This is how scammers are now abusing Google Calendar to pillage your data

Recent attacks abuse invitation and event notification mechanisms.
Written by Charlie Osborne, Contributing Writer

Cyberattackers and scammers will try every trick in the book to lure you into parting with your information.

Data can be considered something of a currency in itself; it can be sold on for profit in the underground, used to compromise online accounts, and in the worst cases, can be utilized for identity theft or making fraudulent purchases.

Software and web vulnerabilities are often exploited in attacks in order to collect data in bulk. Hardly a day goes by when you do not hear of yet another data breach with so-many-millions of records exposed.

On an individual level, the services we use on a daily basis are also of interest to scammers and attackers keen to get their hands on your information -- and calendar systems are not exempt.

Calendar-based attacks and scams have been floating around the Internet for years, but it was only in 2016 that such schemes began to impact users in vast numbers. Apple device users began receiving notifications on their Calendar app, made possible through unprotected sharing mechanisms.

In one case noted by ZDNet, an advert for 'Ray-Bans' popped up and those who fell victim to the invite ended up having their credit card details stolen.

At the time, Apple rolled out a report function for spam notifications appearing in Calendar, Photos, and iMessage and later included a feature to turn off the automatic addition of events altogether. However, this patch-over only highlighted an ongoing problem impacting not just the iPhone and iPad maker, but Google and Microsoft too.

In the name of collaboration, invitations that appear on your calendar can be a useful function, especially for those in business and management. However, scam artists exploit what are usually valuable features for users.

Back in February, researchers from GreatHorn came across a Microsoft scam which used the spoofed name and email address of a chief executive at the company they were targeting.

Victims were sent a calendar invitation relating to a fake meeting organized by the 'CEO,' and those who clicked the link were taken to a phishing website designed to look like Microsoft Outlook for the purpose of stealing their account credentials.

Now, it appears scammers are targeting Google Calendar. Kaspersky researchers said on Monday that multiple cases of the latest invite scheme were detected throughout May, in which fraudsters sent unsolicited event invitations by abusing a "free online calendar service that adds invitations and events to users' calendars automatically."

The spam message blast exploited a smartphone-based feature for Gmail which automatically added and notified potential victims of the fraudulent calendar invitations.

These pop-up notifications were not as sophisticated as the aforementioned business scam which pretended to be legitimate communication from a CEO; rather, the invitations they connected to contained a phishing link which sent victims to a survey website offering money for questionnaire completion.

However, to receive their winnings, the victims would need to enter their credit card details alongside names, phone numbers, and addresses.

"The 'calendar scam' is a very effective scheme, as most people have become used to receiving spam messages from emails or messenger apps," said Maria Vergelis, security researcher at Kaspersky. "So far, the sample we've seen contains text displaying an obviously weird offer, but as it happens, every simple scheme becomes more elaborate and trickier with time."

Calendar abuse isn't going away anytime soon, but thankfully for Google Calendar users, there is an easy way to prevent these annoying -- and often malicious -- campaigns. Open up Google Calendar, click Settings, and uncheck the box next to "Events from Gmail / Add automatically."
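For teams that screen invitations before they reach a calendar, the pattern described above (an unsolicited invite carrying a link) can be checked mechanically. The sketch below is an added example, not code from ZDNet, Kaspersky or Google; it assumes invitations arrive in the standard iCalendar (RFC 5545) format, and the `known_senders` allowlist, the `triage` function and the sample invite are hypothetical.

```python
import re

# Constructed sample invitation in iCalendar (RFC 5545) form; every name,
# address and URL below is made up for this example.
SAMPLE_INVITE = (
    "BEGIN:VCALENDAR\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "ORGANIZER;CN=\"Rewards: Payout Team\":mailto:promo@survey-prizes.example\r\n"
    "SUMMARY:You have a pending payout\r\n"
    "DESCRIPTION:Complete the questionnaire: https://survey-prizes.ex\r\n"
    " ample/claim?id=1\\nEnter card details to receive your winnings\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

# Property name, optional ;param=value parts (values may be quoted), then value.
PROP_RE = re.compile(r'^([\w-]+)((?:;(?:"[^"]*"|[^":;])+)*):(.*)$')
URL_RE = re.compile(r"https?://[^\s<>\"]+", re.I)

def parse_event(ics):
    """Return {PROPERTY: raw value} for the first VEVENT in the invitation."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics)  # undo RFC 5545 line folding
    props, inside = {}, False
    for line in unfolded.splitlines():
        if line.upper() == "BEGIN:VEVENT":
            inside = True
        elif line.upper() == "END:VEVENT":
            break
        elif inside and (m := PROP_RE.match(line)):
            props[m.group(1).upper()] = m.group(3)
    return props

def unescape(text):
    """Decode iCalendar TEXT backslash escapes; an escaped newline becomes a space."""
    return re.sub(r"\\(.)", lambda m: " " if m.group(1) in "nN" else m.group(1), text)

def triage(ics, known_senders):
    """Flag invitations that carry a link and come from an unknown organizer.

    known_senders is a hypothetical allowlist of lowercase organizer addresses.
    """
    ev = parse_event(ics)
    organizer = re.sub(r"^mailto:", "", ev.get("ORGANIZER", ""), flags=re.I).lower()
    fields = (ev.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL"))
    urls = URL_RE.findall(unescape(" ".join(fields)))
    return {"organizer": organizer, "urls": urls,
            "flag": bool(urls) and organizer not in known_senders}

if __name__ == "__main__":
    print(triage(SAMPLE_INVITE, known_senders={"colleague@corp.example"}))
```

The rule is a heuristic: it will not catch an invite that spoofs an address already on the allowlist, as in the GreatHorn case, so it complements rather than replaces the setting change above.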

A Google spokesperson told ZDNet:

"Google's Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse. Combating spam is a never-ending battle, and while we've made great progress, sometimes spam gets through. 

We remain deeply committed to protecting all of our users from spam: we scan content on Photos for spam and provide users the ability to report spam in Calendar, Forms, Google Drive, and Google Photos, as well as block spammers from contacting them on Hangouts. In addition, we offer security protections for users by warning them of known malicious URLs via Google Chrome's Safe Browsing filters." 
