About a year ago I began getting Google Calendar invites to meetings I never agreed to have. I ignored them. Now Kaspersky Labs has identified a new phishing scam using Google’s platform.
Google Calendar was down most of the morning on Tuesday for many users. BuzzMachine’s Jeff Jarvis took to Twitter to tweet: “I’m kinda disappointed I didn’t have any morning meeting that disappeared with Google Calendar. But I think I’ll use it as an excuse for at least a week.”
It’s not clear whether the outage was directly related to the scam Kaspersky identified, but it seems plausible that Google is trying to plug the hole that led to the phishing scam. The Google G Suite Status Dashboard showed Google Calendar was down earlier in the day on Tuesday.
When someone with access to Google Calendar sends an event invite, it automatically gets added to the receiver’s calendar in the default setting. The invite triggers an email notification about the event.
The event shows up in Google Calendar regardless, but clicking the “accept” button in the email confirms that the person has agreed to receive the notice and schedule the event. Because the invite arrives through Google’s own service, the technology doesn’t identify or flag the entry as invalid or a scam.
Kaspersky Labs identified the attacks in May and recently posted a blog about the scam that capitalizes on unsolicited calendar invites that carry a link to a phishing URL.
In most cases, the URL in the calendar invite redirected the recipient to a website featuring a simple questionnaire that offered prize money on completion.
To receive the prize, the user was asked for a “fixing” payment. The person receiving the email was required to enter their credit card details and add some personal information, such as their name, phone number and address.
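The pattern described above (an unsolicited invite from an unknown organizer whose body carries a link) can be triaged automatically. The following is an added example, not code from the article or from Kaspersky: it parses constructed iCalendar-style VEVENT blocks and flags the ones a defender would want to review; the sender addresses, the address book and the sample link are all invented.

```python
import re

# Constructed sample invites in iCalendar (RFC 5545) VEVENT form; not real data.
SAMPLE_INVITES = [
    "BEGIN:VEVENT\n"
    "ORGANIZER;CN=Colleague:mailto:colleague@example.org\n"
    "SUMMARY:Weekly sync\n"
    "DESCRIPTION:Agenda is in the shared doc.\n"
    "END:VEVENT",
    "BEGIN:VEVENT\n"
    "ORGANIZER:mailto:winner@prize-example.test\n"
    "SUMMARY:You won a cash prize!\n"
    "DESCRIPTION:Complete the survey at http://prize-example.test/claim\n"
    "  to collect your reward.\n"   # folded continuation line (RFC 5545 3.1)
    "END:VEVENT",
]

# Assumed address book of senders the user already corresponds with.
KNOWN_SENDERS = {"colleague@example.org"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def parse_vevent(text):
    """Minimal VEVENT parser: unfolds continuation lines, then maps
    property name -> value, dropping parameters such as ;CN=..."""
    unfolded = re.sub(r"\r?\n[ \t]", "", text)  # join folded lines
    props = {}
    for line in unfolded.splitlines():
        if ":" not in line or line.startswith(("BEGIN", "END")):
            continue
        key, value = line.split(":", 1)
        props[key.split(";")[0].upper()] = value.strip()
    return props


def triage_invite(text, known_senders=KNOWN_SENDERS):
    """Return the reasons an auto-added invite deserves a second look
    (empty list means nothing suspicious was found)."""
    ev = parse_vevent(text)
    reasons = []
    organizer = ev.get("ORGANIZER", "").lower()
    if organizer.startswith("mailto:"):
        organizer = organizer[len("mailto:"):]
    if organizer not in known_senders:
        reasons.append(f"organizer {organizer!r} is not a known contact")
    body = ev.get("DESCRIPTION", "") + " " + ev.get("LOCATION", "")
    urls = URL_RE.findall(body)
    if urls:
        reasons.append(f"invite body carries a link: {urls[0]}")
    return reasons
```

Run against the two samples, the first returns no reasons and the second returns both the unknown-organizer and the link finding, which is exactly the combination the article's scam relies on.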
Maria Vergelis, security researcher at Kaspersky, wrote that the calendar scam is effective because most people have become accustomed to receiving spam messages from emails or messenger apps, but not through their calendar scheduler.
“So far, the sample we’ve seen contains text displaying an obviously weird offer, but as it happens, every simple scheme becomes more elaborate and trickier with time,” Vergelis wrote. “The good news is that it’s fairly easy to avoid such a scam -- the feature that enables it can be easily turned off in the calendar settings.”
Blocking the invitations requires the user to open Google Calendar’s settings in a desktop browser. Go to Event Settings > Automatically Add Invitations, and then select the option “No, only show invitations to which I’ve responded.” Kaspersky also suggests going to View Options and making sure “Show declined events” is unchecked, so malicious events don’t return once they are declined, even when searching in Calendar to retrieve information about old appointments.
The Google G Suite Status Dashboard showed Google Calendar was down earlier in the day on Tuesday, and I'm wondering whether it was related to the update that plugs the hole.