Phishing emails are quite common. Calendar phishing has emerged as a new tactic in which scammers take advantage of Google Calendar settings. They can place their own event, containing phishing links, on a user's calendar schedule via Gmail. A notification appears when there is a scheduled event. In calendar phishing, the calendar notification pops up automatically even if the user has not responded to the invitation. The scam is very effective because the notifications come from the trusted Google Calendar.
The scam was reported in 2017 by two researchers at Black Hills Information Security, but Google did not take any steps back then. Kaspersky, a threat intelligence firm, has come out with new findings about calendar phishing.
The attack is carried out by sending an invite to the user. Calendar's built-in feature automatically adds that event and sends a notification to the user. The mail contains phishing links and alluring lines that entice the user to click.
“The scammers use a planned email list to send fraudulent invitations,” says Maria Vergelis, a security researcher at Kaspersky who has been studying the method. “They can also set the number of reminders to deliver the same message many times until the desired link is clicked or the invitation is deleted. And such an invitation automatically adds the notifications to one’s calendar. The delivery method is quite new and growing.”
A fake Calendar entry entices the user by claiming that he has won a contest and must enter his card details to claim the prize money. A notification arrives on the phone. The user, considering it reliable, clicks the link and enters his bank details.
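The traits described above (an unsolicited invite carrying a link and an unusually large number of reminders) can be checked on the defensive side. The following is an added example, not code from the article, Kaspersky or Google; it assumes the invitation's iCalendar (.ics) text has already been extracted from the email, and the function names, the reminder threshold and the sample invite are hypothetical.

```python
import re

URL_RE = re.compile(r"https?://[^\s\\<>\"']+", re.I)

def unfold(ics):
    """RFC 5545 unfolding: a line break followed by space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics).splitlines()

def triage_invite(ics, known_senders, max_alarms=2):
    """Return one record per VEVENT, with the reasons it resembles invite spam."""
    results, ev = [], None
    for line in unfold(ics):
        name, _, value = line.partition(":")
        prop, value = name.split(";")[0].upper(), value.strip()
        if (prop, value.upper()) == ("BEGIN", "VEVENT"):
            ev = {"uid": None, "organizer": None, "urls": set(), "alarms": 0}
        elif ev is None:
            continue  # calendar-level properties are not inspected
        elif (prop, value.upper()) == ("BEGIN", "VALARM"):
            ev["alarms"] += 1  # each VALARM is one scheduled reminder
        elif prop == "UID":
            ev["uid"] = value
        elif prop == "ORGANIZER":
            ev["organizer"] = re.sub(r"(?i)^mailto:", "", value).lower()
        elif prop in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL"):
            ev["urls"].update(URL_RE.findall(value))
        elif (prop, value.upper()) == ("END", "VEVENT"):
            reasons = []
            if ev["urls"]:
                reasons.append("contains link")
            if ev["alarms"] > max_alarms:  # threshold is an assumption
                reasons.append(f"{ev['alarms']} reminders")
            unknown = ev["organizer"] not in known_senders
            results.append({**ev, "urls": sorted(ev["urls"]), "reasons": reasons,
                            "suspicious": unknown and bool(reasons)})
            ev = None
    return results

# Constructed sample invite (not a real message); example.test hosts are placeholders.
SAMPLE = "\r\n".join([
    "BEGIN:VCALENDAR", "METHOD:REQUEST", "BEGIN:VEVENT", "UID:constructed-1",
    "ORGANIZER;CN=Prize Team:mailto:promo@example.test", "SUMMARY:You won a contest",
    "DESCRIPTION:Enter your card details at https://prize.example.test/cl",
    " aim to receive the prize\\nOffer ends today",
] + ["BEGIN:VALARM", "ACTION:DISPLAY", "TRIGGER:-PT10M", "END:VALARM"] * 4
  + ["END:VEVENT", "END:VCALENDAR"])

if __name__ == "__main__":
    print(triage_invite(SAMPLE, known_senders={"colleague@example.test"}))
```

The sample's link is deliberately split across a folded line, so the URL is only recovered intact because unfolding happens before matching.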
“We’re aware of the spam occurring in Calendar and are working diligently to resolve this issue. We’ll post updates to this thread as they become available, learn how to report and remove spam. Thank you for your patience,” the Google support forum reported, finally taking notice of the scheme. Google has added many useful links to help users prevent other malicious scams. It has advised users to report any such events as spam in future.
Users can also prevent such events by changing the calendar settings. Go to Calendar Settings -> Events and change the option from “Automatically add invitations” to “No, only show invitations to which I have responded.” Gmail can be prevented from adding events to the Google Calendar app by not checking the box marked “Add automatically” under the “Events from Gmail” heading.
Though Google reported it as a scam, it is a security breach. It raises many questions regarding Google's policies. Apart from stealing money, this attack can also be used by terrorists to obtain secret codes and other secret information.