Google Calendar alerts can open up your diary to hackers

News by Mark Mayne

A method of exploiting Google Calendar alerts is spreading fast, according to experts. Maintaining caution even when dealing with trusted apps is essential. Automation is not your friend in cases such as this.

A technique of using Google Calendar invites and events as spam is gathering volume, according to researchers.

The mechanics are relatively simple - an attacker crafts an unsolicited calendar invitation carrying a link to a phishing URL and sends it to the user’s Gmail or G Suite address. By default, the Gmail app on smartphones automatically adds such events to the calendar and notifies the user with a pop-up. If the user clicks the link, they are either taken to a phishing site or malware is downloaded directly. Because the pop-ups appear to originate from the trusted Google Calendar app, users are much more likely to interact with them, and the association with Calendar also lets the invitation sidestep Gmail's spam filters.

"Cyber-criminals send targets an unsolicited calendar invitation carrying a link to a phishing URL," explained Kaspersky researcher Maria Vergelis, in a recent blog post. "A pop-up notification of the invitation appears on the smartphone’s screen, and the recipient is encouraged to click on the link. The website where they are directed then tells victims to enter their credit-card details and add some personal information – which is sent straight to the scammers."

The Kaspersky researchers saw examples of fake surveys being pushed to users, with descriptions including "You've received a cash reward," or "There's a money transfer in your name."
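The defensive advice in this story is to review invitations before they land in the calendar rather than letting the app auto-add them. The following is an added illustration, not code from the article or from Google or Kaspersky: it parses a constructed iCalendar invitation, pulls out the organizer's domain and any links in the event text, and holds the invite for review when the organizer is outside an assumed trusted domain list or the event carries external links.

```python
import re
from urllib.parse import urlparse

# Constructed sample invitation (RFC 5545 format); the addresses and URL are
# invented for this example and use reserved .example names.
SAMPLE_INVITE = """BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-example-1
ORGANIZER;CN=Rewards:mailto:promo@calendar-prize.example
SUMMARY:You've received a cash reward
DESCRIPTION:Claim it here: http://survey.calendar-prize.example/claim
END:VEVENT
END:VCALENDAR"""

# Assumption: domains whose invites may be auto-added (own org, known contacts).
TRUSTED_DOMAINS = {"example.com"}
URL_RE = re.compile(r"https?://[^\s<>\"]+")

def parse_vevent(ics: str) -> dict:
    """Return the first value of each property, after RFC 5545 line unfolding.
    Parameters such as ;CN=... are dropped; parameter values containing ':' are
    not handled (enough for triage, not a full iCalendar parser)."""
    text = re.sub(r"\r?\n[ \t]", "", ics)
    props = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            props.setdefault(name.split(";", 1)[0].upper(), value)
    return props

def organizer_domain(props: dict) -> str:
    m = re.search(r"mailto:[^@\s]+@([\w.-]+)", props.get("ORGANIZER", ""), re.I)
    return m.group(1).lower() if m else ""

def is_trusted(host: str, trusted: set) -> bool:
    return any(host == d or host.endswith("." + d) for d in trusted)

def triage_invite(ics: str, trusted: set = TRUSTED_DOMAINS) -> dict:
    """Decide whether an invite may be auto-added or must be held for review."""
    props = parse_vevent(ics)
    domain = organizer_domain(props)
    links = set()
    for field in ("DESCRIPTION", "LOCATION", "URL"):
        links.update(URL_RE.findall(props.get(field, "")))
    reasons = []
    if not is_trusted(domain, trusted):
        reasons.append(f"organizer domain {domain or '(missing)'} not trusted")
    external = sorted(u for u in links
                      if not is_trusted((urlparse(u).hostname or "").lower(), trusted))
    if external:
        reasons.append("external link(s): " + ", ".join(external))
    action = "hold for review" if reasons else "auto-add"
    return {"action": action, "organizer_domain": domain,
            "links": sorted(links), "reasons": reasons}
```

Run `triage_invite(SAMPLE_INVITE)` to see the constructed invite held for review on both counts; swapping in an organizer and link under a trusted domain yields `auto-add`.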

Naaman Hart, cloud services security architect at Digital Guardian told SC Media UK that the news illustrates a wider trend: "This attack once again sees user safety put behind the core interests of the application developer. In this instance Google wants to force our attention to something by prompting a response from us when we receive a calendar invite. Annoyance seems to be the default setting for all applications these days and notifications demand our attention at every turn. Imagine how infuriating it would be if a random stranger followed you and constantly asked seemingly inane questions?

"These attacks are worrying as they’re incredibly easy to exploit and they can be used at a very large scale with minimal effort. Consumers should be wary of everything that’s pushed at them without them making a conscious effort to seek it out. Developers take the spam first, ask later approach and until that model changes, we’re susceptible to these exploits.

"Users should demand more control over how applications interact with us and the default notification mode at install time should be minimal to none. This would have the added benefit of improving work-life balance and reducing stress from being ‘always on’. It’s a proven fact that being constantly prompted by your smart device is damaging to your sleep and wellbeing."

Boris Cipot, senior security engineer at Synopsys, warned that maintaining caution even when dealing with trusted apps is essential: "Question every email and, in this case, invitation you receive. If it feels weird, wrong or unusual, then ask the person who sent this invite if he really sent it. Do not click on any links or attachments and watch out for the tell-tale signs of phishing messages: wrong words, bad translations, weird URLs etc. Whenever in doubt, it’s better to delete. As Kaspersky suggests, automation is not your friend in cases such as this, so do not let your calendar app put invitations automatically into your calendar, but rather review them yourself and then add them if they are not phishing."

Google said in a statement that: "Google's Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse. Combating spam is a never-ending battle, and while we've made great progress, sometimes spam gets through.

"We remain deeply committed to protecting all of our users from spam: we scan content on Photos for spam and provide users the ability to report spam in Calendar, Forms, Google Drive, and Google Photos, as well as block spammers from contacting them on Hangouts. In addition, we offer security protections for users by warning them of known malicious URLs via Google Chrome's Safe Browsing filters."
