Phishing Scam puts malicious links in Google Calendar

August 26, 2019
Mark

At this point, you’re probably keeping an eye out for possible phishing messages in your email. You know the drill: If you have any doubts, don’t click links or download attachments. That’s difficult enough to adhere to in practice. Now, thanks to new findings from the threat intelligence firm Kaspersky, along with phishing texts, phishing tweets, and phishing pop-ups, you need to worry about one more thing: phishing in your calendar.

Phishers have realized that they can take advantage of seemingly innocuous calendar settings to plant their own events laced with phishing links on victims’ schedules. In many cases, this also triggers notifications automatically, further legitimizing the malicious events. The scam is particularly effective because the calendar entries and notifications stem from trusted apps like Google Calendar.

The attack is simple: scammers send a wave of calendar event invites to Google Calendar users. The goal is to take advantage of a default setting under which the targets’ calendars automatically add any invited event and send a notification about it. So scammers preload the text of the event entry with a phishing link and a short line to entice targets to click.

Kaspersky researchers mainly observed phishers pushing links to fake surveys with short event descriptions like, “You’ve received a cash reward,” or “There’s a money transfer in your name.” The idea, of course, is to get victims to click and then enter personal information into the malicious form. Sometimes the forms trick targets into entering credit card information by asking them to send a small amount of money to enter to win a much larger sum.
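The pattern described above (an invite from an unknown organizer whose event text carries a link and the cash-reward or money-transfer lure) can be checked mechanically before an invite is auto-added. The following is an added example, not code from Kaspersky or the article: a small triage routine over iCalendar (.ics) invite text, using a constructed sample feed; `trusted_domains`, the lure-phrase list and the sample addresses are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Lure wording the article reports in the observed campaign (assumed list).
LURE_PHRASES = ("cash reward", "money transfer")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Finding:
    uid: str
    organizer: str
    urls: list
    lure_hits: list


def parse_vevents(ics_text):
    """Return one {PROPERTY: value} dict per VEVENT, with RFC 5545 line folding undone."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)  # a line starting with SPACE/TAB continues the previous one
    events = []
    for block in re.findall(r"BEGIN:VEVENT(.*?)END:VEVENT", unfolded, re.S):
        props = {}
        for line in block.strip().splitlines():
            if ":" not in line:
                continue
            name, value = line.split(":", 1)
            # Drop parameters such as ";CN=..." and unescape iCalendar text.
            props[name.split(";")[0].upper()] = value.replace("\\n", "\n").replace("\\,", ",")
        events.append(props)
    return events


def triage_invites(ics_text, trusted_domains):
    """Flag invites from untrusted organizer domains whose event text contains a link."""
    findings = []
    for ev in parse_vevents(ics_text):
        organizer = ev.get("ORGANIZER", "").lower().replace("mailto:", "")
        domain = organizer.rsplit("@", 1)[-1]
        text = " ".join(ev.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL"))
        urls = URL_RE.findall(text)
        hits = [p for p in LURE_PHRASES if p in text.lower()]
        if urls and domain not in trusted_domains:
            findings.append(Finding(ev.get("UID", "?"), organizer, urls, hits))
    return findings


# Constructed sample: one legitimate internal invite, one lure invite with a folded URL line.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:evt-1@example.invalid
ORGANIZER;CN=Team:mailto:pm@corp.example
SUMMARY:Sprint review
DESCRIPTION:Agenda at https://intranet.corp.example/agenda
END:VEVENT
BEGIN:VEVENT
UID:evt-2@example.invalid
ORGANIZER:mailto:rewards@unknown.example
SUMMARY:You've received a cash reward
DESCRIPTION:Claim within 24h: https://survey.example/claim?id=1
 23
END:VEVENT
END:VCALENDAR
"""
```

Running `triage_invites(SAMPLE_ICS, {"corp.example"})` reports only the second event, with the folded link reassembled as a single URL and the lure phrase recorded alongside it.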

“For the calendar attack, the scammers use a prepared email list to send their fraudulent invitations,” says Maria Vergelis, a security researcher at Kaspersky who has been following the method. “They can also set the number of reminders to deliver the same message many times until the desired link is clicked or the invitation is deleted. And such an invitation automatically adds the notifications to one’s calendar. The delivery method is quite new and growing.”

Phishers could use the same calendar event strategy to push all different types of phishing links, perhaps posing as an event planning or RSVP form. Attackers have similarly ridden on the legitimacy of Google services to distribute malicious links that appeared to be benign Google Docs links.

The special thing about the calendar phish is the distribution method, says Oren Falkowitz, CEO of the phishing defense firm Area 1. “This type of phish is pretty common—the novel part is the potential to message so many people.”

In addition to the usual phishing advice (stay aware and vigilant!), Google Calendar users can also protect themselves against unwanted invites through the app itself. Open Google Calendar’s settings in a desktop browser and go to Event Settings > Automatically Add Invitations, then select the option “No, only show invitations to which I’ve responded.” Also, under View Options, make sure that “Show declined events” is unchecked, so malicious events don’t haunt you even after you decline them.

“Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse,” a Google spokesperson said in a statement. “[We] provide users the ability to report spam in Calendar, Forms, Google Drive, and Google Photos.”

Area 1’s Falkowitz points out, though, that calendar phishes are especially pernicious, because they crop up unexpectedly in such a trusted, utilitarian context. “This is exactly the type of attack that a human can’t be trained against,” he says.

by Lily Hay Newman