Way back in 2017, two researchers at Black Hills Information Security disclosed how a vulnerability in the Google Calendar app was leaving more than a billion users open to a credential-stealing exploit. Google apparently didn’t fix this at the time as it would have caused “major functionality drawbacks” for Calendar users, despite those researchers demonstrating how they had weaponized the vulnerability at the Wild West Hackin’ Fest. Fast-forward to June 11, 2019, and I reported how the vulnerability was still putting 1.5 billion Gmail users at risk. A Google spokesperson responded to my story by insisting that “Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse.” That statement went on to say that Google offers “security protections for users by warning them of known malicious URLs via Google Chrome’s Safe Browsing filters.” Now, it seems, Google is finally taking this security problem somewhat more seriously.
How does the Google Calendar attack work?
Gmail users are finding themselves on the wrong end of a sophisticated scam which leverages misplaced trust through the use of malicious and unsolicited Google Calendar notifications.
Google Calendar allows anyone to schedule a meeting with you, and Gmail is built to integrate tightly with this calendaring functionality. Combine these two facts and a threat actor has a non-traditional attack vector that sidesteps the growing awareness among average users of the danger of clicking unsolicited links.
When a calendar invitation is sent to a user, a pop-up notification appears on their smartphone. The threat actors craft their messages to include a malicious link, exploiting the trust that users place in familiar calendar notifications. Those links can lead to a fake online poll or questionnaire offering a financial incentive to participate, where bank account or credit card details are collected.
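The mechanism described above is simply an unsolicited invitation, from an organizer the recipient has never corresponded with, whose description or location field carries a link. The following Python script is an added example, not code from the original article or from Google, showing how a mail gateway or security team could triage incoming iCalendar (.ics) invitations on that basis: it unfolds RFC 5545 continuation lines, pulls the organizer and any embedded URLs out of each VEVENT, and flags invites that combine an unknown sender with a link. The sample invitation, the addresses in it and the `known_senders` allowlist are all constructed for the example.

```python
import re

# Constructed sample invitation (not a real captured message): a VEVENT from an
# organizer the recipient has never dealt with, whose description carries a
# link to a "claim your reward" page. Note the RFC 5545 line folding: the URL
# is split across two lines, the second starting with a single space.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Example//Constructed//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-0001@example.invalid
DTSTAMP:20190612T090000Z
DTSTART:20190614T140000Z
ORGANIZER;CN=Rewards Team:mailto:rewards@unknown-sender.invalid
ATTENDEE;CN=Target:mailto:user@example.invalid
SUMMARY:You have won a cash reward
DESCRIPTION:Complete this short survey to claim your reward:\\n https://surve
 y.example.invalid/claim?id=123
LOCATION:Online
END:VEVENT
END:VCALENDAR
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def unfold(ics_text):
    """Join RFC 5545 folded lines: a line starting with a space or tab is the
    continuation of the previous one."""
    lines = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_events(ics_text):
    """Return one dict per VEVENT mapping property name -> value. Property
    parameters such as ;CN=... are dropped; only the value is kept."""
    events, current = [], None
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            if current is not None:
                events.append(current)
            current = None
        elif current is not None and ":" in line:
            name_with_params, value = line.split(":", 1)
            name = name_with_params.split(";", 1)[0].upper()
            current[name] = value
    return events

def organizer_address(event):
    """Lower-cased organizer e-mail address, without the mailto: prefix."""
    value = event.get("ORGANIZER", "").strip()
    if value.lower().startswith("mailto:"):
        value = value[len("mailto:"):]
    return value.lower()

def assess_invite(ics_text, known_senders):
    """Flag invitations whose organizer is not in the known-sender list and
    which carry a link in DESCRIPTION, LOCATION or URL. Returns one finding
    per event so a gateway can quarantine or annotate the invite."""
    allowlist = {s.lower() for s in known_senders}
    findings = []
    for ev in parse_events(ics_text):
        sender = organizer_address(ev)
        urls = []
        for prop in ("DESCRIPTION", "LOCATION", "URL"):
            # iCalendar escapes newlines as the two characters backslash-n.
            urls += URL_RE.findall(ev.get(prop, "").replace("\\n", " "))
        findings.append({
            "uid": ev.get("UID"),
            "organizer": sender,
            "urls": urls,
            "suspicious": sender not in allowlist and bool(urls),
        })
    return findings

if __name__ == "__main__":
    for f in assess_invite(SAMPLE_ICS, ["boss@example.invalid"]):
        print(f)
```

A real deployment would replace the static allowlist with the recipient's address book or prior-correspondence history, and would also consider the SUMMARY text and the METHOD (unsolicited REQUESTs being the case the article describes); the point of the check is that an invite from a stranger carrying a link deserves the same scrutiny as an unsolicited e-mail with one.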
It’s wrong to think of this as just being spam, as Google appears to want to classify it, or for that matter just another phishing scheme. “Beyond phishing, this attack opens up the doors for a whole host of social engineering attacks,” Javvad Malik, security awareness advocate at KnowBe4, said when I wrote that first report. Malik told me that to gain access to a building, for example, an attacker could use a calendar invite for an interview or a building maintenance appointment which, he warned, “could allow physical access to secure areas.”