Google’s Gmail email service is used by upwards of 1.5 billion people. The Google Calendar app, meanwhile, has been downloaded more than a billion times from the Play Store. Security researchers have this week warned that threat actors are exploiting the popularity of both in order to target users with a credential-stealing attack. Here’s what you need to know.
What does this attack involve?
Security researchers working at Kaspersky
have revealed how threat actors are using the tight, and automatic, integration
between different Google services in order to target users with malicious
exploits.In what the researchers refer to as a “sophisticated scam,” users of the Gmail service are being targeted primarily through the use of malicious and unsolicited Google Calendar notifications. Anyone can schedule a meeting with you, that’s how the calendar application is designed to work. Gmail, which receives the notification of the invitation, is equally designed to tightly integrate with the calendaring functionality.
When a calendar invitation is sent to a user,
a pop-up notification appears on their smartphone. The threat actors craft
their invitations to include a malicious link, leveraging the trust that user
familiarity with calendar notifications brings with it.
The researchers have noticed attackers throughout the last month using this technique to effectively spam users with phishing links to credential stealing sites. By populating the location and topic fields to announce a fake online poll or questionnaire with a financial incentive to participate, the threat actors encourage the victim to follow the malicious link where bank account or credit card details can be collected. By exploiting such a “non-traditional attack vector,” the criminals can get around the fact that people are increasingly aware of common methods to encourage link-clicking.
How can you best mitigate the risk?
Kaspersky advises users to turn off the
automatic adding of calendar invitations by going to the “Event Setting” menu
in Google Calendar and disabling the “automatically add invitations” option by
enabling the “only show invitations to which I’ve responded” one instead.
Furthermore, it is advised that “Show declined events” in the View Options
section is also left unchecked.
If turning off the automatic adding of events to your calendar is impractical, and it’s likely to be just that for many who rely on this type of scheduling, then Boris Cipot, a senior security engineer at Synopsys, has some general mitigation advice. “Question every email and in this case invitation you receive,” he says, “if it feels weird, wrong or unusual then ask the person who sent this invite if they really sent it.”
