Google Calendar Phishing and How to Reduce Your Exposure to It

While sitting with one of our clients recently, they mentioned to us that they kept getting event invites/notifications on Google Calendar that were phishing attempts or spam. They finally sent us a screenshot and we dug into the matter to learn more. In short, based on media reporting, phishing via Google Calendar has been going on for months. Engadget reported in early September that Google had yet to address the issue. [Source: Engadget] The Google support page on this matter still had not been updated as of September 29th, 2019. [Source: Google Support]

Before you go any further, we want to add this disclaimer that this entire article is for educational purposes and what we’re sharing should not be abused. Our goal is to show you what these phishing/spam attempts look like, and we’ll be providing the workarounds to reduce your chances of being exploited via Google Calendar until Google comes out with a permanent fix. With that said, let’s dive into the scam a little bit.

The scam relies on Google Calendar’s default setting that automatically accepts invitations. With that setting in place, a malicious event invitation is added to your calendar without any interaction on your part. From the attacker’s point of view, the deception works even better if the “victim” has the Google Calendar app installed on their phone, because of the way notifications are pushed through. The behavior of the invitation is also different in the mobile app versus the web app, which we explain below.

Out of curiosity, we wanted to replicate what our client sent us as closely as we could. Below is what you would see if you received a similar unsolicited invitation. The first image is the phone notification. The second and third images are the event invite itself.

Google Calendar mobile app notifications

Google Calendar mobile app event invite

Google Calendar mobile app event invite continued

What we find interesting about the invite is that the malicious link is placed where someone would normally put the location of the meeting or event. The behavior that results is also interesting. If you tap the link in the Google Calendar mobile app, you are taken straight to the URL. If you click the link in the desktop (web browser) version, Google Maps opens instead.

The attacker also has the option of adding the spam/phishing link in the event description. What we observed here is that one of the notifications that came through on the phone rendered the description as HTML instead of plain text. That allowed us to see the masked URL we had created and where it would actually send someone. We’ll show you what we mean in the next set of images below.

Google Calendar mobile app event notification.

Google Calendar mobile app notification. Event description is displayed as HTML instead of plain text.

In the last notification, you’ll notice the HTML encoding. Where we underlined, it shows that the link is crafted to look like it goes to a payroll service, but if someone were to click on it, they would be directed to our website. The next set of images shows what the event invite looks like.
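The two tells described above, a URL sitting in the location field and anchor text that names one domain while the href points at another, can both be checked mechanically before an invitation ever reaches a user. The following is an added example, not code from the original post; the event records in `SAMPLE_EVENTS` are constructed for illustration, and the `audit_event` helper and its output strings are our own naming. It goes slightly beyond the post by also comparing the link text’s domain against the href’s domain when the text is a bare hostname rather than a full URL.

```python
"""Flag calendar invitations that carry a deceptive link.

Added example (not from the original post). The event data below is
constructed for illustration; 'audit_event' and its finding strings are
hypothetical names chosen for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches an absolute http(s) URL in free text.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Matches a bare hostname such as payroll.example.com (no scheme).
HOST_RE = re.compile(r"[\w.-]+\.[a-z]{2,}", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML event description."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable-domain approximation: the last two labels.
    Enough to treat 'mail.example.com' and 'example.com' as the same site."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_is_deceptive(href, text):
    """True when the anchor text itself names a URL or hostname whose
    domain differs from the domain the href actually points to."""
    href_host = urlparse(href).hostname or ""
    m = URL_RE.search(text)
    text_host = urlparse(m.group(0)).hostname if m else None
    if text_host is None and HOST_RE.fullmatch(text.strip()):
        text_host = text.strip()
    if not text_host or not href_host:
        return False
    return registered_domain(text_host) != registered_domain(href_host)


def audit_event(event):
    """Return a list of findings for one invitation.

    'event' is a dict with optional 'location' and 'description' keys,
    the two fields the post shows being abused."""
    findings = []
    location = event.get("location") or ""
    if URL_RE.search(location):
        findings.append("location field contains a URL instead of a place")
    parser = _LinkCollector()
    parser.feed(event.get("description") or "")
    for href, text in parser.links:
        if link_is_deceptive(href, text):
            findings.append(f"link text '{text}' points to {href}")
    return findings


# Constructed sample invitations: one benign, one with a URL as the
# location, one with a masked link in an HTML description.
SAMPLE_EVENTS = [
    {"summary": "Team sync",
     "location": "Conference room 2B",
     "description": "Agenda attached."},
    {"summary": "Payroll update required",
     "location": "http://payroll-update.example/login",
     "description": "See details"},
    {"summary": "Q3 payroll forms",
     "location": "",
     "description": '<p>Please review at '
                    '<a href="http://attacker.example/p">payroll.example.com</a></p>'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["summary"], "->", audit_event(ev) or "no findings")
```

In practice the event dicts would come from whatever export or API feed you already have for your calendar data; the checks themselves only need the location and description fields. Treat a hit as a reason to review the invite, not as proof of malice, since legitimate invites do sometimes put a meeting URL in the location field.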

Google Calendar mobile app event invite with phishing/spam attempt in description section.

Google Calendar mobile app event invite with phishing/spam attempt in description section continued.

The invite in this last set of images is targeting a company, so if your business uses Google Calendar it is incredibly important that you:

  • Have the workarounds in the section below enabled until Google has made the appropriate fixes.
  • Teach your employees how to recognize a social engineering attack and a phishing attempt, and, specific to this article, have them become very familiar with how Google Calendar behaves.

And now, without further delay, the workarounds.

Google Calendar Workarounds

The settings we’re about to show you can only be changed in the web browser version of Google Calendar.

First, log in to Google Calendar.

Click on the gear icon and then click on “Settings.”

Click “Event settings” on the side bar, or scroll down until you get to the section.

Event settings for Google Calendar (web)

In the “Event settings” options under “Automatically add invitations” select “No, only show invitations to which I have responded.”

“Event settings” options

Below the “Event settings” menu is a section called “View options.” In this section make sure “Show declined events” is unchecked.

“View options” settings

Lastly in the “Events from Gmail” section make sure that “Automatically add events from Gmail to my calendar” is unchecked.

Again, these are only workarounds that reduce the chance of this happening, and they may affect how some features within Google Calendar work.

This is a good place to wrap things up.

We hope this is helpful for you. If it is, pass this article along to people you know who use Google Calendar, and if you need our help with something, contact us here.