Over the past few months, security researchers have become increasingly concerned about a deceptive form of phishing: Google Calendar spoofing. In this attack, criminals send legitimate-looking but fake meeting invitations that lead invitees to phishing websites. These sites imitate Google's own pages, which makes the lure more convincing and prompts users to enter sensitive information or click further malicious links.
Check Point researchers recently documented a Google Calendar spoofing campaign in which attackers targeted about 300 organizations with more than 4,000 spoofed calendar invites in just four weeks. A campaign of this scale shows how dangerous Google Calendar spoofing can be and why detecting and preventing it matters.
Key Takeaways
- Cybercriminals leverage Google Calendar’s features to send phishing emails that appear as legitimate invites.
- Google Calendar has over 500 million users, which makes the platform an attractive target: a lure that works there can reach users all over the world.
- Attackers host their lures on built-in Google services such as Google Forms and Google Drawings, so the links point to trusted Google domains and are harder for filters and users to tell apart from legitimate ones.
- In just four weeks, more than 4,000 phishing emails were detected in the scope of a Google Calendar spoofing campaign, which affected as many as 300 brands.
- Key security measures include enabling ‘Known Senders,’ avoiding suspicious invites, and strengthening email security.
How Google Calendar Spoofing Works
Below are the common stages of a Google Calendar spoofing attempt:
Exploiting Calendar Invite Features
Attackers use Google Calendar's ordinary invitation features to send emails that look like legitimate meeting invites. In the initial phase of the campaign, the invites carried links to Google Forms. Once the attackers noticed that security filters and gateways had started flagging malicious Calendar invites, they adapted.
The campaign has since moved to Google Drawings. Whether the link sits in a Google Form, a Google Drawing, or the .ics attachment itself, it typically leads to a page with a fake reCAPTCHA or a "support" button that the victim must click to proceed.
Google Calendar’s Default Flaw
By default, Google Calendar adds invitations to a user's calendar automatically, even when the invite is unsolicited. Attackers take advantage of this to place malicious links directly in users' calendars without the recipient ever opening or accepting the email.
Manipulated Email Headers and Sender Spoofing
Researchers found that the phishing invites slip past spam filters because they are sent through Google Calendar and therefore arrive from a legitimate Google service. The notification emails are generated by Google's own infrastructure, so their headers are indistinguishable from those of genuine calendar invitations. The researchers shared a snapshot of these headers showing that the messages reached inboxes because they passed SPF, DKIM, and DMARC checks. The caveat for defenders is that these checks authenticate the sending domain (Google's), not the person who created the invite, so a passing result says nothing about whether the organizer or the linked content can be trusted.
Attackers can also cancel the calendar event and add a note, which Google emails to all participants, effectively doubling the number of phishing emails per event. This cancellation message may carry a further link, for example to a Google Drawing, to push victims toward the phishing site.
Malicious .ics Files and Fake Links
The phishing emails include a calendar file (.ics) containing a link to a Google Form or Google Drawing. After the recipient clicks that first link, they are prompted to click a second malicious one, usually disguised as a reCAPTCHA or a support button.
These tactics are common across phishing emails, which are designed to trick recipients into revealing sensitive information or taking actions that benefit the attacker. Recognizing the shared characteristics of phishing emails makes it easier to avoid falling victim to such schemes.
Fake Support Pages and Cryptocurrency Scams
After clicking the malicious link, victims land on fraudulent websites built to steal personal or corporate data. These pages often mimic cryptocurrency mining landing pages, Bitcoin support sites, or fake authentication flows, with the objective of collecting sensitive details and payment information.
Why Google Calendar is a Target for Scammers
Google Calendar is one of the most widely used scheduling tools in the world, with over 500 million users relying on it to schedule meetings and manage their time. It is part of Google Workspace and is available in 41 languages.
Calendar invites are often trusted more than standard phishing emails, as users are accustomed to receiving and interacting with them on a regular basis. This also contributes to the success and effectiveness of Google Calendar spoofing attacks.
The Impact of Google Calendar Phishing Scams
Google Calendar Phishing scams can lead to major financial losses and data breaches for both individuals and organizations. When the attackers steal personal and financial information, they can use it for credit card fraud, unauthorized transactions, or to bypass security measures on other accounts.
The recent attack affected approximately 300 brands from a wide range of industries, including educational institutions, healthcare services, construction companies, and banks.
