A technique of using Google Calendar invites and events as spam is gathering volume, according to researchers.
The mechanics are relatively simple: an attacker crafts an unsolicited calendar invitation carrying a link to a phishing URL, which is sent to the user's Gmail or G Suite address. By default, smartphone Gmail will automatically add events to the calendar and notify the user via a popup. If users click the link, they are taken to a phishing site or malware is downloaded directly. As the popups appear to originate from the trusted Google Calendar app, users are much more likely to interact with them, and Gmail spam filters are sidestepped by the association too.
"Cybercriminals send targets an unsolicited calendar invitation carrying a link to a phishing URL," explained Kaspersky researcher Maria Vergelis, in a recent blog post. "A pop-up notification of the invitation appears on the smartphone's screen, and the recipient is encouraged to click on the link. The website where they are directed then tells victims to enter their credit card details and add some personal information, which is sent straight to the scammers."
The Kaspersky researchers saw examples of fake surveys being pushed to users, with descriptions including "You've received a cash reward," or "There's a money transfer in your name."
Naaman Hart, cloud services security architect at Digital Guardian, told SC Media UK that the news illustrates a wider trend: "This attack once again sees user safety put behind the core interests of the application developer. In this instance Google wants to force our attention to something by prompting a response from us when we receive a calendar invite. Annoyance seems to be the default setting for all applications these days and notifications demand our attention at every turn. Imagine how infuriating it would be if a random stranger followed you and constantly asked seemingly inane questions?"
"Users should demand more control over how applications interact with us and the default notification mode at install time should be minimal to none. This would have the added benefit of improving work-life balance and reducing stress from being 'always on.' It's a proven fact that being constantly prompted by your smart device is damaging to your sleep and wellbeing."
Boris Cipot, senior security engineer at Synopsys, warned that maintaining caution even when dealing with trusted apps is essential: "Question every email and in this case invitation you receive. If it feels weird, wrong or unusual then ask the person who sent this invite if he really sent it. Do not click on any links or attachments and watch out for the tell-tale signs of phishing messages: wrong words, ad translations, weird URL etc. Whenever in doubt it’s better to delete. As Kaspersky suggests, automation is not your friend in cases such as this, so do not let your calendar app put invitations automatically into your calendar but you better review it and then add it if it is not phishing."
Google said in a statement that "Google's Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse. Combating spam is a never-ending battle, and while we've made great progress, sometimes spam gets through.
"We remain deeply committed to protecting all of our users from spam: we scan content on Photos for spam and provide users the ability to report spam in Calendar, Forms, Google Drive, and Google Photos, as well as block spammers from contacting them on Hangouts. In addition, we offer security protections for users by warning them of known malicious URLs via Google Chrome's Safe Browsing filters."