Security researchers have warned that attackers are abusing Google Calendar to target users with credential-stealing attacks.
Avinash Jain, a security researcher from India, explained how misconfigured sharing settings in Google services can be exploited. Using a Google dork (an advanced search query), he was able to find every calendar whose owner had set it to public. He also noted that attackers are abusing Google Calendar to run phishing campaigns that trick users into handing over sensitive information such as passwords, card details and other financial data.
“This is an intended feature provided by Google Calendar but what if a user doesn’t intend to share the calendar until he shares the link and still someone is able to find the public link of their calendar. Then that becomes a problem. And what if someone belonging to an organization makes their official Google Calendar public — They might end up disclosing internal information of the company,” Avinash said in a blog post.
The issue is not new. Earlier, threat intelligence and cybersecurity firm Kaspersky reported detecting a wave of unsolicited pop-up calendar notifications pushed to Gmail users by cybercriminals as part of a sophisticated spam campaign. The calendar phishing emails exploited a default behaviour of Google Calendar: an invitation sent to a Gmail address is added to the recipient's calendar automatically and raises a notification on the mobile app, whether or not the recipient ever accepted it.
The scam starts when the attacker sends an unsolicited calendar invitation carrying a phishing URL and urges the recipient to click it. The link redirects the user to a fake website that imitates a legitimate one and presents a short questionnaire, with a prize promised on completion.
To collect the "prize", the victim is asked to enter personal details such as name, phone number, address and bank details, which the attackers then use to steal money or commit identity fraud. The researchers urged users to turn off the "Automatically add invitations" option in Google Calendar's settings, so that unsolicited invitations no longer appear in the calendar or trigger notifications.
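As an added example (not code from the article, from Jain's blog or from Kaspersky's report), the following Python script performs the triage a mail gateway or SOC team could apply to invitations like the ones described above. It unfolds and parses a constructed .ics invite, pulls every link out of the summary, description, location and URL fields, and flags links whose host does not belong to the organizer's mail domain or that hide behind a URL shortener, combined with the prize-and-claim lure wording. The two sample invitations, the shortener list and the lure-word list are constructed for the demo and are assumptions, not data from the page.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not from the article): an unsolicited invitation whose
# description links to a domain unrelated to the organizer. The DESCRIPTION
# line is folded as RFC 5545 requires (continuation line starts with a space).
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "METHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Prize Team:mailto:promo@example.net\r\n"
    "SUMMARY:You have received a cash reward\r\n"
    "DESCRIPTION:Claim your prize in 24 hours: https://survey.example-rewards.test/claim?\r\n"
    " id=42 or call us.\r\n"
    "LOCATION:https://example.net/office\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Constructed benign invitation for comparison.
BENIGN_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\n"
    "ORGANIZER:mailto:alice@example.net\r\n"
    "SUMMARY:Team sync\r\n"
    "DESCRIPTION:Agenda: https://docs.example.net/sync\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Illustrative lists for the demo, deliberately not exhaustive (assumption).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
LURE_WORDS = ("prize", "reward", "won", "claim", "verify", "urgent")
LINK_FIELDS = ("SUMMARY", "DESCRIPTION", "LOCATION", "URL")


def unfold_lines(text):
    """Undo RFC 5545 line folding: a line starting with SPACE/TAB continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_event(ics_text):
    """Return {property name: value} for the first VEVENT.

    Parameters after ';' (e.g. CN=...) are dropped; the value is everything
    after the first ':'. Enough for triage, not a full iCalendar parser.
    """
    props, in_event = {}, False
    for line in unfold_lines(ics_text):
        if line == "BEGIN:VEVENT":
            in_event = True
            continue
        if line == "END:VEVENT":
            break
        if not in_event or ":" not in line:
            continue
        name_part, value = line.split(":", 1)
        props[name_part.split(";", 1)[0].upper()] = value
    return props


def organizer_domain(event):
    """Mail domain of ORGANIZER ('mailto:x@example.net' -> 'example.net')."""
    addr = event.get("ORGANIZER", "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def host_belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)


def triage_invite(ics_text):
    """Flag the link and lure patterns a phishing invitation typically carries."""
    event = parse_event(ics_text)
    org_domain = organizer_domain(event)
    findings = []
    for field in LINK_FIELDS:
        for url in URL_RE.findall(event.get(field, "")):
            url = url.rstrip(".,;)")  # drop trailing sentence punctuation
            host = (urlparse(url).hostname or "").lower()
            if host in SHORTENERS:
                findings.append({"field": field, "url": url,
                                 "reason": "URL shortener hides the destination"})
            elif org_domain and not host_belongs_to(host, org_domain):
                findings.append({"field": field, "url": url,
                                 "reason": f"host {host} is outside organizer domain {org_domain}"})
    text = " ".join(event.get(f, "") for f in ("SUMMARY", "DESCRIPTION")).lower()
    lure_words = [w for w in LURE_WORDS if w in text]
    verdict = "suspicious" if findings and lure_words else "review" if findings else "ok"
    return {"verdict": verdict, "organizer_domain": org_domain,
            "findings": findings, "lure_words": lure_words}


if __name__ == "__main__":
    for name, ics in (("sample", SAMPLE_ICS), ("benign", BENIGN_ICS)):
        print(name, triage_invite(ics))
```

Treat the verdict as a triage signal rather than a block decision: legitimate invitations routinely link to third-party conferencing or document domains, so an off-domain link alone only earns "review", and it is the combination with lure wording from an unsolicited sender that should route the invite to a human or strip it before the calendar auto-adds it.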