One billion Google Calendar users exposed to fake invite scam
The security flaw allows cyber criminals to take advantage of a default setting that automatically adds invitations to a person’s Calendar when they are sent via email.
Unsolicited invites then appear as a notification through the Google Calendar app, which, if clicked on, can lead users to an official-looking page requesting personal and financial details.
“We’re aware of the spam occurring in Calendar and are working diligently to resolve this issue,” Google wrote in an update to its Calendar Help page.
“We’ll post updates to this thread as they become available… Thank you for your patience.”
Google included details of what people should do if they see a suspicious invitation or event in their inbox. It advises recipients to report the event as spam, which will remove all events from that organiser from the person’s calendar.
Around 1.5 billion people in 143 countries use Google’s Gmail and Calendar apps, which are provided to anyone who signs up for a Google account.
The fake invite scam was first discovered by security researchers in 2017 but Google is only now addressing the issue.
Black Hills Information Security published details of the exploit in a blog post two years ago, describing how security controls designed to prevent such attacks could be easily bypassed.
In researching the bug, the cyber security firm discovered that it was not even necessary to send an email to create an event in someone else’s calendar.
When creating an event in Google Calendar, it is possible to select “Don’t Send” when prompted to send invitations to guests of the event.
The researchers noted that this was a particularly useful feature for hackers, as users have grown weary of receiving spam and malicious links in emails. Receiving an official notification through Google Calendar is less likely to provoke suspicion, they noted.
“Possibly the most interesting element of the calendar is that it can create a sense of urgency simply by alerting a user to something. Perhaps the user completely ‘forgot’ they had a meeting scheduled,” the blog states.
Links within the event or notification will then take victims to a fake Google authentication page that captures their credentials.