A very sophisticated phishing attack targets Gmail users through fraudulent and unwelcome Google Calendar notifications. The campaign takes advantage of a common default feature for people using Gmail on their smartphones: “Calendar invites automatically pop up on phones, prompting users to accept or decline them.”
“Cyber criminals send targets an unsolicited calendar invitation carrying a link to a phishing URL,” explained Kaspersky researcher Maria Vergelis, in a write-up on Monday 10th of June. “A pop-up notification of the invitation appears on the smartphone’s screen, and the recipient is encouraged to click on the link. The website where they are directed then tells victims to enter their credit-card details and add some personal information – which is sent straight to the scammers.”
Spam and phishing delivered through non-traditional attack vectors like this can help criminals reach victims who might not fall for a more obvious attack. Other Google Calendar features can be exploited in a similar fashion; for example, attackers are skilled at using Google Calendar to set up fake polls for which a reward is offered. The “poll” is a phishing attempt that asks for personal information. Like this Google Calendar scam, these attacks are overall very effective and easy to fall for.
Mobile users can protect themselves from calendar phishing specifically by turning off the automatic adding of invitations to their calendars. If users aren’t sure whether a website they are redirected to is real and safe, they should never enter personal information that could do harm.
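Where incoming invitations can be inspected before they reach a calendar (for example at a mail gateway), the pattern described above, an invitation from an unfamiliar sender that carries a link, can be checked mechanically. The following is an added example, not code from Kaspersky or Google; the function name `triage_invite`, the known-senders set and the sample invite are assumptions constructed for illustration.

```python
import re

# Constructed sample invite (not from a real campaign); example.test is a reserved test domain.
SAMPLE_INVITE = (
    "BEGIN:VCALENDAR\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Rewards Team:mailto:promo@mailer.example.test\r\n"
    "SUMMARY:You have received a reward\r\n"
    "DESCRIPTION:Confirm your card details at https://pay.example.test/cl\r\n"
    " aim?id=1 to collect it.\r\n"
    "LOCATION:https://pay.example.test/claim\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

URL_RE = re.compile(r'https?://[^\s"<>\\,;]+', re.I)
TEXT_FIELDS = {"SUMMARY", "DESCRIPTION", "LOCATION", "URL"}


def unfold(ics):
    # RFC 5545 folding: a line break followed by a space or tab continues the line.
    # Unfolding first matters, otherwise a folded URL is seen only in part.
    return re.sub(r"\r?\n[ \t]", "", ics).splitlines()


def triage_invite(ics, known_senders):
    """Return the organizer, the links found, and a 'suspicious' flag.

    Assumption: 'unsolicited' is approximated as 'organizer not in known_senders'.
    Simplification: parameter values containing a quoted ':' are not handled.
    """
    known = {s.lower() for s in known_senders}
    organizer, urls = None, []
    for line in unfold(ics):
        head, sep, value = line.partition(":")
        if not sep:
            continue
        name = head.split(";", 1)[0].upper()
        if name == "ORGANIZER":
            organizer = re.sub(r"(?i)^mailto:", "", value.strip()).lower()
        elif name in TEXT_FIELDS:
            urls += [u.rstrip(".)") for u in URL_RE.findall(value)]
    urls = list(dict.fromkeys(urls))  # de-duplicate, keep order
    return {"organizer": organizer, "urls": urls,
            "suspicious": bool(urls) and organizer not in known}


if __name__ == "__main__":
    print(triage_invite(SAMPLE_INVITE, {"colleague@corp.example.test"}))
```

A flagged invitation is a candidate for quarantine or user warning rather than proof of phishing, since legitimate invitations from new contacts also contain links.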
There are over a billion monthly active Gmail users, and 75% of them use the Gmail app on their mobile device. This is very concerning: the number of potential targets is immense.