2019-06-26

Phishing attacks are common and you likely know how to spot one — misspellings, the sender email doesn’t match the email address when you hover over it, a dire threat or a too-good-to-be-true reward. Even if the email looks like it comes from a colleague or friend, you know not to click on links or open attachments if there’s anything at all suspicious about the email.
Last week, the international event company I work for was hit with a rash of emails from employees to not only other employees, but to customers as well, saying an invoice was overdue. Because there was no mention of a vendor and the sender was not on my team, I sent it on to the IT department without opening the attachment. Indeed, it was a scam. But now there is a new entry point for attacks, one that could easily go unidentified by even the most vigilant internet user.
In a blog post last week, internet security firm Kaspersky warned about phishing in your calendar program. Throughout the month of May, Kaspersky observed unsolicited pop-up calendar notifications appearing for Gmail users. They found this was the result of “a blast of sophisticated spam emails sent by scammers.” The emails exploited a common default feature for people using Gmail on their smartphone: when a user receives an email that includes a calendar event invitation, Gmail automatically adds the event to the user’s calendar, and the calendar’s reminder notifications for that event are then triggered.
“Spam and phishing threats that exploit non-traditional attack vectors can be lucrative for criminals, as they can often successfully trick users who might not fall for a more obvious attack,” Kaspersky said. “The scam is particularly effective because the calendar entries and notifications stem from trusted apps like Google Calendar.”
While the delivery method is new, the tactics are the same as the ones we see in typical email scams. In this case, the phisher sends an unsolicited calendar invitation carrying a link to a phishing URL. A pop-up notification of the invitation appears on the smartphone’s home screen, and the recipient is encouraged to click on the link, which promises a cash prize in return for completing a simple survey. To receive the prize, the user is asked to enter their credit card details and some personal information, including their name, phone number and address. As with any phishing email, the information is never used to deliver a prize; it goes straight to the scammers, who can then use it to make fraudulent charges.
For the scammers, the calendar attack has an advantage over a simple email attack. They can set up multiple reminders for the so-called event, which only stop when the invitation is deleted. “So far, the sample we’ve seen contains text displaying an obviously weird offer, but as it happens, every simple scheme becomes more elaborate and trickier with time,” Kaspersky said.
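The attack described above works because the mail client trusts the iCalendar invitation attached to the message and adds it without anyone looking at it. The following Python script, added here as an illustration and not code from the article, Kaspersky or Google, shows the kind of check a mail gateway or a curious administrator could run over an incoming invitation before it reaches a calendar: it unfolds the iCalendar text, pulls out each event’s organizer and any links in its text fields, and flags organizers and link hosts that are not on a list of trusted domains. The two invitations, the trusted-domain list and all addresses in it are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: an unsolicited invitation of the kind described in the
# article. The organizer address and the link are placeholders, not real IoCs.
# The DESCRIPTION line is folded across two lines, as RFC 5545 allows.
SAMPLE_INVITE = """BEGIN:VCALENDAR
VERSION:2.0
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-0001
ORGANIZER;CN=Prize Desk:mailto:prizes@example-lottery.invalid
SUMMARY:You won! Claim your reward
DESCRIPTION:Complete a short survey at http://claim.example-lottery.invalid/s
 urvey to receive your prize.
LOCATION:Online
END:VEVENT
END:VCALENDAR
"""

# Constructed sample: an ordinary internal meeting invitation.
SAMPLE_LEGIT = """BEGIN:VCALENDAR
VERSION:2.0
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-0002
ORGANIZER:mailto:alice@example.com
SUMMARY:Weekly sync
DESCRIPTION:Agenda at https://wiki.example.com/sync
END:VEVENT
END:VCALENDAR
"""

# Assumption: the organisation's own mail and web domains.
TRUSTED_DOMAINS = {"example.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def unfold(ics_text):
    """Join RFC 5545 folded lines; a continuation line starts with a space or tab."""
    lines = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_events(ics_text):
    """Return one dict per VEVENT, keyed by property name with parameters dropped."""
    events, current = [], None
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            name = name.split(";", 1)[0].upper()  # strip parameters such as ;CN=...
            current[name] = value
    return events


def organizer_domain(value):
    """Extract the domain from an ORGANIZER value such as 'mailto:user@host'."""
    addr = value.lower()
    if addr.startswith("mailto:"):
        addr = addr[len("mailto:"):]
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def is_trusted_host(host, trusted):
    return any(host == d or host.endswith("." + d) for d in trusted)


def assess_invite(ics_text, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    for ev in parse_events(ics_text):
        org_dom = organizer_domain(ev.get("ORGANIZER", ""))
        if not is_trusted_host(org_dom, trusted):
            findings.append(f"organizer outside trusted domains: {org_dom or 'missing'}")
        text = " ".join(ev.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL"))
        for url in URL_RE.findall(text):
            host = (urlparse(url).hostname or "").lower()
            if not is_trusted_host(host, trusted):
                findings.append(f"link to untrusted host: {host}")
    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_INVITE), ("internal", SAMPLE_LEGIT)):
        print(label, "->", assess_invite(sample) or "no findings")
```

A gateway would normally quarantine or strip the attachment when findings are returned rather than let the client auto-add it; the unfolding step matters because a link split across folded lines would otherwise escape a naive line-by-line search.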
The solution to this particular calendar scam is a simple one and involves changing the settings for Google Calendar. When you’re in your Gmail account, look for the array of small boxes in the upper right corner to see other Google products. Click on Calendar and then open settings by clicking on the gear icon. Under Event Settings, you will see “Automatically add invitations,” which is the default setting. When checked, this will add all incoming invitations to your calendar regardless of whether you’ve responded. Instead, select “No, only show invitations to which I’ve responded.” Proceed to View Options and uncheck “Show declined events” to prevent malicious invitations from remaining in your calendar.
While this is an easy fix, calendar phishing may just be in its infancy. Scammers could use the calendar for other attacks, such as tampering with the events Gmail generates automatically when you receive a confirmation for a flight, a restaurant reservation or tickets to a concert. Outlook hasn’t been used in this type of phishing scheme so far, but that doesn’t mean it won’t be in the future.
Just like with email, you’ll need to be vigilant about events that come in from an unknown source — and perhaps from a seemingly known source whose calendar has been hacked.