Threat actors are exploiting Google Calendar for phishing and spoofing attempts
Threat actors are becoming more sophisticated, and the safety of the digital space is suffering as a result. Over the past few months, cybersecurity experts have noticed a new phishing tactic in which bad actors send fake meeting invitations that redirect the invitees to phishing websites. These invites look exactly like genuine Google invites, and even the phishing website is cloned so well that it is difficult to spot as fake. Because the cloned pages are so convincing, the success rate of these attacks is extremely high; users enter sensitive details and download malicious files without batting an eye.
According to Check Point, this new phishing tactic has already affected around 300 brands. Researchers have observed roughly 4,000 of these emails in a four-week period. With over 500 million Google Calendar users globally, this manipulation can wreak havoc if not contained in time.
How are threat actors executing Google Calendar spoofing?
Spoofers alter the ‘sender’ headers so that the emails appear to have been legitimately sent via Google Calendar on behalf of a known sender. Here is how they execute the whole scam:
Exploiting the Google Calendar invites feature
Attackers are sending fake invites that look legitimate. During the early phase of the scam, they exploited features that were inherent in Google Calendar. They included links that directed invitees to Google Forms.
Lately, however, the attack has become more complex and more serious, as spoofers have found a way to bypass the security filters and gateways that were flagging malicious Calendar invites earlier. The attack has now evolved to make use of Google Drawings as well. The links, which point to Google Forms, Google Drawings, or ICS file attachments, lead to a page that presents a CAPTCHA or a support button.
By default, Google automatically adds invites to a user’s calendar, even if the user did not request them. Attackers exploit this by placing malicious links on users’ calendars without needing an email to be opened.
Altering email headers
It has been observed that the cybercriminals behind this scam can bypass spam filters by sending the fake invites through Google Calendar itself. These emails look genuine; hence, it is difficult to distinguish and flag them. They even pass SPF, DKIM, and DMARC checks, because the invitation really is sent through Google’s infrastructure; a passing authentication result therefore says nothing about whether the organizer is who they claim to be.
Spoofers can also cancel the invites and add a note that is delivered to all the participants. This increases the effectiveness of the scam, as it reaches more potential targets. The message can also carry a link to Google Forms or Google Drawings, redirecting victims to malicious, cloned websites.
Using malicious .ics files and fake links
These phishing emails often include a calendar file with the .ics extension. It contains a link to Google Forms or Google Drawings, and when an invitee clicks that first link, they are taken to a second one, presented as a CAPTCHA or support button.
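As an added defender-side example (not code from the original article or from Check Point), the script below parses a constructed .ics attachment of the kind described, undoes the RFC 5545 line folding that hides links from a naive grep, and reports every embedded URL with a verdict; the sample invite, the trusted-host allowlist, and the lure-host list are assumptions for illustration.

```python
import re
from urllib.parse import urlparse
# Constructed sample .ics (not a captured artifact); DESCRIPTION is folded per RFC 5545, splitting both URLs.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Example//Constructed//EN
BEGIN:VEVENT
UID:constructed-0001@example.invalid
ORGANIZER;CN=Finance Team:mailto:finance@partner.example
SUMMARY:Q4 bonus payout - action required
DESCRIPTION:Confirm your details here: https://docs.google.com/forms/d/e
 /CONSTRUCTED-ID/viewform then complete the support step at https://supp
 ort-verify.example.net/captcha
END:VEVENT
END:VCALENDAR
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
LINK_PROPS = {"DESCRIPTION", "LOCATION", "URL", "ATTACH", "X-ALT-DESC", "COMMENT"}
TRUSTED_HOSTS = {"calendar.google.com", "meet.google.com"}  # assumed allowlist for this example
LURE_HOSTS = {"docs.google.com", "forms.gle"}  # Forms/Drawings hosts the report says are used as lures

def unfold(ics: str) -> list:
    """Undo RFC 5545 line folding: a newline followed by one space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics).splitlines()

def extract_urls(ics: str) -> list:
    """Return every http(s) URL found in the link-bearing properties of the invite."""
    urls = []
    for line in unfold(ics):
        prop = line.split(":", 1)[0].split(";", 1)[0].upper()  # drop parameters such as ;CN=
        if prop in LINK_PROPS:
            urls.extend(URL_RE.findall(line.replace("\\,", ",")))  # undo ICS comma escaping
    return urls

def organizer_domain(ics: str) -> str:
    """Domain in the ORGANIZER mailto, to compare against the message's real sender."""
    m = re.search(r"^ORGANIZER[^:]*:mailto:[^@\s]+@([^\s>]+)", "\n".join(unfold(ics)), re.I | re.M)
    return m.group(1).lower() if m else ""

def classify(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    if host in TRUSTED_HOSTS:
        return "trusted"
    if host in LURE_HOSTS:
        return "lure-candidate"  # a legitimate Google host, but the redirector this campaign relies on
    return "external"

def triage(ics: str) -> list:
    return [(u, classify(u)) for u in extract_urls(ics)]
```

Run `triage(SAMPLE_ICS)` against an unsolicited invite: the Google Forms link is itself legitimate, so the verdict only says it is a known lure pattern, and the second, external host is what deserves the URL reputation check.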
Fake support pages and cryptocurrency scams
After clicking the malicious link, victims are taken to fake websites designed to steal personal or corporate data. These sites often imitate cryptocurrency mining pages, Bitcoin support portals, or fake login screens to capture sensitive information and payment details.
Implications of the Google Calendar attacks
If a Google Calendar scam succeeds, the victims can lose money and sensitive information. Moreover, if you download the payload behind a malicious link, your device can become infected with malware, leading to cyber espionage, ransomware attacks, system and performance issues, and more. All of this can result in significant financial losses, reputational damage, and legal violations.
Falling victim to these attacks is stressful for organizations and individuals alike, and the aftereffects linger on both systems and reputation.
Preventing Google Calendar attacks
These attacks are still at a nascent stage, and there are no dedicated tools to stop them. However, Google advises the following general practices:
Enable the ‘known senders’ setting
Google itself emphasizes using its ‘known senders’ feature, which prevents spoofing attacks by alerting users when they receive an invitation from someone who is not on their contact list or with whom they have not interacted in the past.
Carefully examine the Google Calendar invites
Be cautious with the invites, especially unsolicited and unexpected ones. Notice inconsistencies or errors in details. If anything in the email note sounds too good to be true, take it as a red flag. Moreover, be careful with invite emails that create a sense of urgency.
Hover over links
Before clicking links in unsolicited invites, hover over them to see where they lead. Proceed only if the destination is a site you recognize and trust. You can also use advanced email security solutions that include URL reputation checks.
Do not download attachments from anonymous senders, as these can contain malware that can be installed on your system.