistake and enter the credentials into the self-hosted WordPress, your username/password won’t be stored and transmitted to a hacker; the credentials simply just don’t work.

To prevent risk of phishing for GitLab or any important account, I strongly suggest you:

2 Likes