Today I received this email.
The remarkable thing about this email is that I never signed up for a GitLab account. Not to mention the obvious red flag that it was not sent from GitLab's domain. It could be mistaken for a self-hosted instance, except that I never signed up for one, much less changed a password. My guess is that it is ultimately an attempt to steal source code.
So I decided to learn something about this attacker. I never went to the links in the email. But I looked up the domain, which was registered through an international registrar called Domain Control. I looked up the server IP, which belongs to a Digital Ocean server located in Germany. This mainly tells me what kinds of services the attacker is familiar with.
I decided this was probably a malicious dev who is mining data from other dev communities I happen to participate in. I do not recall disclosing which source control I use (not GitLab currently), so it was probably just a safe bet for attacking multiple people. Or maybe it was simply the service the attacker is most familiar with, and they already had emails in their own inbox on which to base the above forgery, because it is pretty close to GitLab's own email format, which is pictured below.
The obvious point is to never trust email links, except when you are expecting the email (as in, you just went to their site and triggered a password reset). If you receive an unsolicited email that looks OK, still don't trust it. Especially if it is informing you that you need to do something on an account you really do have, still do not click the links in the email. Instead, open your browser and go directly to the website itself. If there is a legitimate account problem, you can log in and check that yourself.
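The two red flags above (a sender address outside the brand's domain, and links that point somewhere else) can be checked mechanically before anyone is tempted to click. This added example is not part of the original post; the sample message, its sender domain and its link host are constructed, and `gitlab.com` is assumed to be the domain a genuine notice would use.

```python
# Added example, not from the original post: flag a "password changed" notice whose
# sender and links do not belong to the brand it claims to be from. The sample
# message, its sender domain and its link host are all constructed for this demo.
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
EXPECTED_DOMAIN = "gitlab.com"  # assumed: the brand the notice claims to come from

class _LinkCollector(HTMLParser):
    # collects every href found in the HTML body
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

def _same_org(host, expected):
    # True for the domain itself or any subdomain (mail.gitlab.com), but not for
    # look-alikes such as gitlab.com.evil.example or gitlab-alerts.example
    host = host.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)

def check_notice(raw_message, expected_domain=EXPECTED_DOMAIN):
    # Return the red flags found in a raw RFC 5322 message (empty list = none)
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not _same_org(sender_domain, expected_domain):
        flags.append(f"sender domain {sender_domain!r} is not {expected_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for link in collector.links:
        host = urlparse(link).hostname or ""
        if not _same_org(host, expected_domain):
            flags.append(f"link to {host!r} does not belong to {expected_domain}")
    return flags

# Constructed sample: the mismatch the post describes, in a GitLab-style notice
SAMPLE = """\
From: GitLab <noreply@gitlab-account-alerts.example>
Subject: Password changed
Content-Type: text/html; charset=utf-8

<p>Your password was changed. If this wasn't you,
<a href="https://gitlab-account-alerts.example/reset?u=dev">reset it now</a>.</p>
"""
```

`check_notice(SAMPLE)` returns two flags for the constructed message, and none once both the sender and the link are on `gitlab.com`; a display name like "GitLab" is deliberately ignored, since it is the part a forger controls completely.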
But the more relevant point is to be careful and aware of what you share about yourself. It can be used against you. It can be used to target you for attacks. It can be used to manipulate you into a critical mistake, such as a convincing phishing email leading to your source code being stolen. Share carefully.
Parting note: This is the reason that data privacy is an important issue today. Social media providers typically use the data you have shared on their service to target you for ads. But simply collecting and correlating this data to you creates a gold mine for bad actors. If this seemingly inane data falls into nefarious hands, it could be used in exactly the same manner (to target and manipulate you), except with the goal of attacking/stealing/destroying instead of advertising.