The attacks happened throughout May. This scam abuses a specific feature of a free online calendar service which adds invitations and events to users’ calendars automatically.
Spam and phishing that exploit non-traditional attack vectors can be lucrative for criminals, as they can catch out experienced users who might not fall for a more common threat. This is particularly the case when it comes to trusted legitimate services, such as default e-mail calendar features, and these are exploited through so-called "calendar phishing".
The detection of multiple, unsolicited pop-up calendar notifications during May turned out to be a result of a blast of sophisticated spam e-mails sent by scammers. The e-mails exploited a common default feature for people using Gmail on their smartphone: the automatic addition and notification of calendar invitations. The fraud occurs when the perpetrator sends an unsolicited calendar invitation carrying a link to a phishing URL. A pop-up notification of the invitation appears on the smartphone’s home screen and the recipient is encouraged to click on the link.
In most of the cases observed, the user was redirected to a website featuring a simple questionnaire with prize money on offer. To receive the prize, the user is asked for a “fixing” payment for which they need to enter their credit card details and add some personal information, such as a name, phone number and address. This data goes straight to the scammers who exploit it to steal money or identity information.
“The “calendar scam”, is a very effective scheme, as currently people have more or less got used to receiving spam messages from e-mails or messengers and do not immediately trust them. But this may not be the case when it comes to the Calendar app, which has a main purpose to organize information rather than transfer it. So far, the sample we’ve seen contains text displaying an obviously weird offer, but as It happens, every simple scheme becomes more elaborate and trickier with time. The good news is – one also doesn’t need any sophisticated precautions to avoid such scam – the feature that enables it can be easily turned off in the calendar settings,” - said Maria Vergelis, security researcher at Kaspersky.
Google also commented:
“Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse. Combating spam is a never-ending battle, and while we've made great progress, sometimes spam gets through. We remain deeply committed to protecting all of our users from spam: we scan content on Photos for spam and provide users the ability to report spam in Calendar, Forms, Google Drive, and Google Photos, as well as block spammers from contacting them on Hangouts. In addition, we offer security protections for users by warning them of known malicious URLs via Google Chrome's Safe Browsing filters.”
To avoid falling victim to malicious spam, Kaspersky researchers advise users to:
Turn off the automatic adding of invites to your calendar: to do so, open Google Calendar, click the settings Gear Icon, then on Event Settings. For the ‘automatically add invitations’ option, click on the dropdown menu and select ‘No, only show invitations to which I've responded’. Below this, in the View Options section, make sure ‘Show declined events’ is NOT checked, unless you specifically wish to view these
If you are not sure whether a website you are redirected to is real and safe, never enter personal information
Use a reliable security solution for comprehensive protection from a wide range of threats, such as Kaspersky Security Cloud
Read the full report on Kaspersky Daily
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.