Cybersecurity is a moving target. As the good guys create solutions to combat known attacks, hackers and cybercriminals find new avenues of vulnerability as well as new attack methodologies to bypass cyber protection systems. Phishing tactics are continually changing but convincing users to click on “something” remains a primary means for implementing an attack. Cybercriminals are always upping their game when it comes to finding new ways to deceive users.
An important element of a phishing attack is trust: the user has to trust the source the message appears to come from. That is why attackers often spoof the email address of a senior manager or a vendor contact, so that the payload arrives from a credible sender. Fortunately, between email security gateways, DMARC authentication and user training, users are becoming more guarded about email. In response, attackers have found another trusted channel: the personal calendar application, where they can add their own events laced with phishing links. On top of phishing emails, phishing texts and phishing tweets, we now have to be suspicious of our calendars too. So many people live by their Outlook or Google calendars that it was only a matter of time before this channel was abused as well.
At present the attacks target Google Calendar, because its default setting automatically adds invitations to a user's agenda even if the user never accepted them. The attackers are counting on users not noticing, when the reminder notification appears, that they never accepted the event. What's more, the sender of an invite controls its reminders, so the user can be presented with the embedded link several times. Given enough reminders, one is likely to arrive while the user is in a rush, tired or distracted. Remember, it only takes a single click.
The end goal is to coax you into clicking a link by alerting you to some kind of fake event. The link might be an RSVP for an open event such as a company banquet, a reminder about a fake invoice with a link to enter your payment details, or a notification that you have won a prize and must click to enter personal information to claim it. The scenarios are endless; they are simply dropped into calendar invites that are then sent to prepared lists of thousands, if not millions, of email addresses. As with traditional email phishing campaigns, the idea is that if you cast a wide enough net, you will catch some fish.
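The traits described above (a link in the event text, an organizer outside the recipient's own domain, and several reminders stacked on one event) are all visible in the iCalendar (.ics) invite that carries the event, so they can be checked before the invite reaches a calendar, for example on the mail stream at the gateway. The script below is an added example, not code from the article: it parses an invite with only the Python standard library and scores it on those traits. Both invites are constructed samples, and the domains, addresses and the `analyze`/`parse_invite`/`unfold` names are this example's own.

```python
import re
from typing import Any, Dict, List

URL_RE = re.compile(r"https?://[^\s<>'\"]+", re.IGNORECASE)
# iCalendar content line: NAME[;params]:VALUE (params in these samples contain no ':')
PROP_RE = re.compile(r"^([A-Za-z0-9-]+)(?:;[^:]*)?:(.*)$")

# Constructed sample: a "banquet RSVP" from an outside sender with three reminders; the
# DESCRIPTION is folded over two lines as RFC 5545 allows (continuation starts with a space).
SUSPICIOUS_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:sample-1@example.invalid
SUMMARY:RSVP: Company Appreciation Banquet
DESCRIPTION:Confirm your seat at https://rsvp.example.invalid/confirm?u=42
  before Friday\\, seats are limited.
ORGANIZER;CN=Events Team:mailto:events@example.invalid
ATTENDEE;PARTSTAT=NEEDS-ACTION:mailto:alice@corp.example
BEGIN:VALARM
TRIGGER:-P1D
END:VALARM
BEGIN:VALARM
TRIGGER:-PT1H
END:VALARM
BEGIN:VALARM
TRIGGER:-PT10M
END:VALARM
END:VEVENT
END:VCALENDAR
"""

# Constructed sample: an ordinary internal meeting with one reminder and no links.
BENIGN_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:sample-2@corp.example
SUMMARY:Weekly sync
ORGANIZER:mailto:bob@corp.example
ATTENDEE:mailto:alice@corp.example
BEGIN:VALARM
TRIGGER:-PT10M
END:VALARM
END:VEVENT
END:VCALENDAR
"""


def unfold(ics_text: str) -> List[str]:
    """Undo RFC 5545 line folding: a line starting with space/tab continues the previous one."""
    lines: List[str] = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_invite(ics_text: str) -> Dict[str, Any]:
    """Collect the first VEVENT's text fields, organizer address and VALARM (reminder) count."""
    text: List[str] = []
    organizer, reminders, in_event = "", 0, False
    for line in unfold(ics_text):
        m = PROP_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).upper(), m.group(2)
        if name == "BEGIN" and value.upper() == "VEVENT":
            in_event = True
        elif name == "END" and value.upper() == "VEVENT":
            break
        elif not in_event:
            continue
        elif name == "BEGIN" and value.upper() == "VALARM":
            reminders += 1
        elif name in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL"):
            # undo iCalendar TEXT escaping before looking for links
            text.append(value.replace("\\n", "\n").replace("\\,", ",").replace("\\;", ";"))
        elif name == "ORGANIZER":
            organizer = value.lower()
            organizer = organizer[7:] if organizer.startswith("mailto:") else organizer
    return {"text": text, "organizer": organizer, "reminders": reminders}


def analyze(ics_text: str, recipient_domain: str, max_reminders: int = 1) -> Dict[str, Any]:
    """Flag an invite whose links come from an outside organizer or are repeated by stacked reminders."""
    inv = parse_invite(ics_text)
    links: List[str] = []
    for chunk in inv["text"]:
        for url in URL_RE.findall(chunk):
            if url not in links:
                links.append(url)
    org_domain = inv["organizer"].rsplit("@", 1)[1] if "@" in inv["organizer"] else ""
    external = org_domain != recipient_domain.lower()
    reasons: List[str] = []
    if links and external:
        reasons.append(f"link from organizer outside {recipient_domain}")
    if links and inv["reminders"] > max_reminders:
        reasons.append(f"{inv['reminders']} reminders stacked on one event")
    return {"links": links, "reminders": inv["reminders"], "organizer_domain": org_domain,
            "external_organizer": external, "reasons": reasons, "suspicious": bool(reasons)}
```

Calling `analyze(SUSPICIOUS_ICS, "corp.example")` returns three reminders, the RSVP link and two reasons, while the internal meeting comes back clean. Treat the result as an enrichment signal rather than a block rule: the organizer address is attacker-controlled and can be spoofed just like a From: header, and plenty of legitimate external invites carry a meeting link, so the score is most useful combined with sender reputation and the DMARC result of the carrying email.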
The weakness that lets fake invites land in the calendar automatically is a default setting, and fortunately it can be changed. Open Google Calendar settings in a desktop browser, go to Event settings > Automatically add invitations and select "No, only show invitations to which I've responded." While you are in the settings, go to View options and make sure "Show declined events" is unchecked, so that malicious events you have declined do not appear at all. Bear in mind that declining an invite sends a response to the organizer, which confirms to a spammer that the address is live; for an obvious phishing invite, deleting the event without responding is the quieter choice. The setting also does not remove events that were added before you changed it, so check the agenda for invites you never accepted.
The good news is that this particular trick is easily thwarted. The bad news is that abuse of calendar apps is probably just beginning. IT staff need to start educating users that their calendars are as exposed as their inboxes, and that the mantra "don't click on embedded links" holds regardless of the medium the link arrives through.