Hackers are exploiting a feature on Google Calendar that affects all 1.5 billion users around the world, security researchers have found.
Cybersecurity provider and researcher Kaspersky Lab published a report detailing its findings that malicious actors are utilising a Google feature in an attempt to steal users’ financial details.
The trick involves using a feature in Google Calendar allowing anyone to create a calendar event, invite a random person, and have an automatic notification sent to them about it.
“Because Google Calendar is designed to let anyone at all invite you to a meeting, both Calendar and Gmail are totally fine with any John Doe scheduling a meeting with you,” the Kaspersky report said.
The hack identified by Kaspersky involved malicious actors using this feature to send a link to a phishing website in the calendar notification. The link directed the user to a website featuring a questionnaire with prize money on offer. The site asked for a “fixed” payment, with the user required to enter their credit card details and personal information.
This information would then be sent straight to the hacker, and could be used to steal money or the user’s identity.
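To show the pattern described above in a form a defender could check invites against, here is an added example (not code from the article or from Kaspersky): a small Python scanner that parses an iCalendar (.ics) invite, compares the organizer with a known-contacts list, and flags invites from strangers whose event text carries a URL. The sample invites, addresses and contact list are constructed for this example.

```python
import re

URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)

# Constructed sample invites for this example (not from the Kaspersky report).
# The second one uses RFC 5545 line folding (CRLF + space) to split the URL.
SAMPLE_INVITES = {
    "colleague": (
        "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
        "ORGANIZER;CN=Alice:mailto:alice@example.com\r\n"
        "SUMMARY:Weekly sync\r\nDESCRIPTION:Agenda: https://docs.example.com/sync\r\n"
        "END:VEVENT\r\nEND:VCALENDAR\r\n"
    ),
    "stranger_with_link": (
        "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
        "ORGANIZER:mailto:prize@example.net\r\n"
        "SUMMARY:You have won a cash prize!\r\n"
        "DESCRIPTION:Claim it now at https://prize.example.net/clai\r\n m?user=1\r\n"
        "END:VEVENT\r\nEND:VCALENDAR\r\n"
    ),
}
KNOWN_CONTACTS = ["alice@example.com"]  # constructed allowlist

def parse_vevent(ics_text: str) -> dict:
    """Minimal iCalendar parser: unfold continuation lines, then return the
    properties of the first VEVENT as {NAME: value}, with parameters stripped."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)  # RFC 5545 line unfolding
    props, in_event = {}, False
    for line in unfolded.splitlines():
        if line == "BEGIN:VEVENT":
            in_event = True
        elif line == "END:VEVENT":
            break
        elif in_event and ":" in line:
            name, value = line.split(":", 1)
            props[name.split(";", 1)[0].upper()] = value
    return props

def classify_invite(ics_text: str, known_contacts) -> dict:
    """Flag an invite when the organizer is not a known contact AND the event
    text (summary, description, location) contains a URL."""
    props = parse_vevent(ics_text)
    organizer = props.get("ORGANIZER", "").lower()
    if organizer.startswith("mailto:"):
        organizer = organizer[len("mailto:"):]
    known = organizer in {c.lower() for c in known_contacts}
    text = " ".join(props.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION"))
    urls = URL_RE.findall(text)
    return {"organizer": organizer, "known_contact": known,
            "urls": urls, "suspicious": (not known) and bool(urls)}
```

A flagged invite is a candidate for review, not proof of phishing; a colleague's invite with a link is deliberately left unflagged because the organizer is on the contact list.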
“Spam and phishing threats that exploit non-traditional attack vectors can be lucrative for criminals, as they can often successfully trick users who might not fall for a more obvious attack,” the Kaspersky report said.
“This is particularly true when it comes to trusted legitimate services, such as email calendar features, which can be exploited through so-called ‘calendar phishing’.”
The scam is especially dangerous as it may trick people who would never click on a traditional phishing email, Kaspersky security researcher Maria Vergelis said.
“The ‘calendar scam’ is a very effective scheme, as most people have become used to receiving spam messages from emails or messenger apps,” Vergelis said.
“But this may not be the case when it comes to the Calendar app, which has the main purpose to organise information rather than transfer it.”
And while the phishing URL that users were directed to wouldn’t trick most people, such lures may become harder to spot in the future, she said.
“So far, the sample we’ve seen contains text displaying an obviously weird offer, but as it happens, every simple scheme becomes more elaborate and trickier with time,” Vergelis said.
Luckily, the feature that lets anyone add an event to someone else’s calendar and trigger a notification can be easily disabled. Gmail users can open the Calendar app, click the gear icon, go to event settings and choose “No, only show invitations to which I’ve responded” in the drop-down menu.
“The good news is that it’s fairly easy to avoid such a scam – the feature that enables it can be easily turned off in the calendar settings,” Vergelis said.
A Google spokesperson said the company is serious about addressing spam and phishing attacks like the “calendar scam”.
“Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse,” the spokesperson said.
“Combating spam is a never-ending battle, and while we’ve made great progress, sometimes spam gets through. We remain deeply committed to protecting all of our users from spam: we scan content on Photos for spam and provide users the ability to report spam in Calendar, Forms, Google Drive, and Google Photos, as well as block spammers from contacting them on Hangouts.
“In addition, we offer security protections for users by warning them of known malicious URLs via Google Chrome’s Safe Browsing filter.”