
Hackers Hide Phishing Links Inside .ics Calendar Invitations

Phishing Campaign on FINRA

Threat actors are finding innovative ways to trick people into clicking or downloading malicious links or entering sensitive information on fake forms. In a recent security discovery, the Cofense Phishing Defense Center (PDC) found that cybercriminals are using calendar invitations to launch phishing attacks.

Researchers at Cofense found a new phishing campaign targeting enterprise email environments. It delivers .ics calendar invitations that contain phishing links in the body, sent with the subject “Fault Detection from Message Center” from a sender named “Walker”. The hackers used a compromised email account belonging to a school district to bypass email filters.

The Phishing Page

The fake calendar invitation contains a malicious URL hosted on Microsoft’s SharePoint site and also displays another link that redirects the user to a phishing site. When a user clicks on the calendar invitation, they are redirected to a document hosted on the SharePoint site, which contains yet another malicious link. If the victim clicks on the second link, they are redirected to a phishing website hosted by Google that looks like a legitimate Wells Fargo banking login page. The bogus page asks users to enter sensitive information such as login details, account numbers, PIN, and email credentials. After entering this information, the user is redirected to the actual Wells Fargo login page, to make them believe that their account is secured.

“Cofense observed the use of several compromised accounts used to send this campaign. Using a compromised real account originating from Office 365 allows the email to bypass email filters that rely on DKIM/SPF. The story in this phish is a version of a classic lure, ‘suspicious activity on the user’s bank account.’ This attachment, however, does not jibe with the ruse considering it’s a calendar invite. A more fitting lure would have been something like ‘I attached a meeting invite; can you please attend,’” the researchers said in a statement.
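Since sender authentication passes when the sending account is real, one check a mail pipeline can still apply is to pull every URL out of the .ics attachment itself and hand it to reputation lookup or analyst review. The following is an added example, not code from Cofense or from the original article; the sample invite, the placeholder hostnames and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample invite for illustration; hostnames are placeholders.
# The DESCRIPTION URL is split by RFC 5545 line folding (CRLF + space).
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Fault Detection from Message Center\r\n"
    "DESCRIPTION:Unusual activity detected.\\nReview: https://tenant.exam\r\n"
    " ple/sites/doc?id=1\r\n"
    "LOCATION:https://files.example/view\r\n"
    "ATTACH;FMTTYPE=text/html:HTTPS://Tenant.example/sites/doc?id=1\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
PROP_RE = re.compile(r"[A-Za-z0-9-]+")

def unfold(ics_text):
    # A line break followed by one space or tab continues the previous line.
    return re.sub(r"\r?\n[ \t]", "", ics_text)

def unescape_text(value):
    # Undo TEXT escaping: backslash-n is a newline; backslash before , ; \ is literal.
    return re.sub(r"\\([nN,;\\])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def extract_urls(ics_text):
    """Return (property, url, host) for each http(s) URL in any property or parameter."""
    found = []
    for line in unfold(ics_text).splitlines():
        m = PROP_RE.match(line)
        if not m:
            continue
        rest = unescape_text(line[m.end():])  # parameters and value together
        for url in URL_RE.findall(rest):
            url = url.rstrip(".,;)")
            found.append((m.group(0).upper(), url, urlsplit(url).hostname))
    return found

def unique_hosts(ics_text):
    return sorted({host for _, _, host in extract_urls(ics_text) if host})

if __name__ == "__main__":
    for prop, url, host in extract_urls(SAMPLE_ICS):
        print(f"{prop:12} {host or '-':16} {url}")
```

Unfolding before matching matters: a scanner that applies a URL pattern to the raw attachment would see only a truncated hostname for the folded DESCRIPTION link.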

Google Calendar Scam

Threat intelligence and cybersecurity firm Kaspersky stated that scammers carried out phishing attacks by abusing Google Calendar services to trick users into giving away sensitive information such as passwords, card details, and other financial data. Cybercriminals sent several unsolicited pop-up calendar notifications to Gmail users as a sophisticated spam email attack. The calendar phishing emails exploit the feature that automatically adds calendar invitations and sends notifications for them to people using Gmail on their mobiles.