Gmail and the applications associated with it seem to have some level of inherent trust among users. We just don’t anticipate threats to come in via something from Google. However, it does happen, as a recent spat of phishing has shown using Gmail and Google Calendar. What’s worse, this particular scam has been around for some time.
We’ll review how the scam works, and what can be done to protect your business from its effects.
How This Scam Works
Let’s outline the scenario: a user logs into their Google account and finds an invite for a Google Calendar event. The invite is for a crucial company-wide meeting – apparently to discuss a new vision for the company, changes to policies moving forward, that kind of thing – that is scheduled to take place at the end of the day. A link is included for the complete agenda to the meeting. Clicking the link brings the user to an authentication page, where the user inputs their credentials.
Uh oh… the user was caught up in the scam.
This scam is unnervingly simple to enact. An invite is sent to a user for a calendar event, which is automatically added and the user notified. In that notification, a scammer includes fraudulent links to a facsimile Google login page – which is actually just a means for a hacker to steal the user’s credentials. Sometimes, this link will just allow malware to install itself on the user’s systems.
Some attackers have fooled personal users by claiming that they won a cash prize – informing them through the fraudulent calendar entry.
How This Was Discovered
This scam was actually first reported back in 2017 by researchers at an IT security firm, but no apparent steps to resolve it were taken by Google.
One of the researchers noticed that an unfamiliar calendar event had been added to their Calendar when another user at the firm shared an upcoming flight itinerary through Gmail. However, the event was automatically added to the researcher’s calendar. Digging deeper into the implications this accident brought up, the firm realized that an email doesn’t need to be sent to add an event to someone’s calendar. Then came the thought: sure, we all know to look for phishing in our emails, but would we ever question a Calendar entry?
As the firm’s tests indicated: apparently not.
How to Help Stop This Scam
While Google is still working on a fix – after finally acknowledging the issue, that is – there are a few things that your users can do to help prevent this scheme from taking advantage of your business. They need to disable any events from Gmail being added to the Calendar automatically, and they also need to disable any event invitations from being automatically added as well.
These options can be found in Settings in the Google Calendar application. Under Event settings, deselect the option for Events from Gmail to “Automatically add events from Gmail to my calendar.” You also need to change the Automatically add invitations option to “No, only show invitations to which I have responded.”
Hopefully, enacting this will keep you from experiencing a phishing attack from an unexpected source – your agenda.