If you thought scammers were sticking to email and SMS to trick you, wait until you check your calendar.
It seems that scammers aren’t done, and lately the approach is all about finding new places to trick you.
A fresh approach for scammers has turned up in recent weeks, as cybercriminals add events to the calendars of random individuals in an attempt to get them to click a phishing link.
The scam adds a sequence of events for the next several months to as much as two years, placing events in your online calendar simply by inviting you over emails that may skip your inbox altogether.
The calendar phishing scams we’ve seen look to be coming from Russia or another Eastern European nation, and they’re pretty consistent, providing an almost endless set of days on your calendar — and possibly your wearable — informing you of them all of a sudden.
It means if you’re unlucky enough to be invited to a nonsense event by a scammer, your calendar will be populated with events every day for as much as two years, with each event including the same name, text, and location.
The point of the current calendar scam appears to be to get you to click, as checking the event location reveals a phishing link waiting for you.
This scam may well be playing on how curious we all are, placing a link in the location field for us to click on. However, the reality is that this scam is like every other: the goal is to get you to click a phishing link and hand over your details.
That makes it no different from other phishing scams; the only real difference is the use of calendars to lure people in.
“While phishing is one of the oldest tricks in the book, the ‘calendar phishing’ scam currently doing the rounds is a new tactic added to cybercriminals’ artillery to catch people off-guard,” said Tim Falinski, Senior Director for Consumer at Trend Micro in the Asia Pacific region.
“This comes as a result of email services becoming better at identifying malicious links and many consumers being more switched on and sceptical of emails that seem too good to be true,” he said.
“As with other phishing attempts, the purpose of the calendar phishing scam remains the same – to access personal details or money by getting the user to click on a link and share sensitive information,” said Tim.
“What’s different in this instance is that cybercriminals have acknowledged that consumers may expect a phishing scam via email or SMS, so they have turned to other, more unsuspecting areas of our digital lives. They have begun exploiting a default email setting where calendar invites will automatically appear in the individuals’ calendar, catching them while they least expect it and playing on their natural curiosity to see what the invitation is and how it got there.”
As frustrating as the new calendar phishing scam is, perhaps most interesting is that the scam may not be that new at all.
Before everyone had smartphones to rely on instead of computers, and before cloud email services applied machine-learning-driven rules to decide what to do with incoming mail, we had calendars.
These days, scammers have moved to newer methods, such as grouping their SMS messages under one sender name to trick people into thinking the messages come from known brands, but this apparently was not always the case.
“It’s not a new attack,” said Aaron Bugal, Global Solutions Engineer for Sophos.
“We first saw this in 2008,” he said. “It was a simpler form of phishing at that time, but enticed the user to join a meeting that may have even had a real person (attacker) at the other end who would try to socially engineer information out of them. Not much has changed with the current versions going around, except most of the content of the invitation is a shortened URL that redirects the user to a good old fashioned phishing campaign.”
“With these modern calendar phishing examples, the attackers are using the default behaviour of the Google Gmail application, that is, when it receives an email with what looks like an event, or in these examples a calendar invite, it automatically populates the calendar with the placeholder for the invitation,” said Bugal.
“This causes a push notification to be displayed to the user, typically with minimal information like the name of the event and a couple of lines from the body of the invitation – in this case the shortened URL,” he said.
“As such, it’s tempting to click on the invite, which stirs our natural curiosity.”
If you are targeted and you suddenly see a bunch of foreign events pop up on your calendar, instead of clicking accept, head to your online calendar system (such as Google Calendar) and remove yourself from the entire list of events.
We tested this on Google Calendar and found it worked across the several invites we’ve been sent recently.
Furthermore, Sophos suggests declining and deleting the invite without notifying the sender, as “this will remove the event from your calendar and at the same time does not indicate to the attacker that you saw and interacted with their message”.
Scammers are able to slip these calendar invites past your mail client’s automatic protections; that is, Gmail and other mail systems tend to add calendar invites to the calendar automatically, even if they’re not something you want or care about.
As such, Sophos and Trend Micro also suggest you consider turning off “Events from Gmail” and similar features on other calendars where invites are automatically added to a calendar.
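The traits described above (a URL sitting in the event location and a single event repeated daily for months or years) are easy to check for mechanically before an invite is ever accepted. The following is an added example, not code from the article or from Trend Micro or Sophos: a small dependency-free parser for iCalendar (.ics) invites that flags events matching those traits. The sample invite, the `example.invalid` addresses and the 180-day threshold are all constructed assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed sample .ics invite (not a real captured message). It contains one
# daily-recurring event with a shortened URL in LOCATION, mirroring the pattern
# the article describes, plus one ordinary event that should not be flagged.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed-sample//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-uid-0001@example.invalid
DTSTAMP:20190701T090000Z
DTSTART:20190701T090000Z
DTEND:20190701T093000Z
RRULE:FREQ=DAILY;UNTIL=20210701T000000Z
SUMMARY:You have received a bonus
LOCATION:https://short.example.invalid/abc123
DESCRIPTION:Click the link to claim.
ORGANIZER:mailto:sender@example.invalid
END:VEVENT
BEGIN:VEVENT
UID:constructed-uid-0002@example.invalid
DTSTAMP:20190701T090000Z
DTSTART:20190705T120000Z
DTEND:20190705T130000Z
SUMMARY:Lunch with Sam
LOCATION:Cafe on Main St
ORGANIZER:mailto:sam@example.invalid
END:VEVENT
END:VCALENDAR
"""

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
LONG_RUN_DAYS = 180  # assumption: a daily series longer than this is unusual for a personal invite


def unfold(ics_text):
    """Join RFC 5545 folded lines (continuations start with a space or tab)."""
    lines = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_events(ics_text):
    """Return one dict per VEVENT, keyed by property name with parameters stripped."""
    events, current = [], None
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            current[name.split(";", 1)[0].upper()] = value
    return events


def to_date(value):
    """Accept DATE or DATE-TIME values (e.g. 20190701 or 20190701T090000Z)."""
    return datetime.strptime(value[:8], "%Y%m%d")


def series_length_days(event):
    """Days spanned by the recurrence; 0 if non-recurring, inf if open-ended."""
    if "RRULE" not in event:
        return 0
    rule = dict(part.split("=", 1) for part in event["RRULE"].split(";") if "=" in part)
    if "UNTIL" not in rule:
        return float("inf")
    return (to_date(rule["UNTIL"]) - to_date(event["DTSTART"])).days


def assess(event):
    """List the reasons an invite looks like calendar phishing (empty if none)."""
    reasons = []
    for field in ("LOCATION", "DESCRIPTION", "SUMMARY"):
        if URL_RE.search(event.get(field, "")):
            reasons.append(f"url in {field}")
    days = series_length_days(event)
    if days == float("inf"):
        reasons.append("open-ended recurrence")
    elif days > LONG_RUN_DAYS:
        reasons.append(f"recurring for {days} days")
    return reasons


def triage(ics_text):
    """Map each suspicious event's UID to its reasons; clean events are omitted."""
    flagged = {}
    for event in parse_events(ics_text):
        reasons = assess(event)
        if reasons:
            flagged[event["UID"]] = reasons
    return flagged


if __name__ == "__main__":
    for uid, reasons in triage(SAMPLE_ICS).items():
        print(uid, "->", ", ".join(reasons))
```

Run against the sample, only the first event is flagged, for both the URL in its location and the two-year daily series. An invite that trips either check is a candidate for the response described above: decline and delete it from the calendar without notifying the organizer, so the sender gets no signal that the message was seen.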
It does seem like this sort of scam has the potential to be annoying, so knowing how to beat it as it starts to hit — as it returns from the dead, essentially — will give you more control and make it less likely to affect you in the long term.