Phishers have realized that they can take advantage of seemingly harmless calendar settings to embed their own events, carrying phishing links, in victims' schedules. In many cases this also triggers notifications automatically, further lending the malicious events an air of legitimacy. The scam is particularly effective because the calendar entries and notifications come from a trusted application such as Google Calendar.
The attack comes from crooks who send a wave of calendar events to Google Calendar users. The goal is to take advantage of a default setting under which the target's calendar automatically adds any event it receives and sends a notification about it. The fraudsters therefore preload the text of the event entry with a phishing link and a short line to entice the target to click.
Lily Hay Newman covers information security, digital privacy and hacking for WIRED.
Kaspersky's researchers have mainly observed phishers pushing links to fake polls, with brief event descriptions such as "You have received a cash reward" or "There is a transfer of money to your name". The idea, of course, is to get the victim to click and then enter personal information into the malicious form. Some forms deceive targets into entering credit card details by asking them to send a small amount of money in order to receive a larger one.
"For the calendar attack, fraudsters use a mailing list prepared to send their fraudulent invitations," says Maria Vergelis, security researcher at Kaspersky. "They can also set the number of reminders to send the same message multiple times until the desired link is clicked or the invitation is removed."
Phishers could use the same calendar-event strategy to deliver all kinds of phishing links, perhaps masquerading as an event-planning or RSVP form. Attackers have also exploited the legitimacy of Google services to spread malicious links that appeared to be benign Google Docs links.
According to Oren Falkowitz, CEO of the anti-phishing company Area 1, what is particular about the calendar attack is the method of distribution. "This type of phishing is quite common; the new part is the potential to message so many people."
In addition to the usual phishing advice (stay vigilant!), Google Calendar users can also protect themselves from unwanted invitations in the app itself. Open the Google Calendar settings in a web browser and navigate to Event settings > Automatically add invitations, then select the option "No, only show invitations to which I have responded." Also, under View options, make sure that "Show declined events" is not checked, so that malicious events do not haunt you even after they have been declined.
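The article describes the attack in terms of two traits: an invitation from an organizer the recipient does not know, and a link in the event text next to a money-themed lure. The following triage filter, added here as an illustration and not part of the WIRED article or any Kaspersky or Area 1 tooling, parses iCalendar (.ics) invitations and flags events that show both traits. The sample invites, the domains `example.com` (the recipient's own) and `example.net` (external), and the lure word list are all constructed for the example.

```python
"""
Added example (not from the article): triage iCalendar invitations for the
calendar-phishing pattern described above. Events from an organizer outside
the recipient's own domain that carry a link in their text are flagged;
money-themed wording is recorded as an additional reason.
"""
import re
from dataclasses import dataclass

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)
# Constructed lure vocabulary, modelled on the event titles the article quotes.
LURE_RE = re.compile(r"\b(cash reward|transfer of money|reward|money|prize)\b", re.IGNORECASE)

# Constructed sample: one benign internal invite and one lure-style invite.
# The second DESCRIPTION is folded across two lines as RFC 5545 allows.
SAMPLE_INVITES = """BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
UID:benign-1@example.com
ORGANIZER;CN=A Colleague:mailto:colleague@example.com
SUMMARY:Quarterly planning sync
DESCRIPTION:Agenda in the shared doc: https://docs.example.com/q3-plan
END:VEVENT
BEGIN:VEVENT
UID:lure-1@example.net
ORGANIZER;CN=Rewards Desk:mailto:rewards@example.net
SUMMARY:You have received a cash reward
DESCRIPTION:There is a transfer of money to your name\\, confirm here:
  https://forms.example.net/poll?id=12345
END:VEVENT
END:VCALENDAR
"""


@dataclass
class Verdict:
    summary: str
    organizer: str
    suspicious: bool
    reasons: list


def unfold(ics_text):
    """Join folded lines: a line starting with a space or tab continues the previous one."""
    lines = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def unescape(value):
    """Undo iCalendar text escaping (\\n, \\, \\; and \\\\)."""
    return (value.replace("\\n", "\n").replace("\\N", "\n")
                 .replace("\\,", ",").replace("\\;", ";").replace("\\\\", "\\"))


def parse_events(ics_text):
    """Return a list of dicts, one per VEVENT, keyed by upper-case property name."""
    events, current = [], None
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            if current is not None:
                events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            prop = name.split(";", 1)[0].upper()  # drop parameters such as CN=...
            current[prop] = unescape(value)
    return events


def organizer_domain(organizer_value):
    """Extract the domain from an ORGANIZER value such as 'mailto:user@example.com'."""
    addr = organizer_value.strip().lower()
    if addr.startswith("mailto:"):
        addr = addr[len("mailto:"):]
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def triage(ics_text, own_domains):
    """Flag events whose organizer is external and whose text carries a link."""
    verdicts = []
    for ev in parse_events(ics_text):
        text = " ".join(ev.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION"))
        organizer = ev.get("ORGANIZER", "")
        domain = organizer_domain(organizer)
        external = domain not in own_domains
        urls = URL_RE.findall(text)
        reasons = []
        if external and urls:
            reasons.append(f"external organizer ({domain or 'unknown'}) with link(s): {', '.join(urls)}")
        if LURE_RE.search(text):
            reasons.append("money-themed lure wording in event text")
        verdicts.append(Verdict(ev.get("SUMMARY", ""), organizer, external and bool(urls), reasons))
    return verdicts


if __name__ == "__main__":
    for v in triage(SAMPLE_INVITES, {"example.com"}):
        print("SUSPICIOUS" if v.suspicious else "ok", "|", v.summary, "|", "; ".join(v.reasons))
```

The filter is deliberately conservative: an internal organizer sharing a link is not flagged, and lure wording alone only adds a reason, since legitimate events mention money too. In a mail gateway the same logic would run on the `text/calendar` part of inbound messages before the invitation ever reaches a calendar that auto-adds events.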
Falkowitz of Area 1 points out, however, that calendar phishing is particularly pernicious because it unexpectedly appears in a utilitarian context that users trust. "This is exactly the type of attack against which a human cannot be trained," he says.