The weakness in Google Calendar is not a code bug but a default setting: invitations sent to a user's Gmail address are added to their Calendar automatically, whether or not the user ever responds to them. Attackers abuse this by mailing bulk invitations whose description or location field carries a malicious link.
Unrequested invites then surface as ordinary Google Calendar notifications on the phone and in the browser. Clicking one leads to a legitimate-looking page that asks for the user's personal and financial details.
The fake invite scam was first described in 2017 by two researchers at Black Hills Information Security, but Google is only addressing it now. The researchers reported the problem to Google and demonstrated how they used calendar invitations to harvest user credentials, and they also described how the security controls meant to stop such attacks could be bypassed with little effort. Google apparently did not fix it at the time.
The researchers noted that this is a particularly useful channel for attackers: users have grown wary of spam and malicious links in email, but an official-looking notification from Google Calendar is far less likely to raise suspicion.
Possibly the most interesting element of the Calendar vector is that it creates a sense of urgency simply by alerting the user about an upcoming event. Links inside those events then take victims to a fake Google sign-in page that captures their credentials.
In the digital era, personal data is a currency of its own. It can be sold for profit on underground markets, used to compromise other online accounts and, in the worst cases, used for identity theft or fraudulent purchases.
Google Confirms The Calendar App Security Problem
Google is finally treating this threat more seriously. In a post to the Google Calendar Help Community forum, Lesley Pace, a Google employee, states: "We're aware of the spam occurring in Calendar and we are also working diligently to resolve this issue. We'll post updates on this issue as they become available. Thank you for your patience."
How Does the Google Calendar Fake Invite Scam Work?
Google Calendar allows anyone who knows a user's address to schedule a meeting with that user, and because Gmail is built to integrate with Calendar, the event is added to the user's Calendar without any action on their part. Google Calendar users tend to assume that anything already on their calendar must be legitimate, so they click the pop-up notification for the fraudulent event, or a link inside it, and are redirected to an attack site. In most cases these links lead to fake sign-in portals, online polls or questionnaires designed to collect bank account or credit card details.
Consider an example. A Google Calendar user receives a notification about an all-hands meeting starting in a few minutes, with a link to the material to be discussed. Feeling the urgency, the user does not examine the reminder closely, clicks the link and lands on the attacker's site.
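To make the attack concrete, here is an added example (not code from the original article or from the Black Hills researchers) that parses an invitation in the iCalendar format Gmail receives and flags the signs described above: an organizer outside the user's own domain, a link whose host is not one you trust (with a note when the hostname mimics a Google sign-in page), and urgency wording in the event title. The invitations, the domain `examp1e-corp.invalid` and the trust lists passed to `assess_invite` are all constructed for illustration; only the Python standard library is used.

```python
import re
from urllib.parse import urlparse

# Constructed sample invitation (iCalendar / RFC 5545), not a real captured message.
# The DESCRIPTION line is "folded" across two lines with CRLF + space, as real .ics is.
SAMPLE_INVITE = (
    "BEGIN:VCALENDAR\r\n"
    "METHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-example-1@example.invalid\r\n"
    "ORGANIZER;CN=IT Helpdesk:mailto:helpdesk@examp1e-corp.invalid\r\n"
    "SUMMARY:All-hands meeting starting in 5 minutes\r\n"
    "DESCRIPTION:Agenda and slides: https://accounts-google.examp1e-corp.invalid/\r\n"
    " signin?continue=calendar\r\n"
    "LOCATION:https://meet.google.com/xxx-xxxx-xxx\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Constructed benign invitation from a colleague, used to show the clean path.
BENIGN_INVITE = (
    "BEGIN:VCALENDAR\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-example-2@example.invalid\r\n"
    "ORGANIZER:mailto:alice@example.com\r\n"
    "SUMMARY:Weekly sync\r\n"
    "LOCATION:https://meet.google.com/xxx-xxxx-xxx\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Words attackers use to rush the victim; these alone are low severity.
URGENCY_WORDS = ("starting in", "minutes", "urgent", "immediately", "action required", "verify")


def unfold(ics_text):
    """Join RFC 5545 folded lines: a line starting with space/tab continues the previous one."""
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def parse_vevent(ics_text):
    """Return the properties of the first VEVENT as {NAME: value}.

    Property parameters (e.g. ;CN=...) are dropped. This simple split does not
    handle a colon inside a quoted parameter value; enough for the demonstration.
    """
    props, in_event = {}, False
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            in_event = True
        elif line == "END:VEVENT":
            break
        elif in_event and ":" in line:
            name_params, value = line.split(":", 1)
            props[name_params.split(";", 1)[0].upper()] = value
    return props


def unescape_text(value):
    """Undo iCalendar TEXT escaping so URLs with commas/semicolons survive."""
    return value.replace("\\n", "\n").replace("\\,", ",").replace("\\;", ";").replace("\\\\", "\\")


def host_is_trusted(host, trusted_hosts):
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def assess_invite(ics_text, trusted_sender_domains, trusted_link_hosts):
    """Score one invitation. Returns {"verdict": "ok"|"suspicious", "findings": [(severity, msg)]}."""
    props = parse_vevent(ics_text)
    findings = []

    organizer = props.get("ORGANIZER", "").lower().replace("mailto:", "")
    sender_domain = organizer.rpartition("@")[2]
    if not sender_domain or not host_is_trusted(sender_domain, trusted_sender_domains):
        findings.append(("high", f"organizer domain not trusted: {sender_domain or '<none>'}"))

    # Links can hide in the description, the location or the URL property.
    for field in ("DESCRIPTION", "LOCATION", "URL"):
        for url in URL_RE.findall(unescape_text(props.get(field, ""))):
            host = urlparse(url).hostname or ""
            if host_is_trusted(host, trusted_link_hosts):
                continue
            msg = f"{field} links to untrusted host: {host}"
            if any(word in host for word in ("google", "accounts", "login", "signin")):
                msg += " (sign-in lookalike in hostname)"
            findings.append(("high", msg))

    summary = props.get("SUMMARY", "")
    if any(word in summary.lower() for word in URGENCY_WORDS):
        findings.append(("low", f"urgency cue in summary: {summary!r}"))

    verdict = "suspicious" if any(sev == "high" for sev, _ in findings) else "ok"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for name, invite in (("sample", SAMPLE_INVITE), ("benign", BENIGN_INVITE)):
        result = assess_invite(invite, {"example.com"}, {"google.com"})
        print(name, result["verdict"])
        for severity, message in result["findings"]:
            print("  ", severity, message)
```

Run against the constructed sample, the script reports the untrusted organizer, the `accounts-google.examp1e-corp.invalid` link as a sign-in lookalike and the urgency wording, while the `meet.google.com` location passes; the benign invite comes back clean. The host check is deliberately suffix-based so that `meet.google.com` matches `google.com` but `google.com.evil.example` does not.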
How To Protect Yourself From Google Calendar Fake Invite Scam?
First of all, turn off the feature that automatically adds Gmail invitations to your Google Calendar. Attackers can still send you invitations, but they will no longer appear on your calendar or trigger notifications until you accept them.
Step 1. In the web Calendar app, click the gear icon in the top right corner of the page and select "Settings".
Step 2. In the left-hand menu, click "Event settings".
Step 3. In Event settings, change the "Automatically add invitations" option to "No, only show invitations to which I have responded" in the drop-down menu.
Step 4. Then, in the left-hand menu, click "Events from Gmail".
Step 5. Uncheck "Automatically add events from Gmail to my calendar".
Step 6. You will get a warning that reads "You'll no longer see events automatically added from your email. Previously added events from Gmail will be removed". Click OK.
After these changes, an invitation is added to your Calendar only once you accept it.
So the Google Calendar fake invite scam is easy to avoid, thanks to these settings.
It is also advisable never to click a link in a Calendar event that comes from an unknown email address or a party you do not recognize.
Never enter personal information on a site unless you know what it is and can verify that it is genuine. You can't always be 100% sure, so your best option is to stay away from entering sensitive data on sites you did not navigate to yourself.
If you are unsure whether a site is safe, look at the little lock icon next to the web address. Bear in mind that the lock only tells you the connection is encrypted, not that the site is honest: phishing pages routinely use valid certificates, so check that the domain itself is the one you expect.
If you want to learn more about how to check if a link is safe to click or not then Click here.
If you use the calendar services from Apple or Microsoft, be aware that they have similar issues that need addressing.
I hope you found useful information in this article. If you have any questions, please mention them in the comments section and I will get back to you, and stay tuned to my blog to learn interesting things related to cybersecurity and hacking.