Google's Gmail email service is used by upwards of 1.5 billion people. The Google Calendar app, meanwhile, has been downloaded more than a billion times from the Play Store. Security researchers have this week warned that threat actors are exploiting the popularity of both in order to target users with a credential-stealing attack. Here's what you need to know.
What does this attack involve?
Security researchers working at Kaspersky have revealed how threat actors are using the tight, and automatic, integration between different Google services in order to target users with malicious exploits.
In what the researchers refer to as a "sophisticated scam," users of the Gmail service are being targeted primarily through the use of malicious and unsolicited Google Calendar notifications. Anyone can schedule a meeting with you, that's how the calendar application is designed to work. Gmail, which receives the notification of the invitation, is equally designed to tightly integrate with the calendaring functionality.
When a calendar invitation is sent to a user, a pop-up notification appears on their smartphone. The threat actors craft their invitations to include a malicious link, leveraging the trust that user familiarity with calendar notifications brings with it.
The researchers have noticed attackers throughout the last month using this technique to effectively spam users with phishing links to credential stealing sites. By populating the location and topic fields to announce a fake online poll or questionnaire with a financial incentive to participate, the threat actors encourage the victim to follow the malicious link where bank account or credit card details can be collected. By exploiting such a "non-traditional attack vector," the criminals can get around the fact that people are increasingly aware of common methods to encourage link-clicking.
Is this just a phishing thing then?
"Beyond phishing, this attack opens up the doors for a whole host of social engineering attacks," says Javvad Malik, security awareness advocate at KnowBe4. Malik told me that in order to gain access to a building, for example, you could put in a calendar invite for an interview or similar face to face appointment such as building maintenance which, he warns "could allow physical access to secure areas."
Hugo van den Toorn, manager of Offensive Security at Outpost24, agrees that the danger extends beyond the pure phishing realm. "This phishing attack specifically leveraged the intended functionality of a certain mobile application," van den Toorn explains, "likely they could have also added attachments with malware targeting these users."
How can you best mitigate the risk?
Kaspersky advises users to turn off the automatic adding of calendar invitations by going to the "Event Setting" menu in Google Calendar and disabling the "automatically add invitations" option by enabling the "only show invitations to which I've responded" one instead. Furthermore, it is advised that "Show declined events" in the View Options section is also left unchecked.
If turning off the automatic adding of events to your calendar is impractical, and it's likely to be just that for many who rely on this type of scheduling, then Boris Cipot, a senior security engineer at Synopsys, has some general mitigation advice. "Question every email and in this case invitation you receive," he says, "if it feels weird, wrong or unusual then ask the person who sent this invite if they really sent it."
Obviously, there's also the "do not click on any links or attachments" advice to be had. "Whenever in doubt it's better to delete," Cipot warns, but ultimately the Kaspersky advice should be followed he says. "Automation is not your friend in cases such as this, so do not let your calendar app put invitations automatically into your calendar," Cipot concludes.
Javvad Malik agrees, telling me that users should "validate meetings in the calendar manually and treat unexpected entries with a healthy dose of skepticism..."
UPDATE: It has been brought to my attention that researchers Beau Bullock and Michael Felch, working at Black Hills Information Security, were the first to disclose the Google Calendar invitation technique. The full story of that disclosure back in 2017 reveals how Google was informed about the vulnerability and responded by silently adding an option to disable the functionality. The researchers found a way to work around that and after the public disclosure and weaponizing of the vulnerability at the Wild West Hackin' Fest that year, Google contacted the researchers to state that no "fix" had been made because "making this change would cause major functionality drawbacks for legitimate API events with regards to Calendar." A case of user experience taking priority over security in other words.
Google has been approached for comment and I will update the story once again should any be forthcoming.
UPDATE: A Google spokesperson has sent me the following statement:
Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse. Combating spam is a never-ending battle, and while we've made great progress, sometimes spam gets through. We remain deeply committed to protecting all of our users from spam: we scan content on Photos for spam and provide users the ability to report spam in Calendar, Forms, Google Drive, and Google Photos, as well as block spammers from contacting them on Hangouts. In addition, we offer security protections for users by warning them of known malicious URLs via Google Chrome's Safe Browsing filters.
