djbaxter
Administrator
- Joined
- Jun 28, 2012
- Messages
- 3,778
- Solutions
- 2
- Reaction score
- 1,877
New Security Warning Issued For Google's 1.5 Billion Gmail And Calendar Users
by Davey Winder, Forbes.com
June 11, 2019
Read more...
by Davey Winder, Forbes.com
June 11, 2019
In what the researchers refer to as a "sophisticated scam," users of the Gmail service are being targeted primarily through the use of malicious and unsolicited Google Calendar notifications. Anyone can schedule a meeting with you, that's how the calendar application is designed to work. Gmail, which receives the notification of the invitation, is equally designed to tightly integrate with the calendaring functionality.
When a calendar invitation is sent to a user, a pop-up notification appears on their smartphone. The threat actors craft their invitations to include a malicious link, leveraging the trust that user familiarity with calendar notifications brings with it. The researchers have noticed attackers throughout the last month using this technique to effectively spam users with phishing links to credential stealing sites. By populating the location and topic fields to announce a fake online poll or questionnaire with a financial incentive to participate, the threat actors encourage the victim to follow the malicious link where bank account or credit card details can be collected. By exploiting such a "non-traditional attack vector," the criminals can get around the fact that people are increasingly aware of common methods to encourage link-clicking.
Is this just a phishing thing then?
"Beyond phishing, this attack opens up the doors for a whole host of social engineering attacks," says Javvad Malik, security awareness advocate at KnowBe4. Malik told me that in order to gain access to a building, for example, you could put in a calendar invite for an interview or similar face to face appointment such as building maintenance which, he warns "could allow physical access to secure areas."
Hugo van den Toorn, manager of Offensive Security at Outpost24, agrees that the danger extends beyond the pure phishing realm. "This phishing attack specifically leveraged the intended functionality of a certain mobile application," van den Toorn explains, "likely they could have also added attachments with malware targeting these users."
How can you best mitigate the risk?
Kaspersky advises users to turn off the automatic adding of calendar invitations by going to the "Event Setting" menu in Google Calendar and disabling the "automatically add invitations" option by enabling the "only show invitations to which I've responded" one instead. Furthermore, it is advised that "Show declined events" in the View Options section is also left unchecked. ... Javvad Malik agrees, telling me that users should "validate meetings in the calendar manually and treat unexpected entries with a healthy dose of skepticism..."
Read more...