Google Calendar being exploited by spammers

Experts at Kaspersky have identified multiple cases of a scam targeting users through unsolicited Google Calendar notifications.

Google’s anti-spam module avoids flagging notifications from its own services as spam. Spammers are abusing this to bypass the spam filter and deliver emails to inboxes, exploiting the default Google Calendar feature that automatically adds calendar invitations and notifications.

May saw numerous unsolicited pop-up calendar notifications appearing for Gmail users, due to a vast number of sophisticated spam emails being sent by scammers.

Dubbed the “calendar scam”, the scheme involves the perpetrators sending an unsolicited calendar invitation that contains a link to a phishing URL. A pop-up notification of the invitation appears; when clicked, it redirects the user to a website that hosts a simple questionnaire offering money for its completion.

In order to receive the prize, the user has to enter their credit card details and some personal information including their name, phone number and address – however, rather than the user receiving a prize, the information goes straight to the scammers.

Maria Vergelis, security researcher at Kaspersky, said in a press release:

“The ‘calendar scam’ is a very effective scheme, as most people have become used to receiving spam messages from emails or messenger apps.

“But this may not be the case when it comes to the Calendar app, which has a main purpose to organize information rather than transfer it. So far, the sample we’ve seen contains text displaying an obviously weird offer, but as it happens, every simple scheme becomes more elaborate and trickier with time. The good news is that it’s fairly easy to avoid such a scam – the feature that enables it can be easily turned off in the calendar settings.”

Researchers at Kaspersky have advised users to turn off the automatic adding of invitations to their calendar.

As well as exploiting Google Calendar, scammers were also found to be leveraging Google Photos by sharing photographs “that include comments about sudden large remittances that can be had by replying to the e-mail address supplied in the message”.