To mitigate the risks associated with these attacks, organizations should implement domain spoofing protection measures such as SPF, DKIM, and a DMARC policy for their own domains. These prevent unauthorized use of a company's domain name in phishing attempts and other fraudulent activities. Note what they do and do not cover: they stop your domain from being impersonated, but they do not block invites that are sent through Google's own infrastructure, which is why the user-facing Calendar settings and careful inspection of invite content matter as well.
The Latest Attack: 300 Organizations Targeted in Google Calendar Spoofing
Check Point researchers identified a phishing campaign that sent over 4,000 spoofed calendar invites to 300 organizations within just four weeks. The attackers set the sender details so that the invitations appeared to come from Google Calendar on behalf of known, trusted individuals.
The attackers' main motivation was financial gain: they aimed to trick users into providing sensitive information or access to corporate data, which could then be used for credit card fraud, unauthorized transactions, and bypassing security measures on other accounts.
The attack usually began with a calendar file (.ics) or links to fake support pages embedded in the phishing emails. Users were then prompted to complete "authentication" steps, enter personal information, and provide payment details on fraudulent landing pages, often disguised as cryptocurrency mining or Bitcoin support sites.
Google’s Response and Security Measures
Enable ‘Known Senders’ Setting
One useful step against Google Calendar spoofing is the ‘Known Senders’ setting in Google Calendar. Google itself recommends this feature in response to the ongoing Google Calendar spoofing campaigns. As stated by a Google spokesperson, enabling the ‘Only If The Sender Is Known’ setting in Google Calendar “helps defend against this type of phishing by alerting the user when they receive an invitation from someone not in their contact list and/or they have not interacted with from their email address in the past.”
General Security Practices Suggested by Google
In addition to the ‘Known Senders’ setting, Google offers some general recommendations for safer behaviour online. For example, users should:
- Review and adjust calendar settings from time to time.
- Be cautious of unexpected invites, particularly those that ask them to take some kind of unusual action. Knowing how to identify legitimate Google security alerts also helps against sophisticated phishing attempts.
- Verify the sender’s email address before accepting an invite.
Expert Tips to Protect Yourself from Calendar Phishing
Be Cautious with Event Invites
Carefully examine unexpected invites and sender details for inconsistencies, errors, or anything else that looks suspicious. Pay particular attention to invites that create a sense of urgency or fear of missing out, or that demand immediate action. Organizations can additionally use behavior analytics tools to detect unusual account activity.
Avoid Clicking Suspicious Links
Before clicking a link, hover over it to see where the URL actually points. Email security solutions with URL reputation checks add a further layer of protection. Do not download attachments from unknown sources, as they may carry malware.
Strengthen Account Security
Enable two-factor authentication (2FA) on your Google account: if your password is phished, 2FA can still stop the attacker from logging in. Use strong, unique passwords for each online account, and avoid personal details (name, date of birth, and so on) that are easy to guess. Regularly review the security settings across your Google services, and keep your operating system and apps up to date.
Follow the Regulations
Such requirements are not meant to punish senders or complicate their work; they exist to raise the baseline level of protection. Google and Yahoo have introduced email authentication requirements for bulk senders: anyone sending more than 5,000 emails per day must implement SPF, DKIM, and DMARC. Bulk senders must also offer an easy unsubscribe option and keep spam complaint rates below 0.3%. These measures are designed to protect users from phishing and other malicious email.
The Evolving Nature of Phishing Campaigns
Security measures improve, but so do attackers’ techniques. After realizing that their Google Forms lures were being detected, the group behind this campaign shifted to Google Drawings. Nothing ties the technique to Drawings in particular, so it is likely that other widely used Google services such as Docs and Drive will host the next lure. Stay flexible and apply the same caution to every platform you use, within Google Workspace and beyond.
Endnote
Given how widely Google Calendar is used in day-to-day communication, phishing that targets it deserves special attention and prompt action. The recent campaign showed how quickly and effectively these attacks can spread, so following Google’s and researchers’ recommendations is essential for staying safe online.
Always verify unexpected invites, especially those that request an action, and check URLs before clicking links in calendar events. Multi-factor authentication (MFA) and strong, unique passwords further limit what an attacker gains from a successful phish. These attacks may look complex and varied, but with the right knowledge and basic digital hygiene it is possible to stay protected against even sophisticated campaigns.
FAQs
Why do I keep getting spam calendar invites?
Google Calendar has a dedicated setting that controls how invitations are added to your calendar:
- Open Google Calendar.
- At the top right corner, click Settings.
- On the left, under “General,” click Event settings, then “Add invitations to my calendar.”
- Select one of the available options:
- “From everyone” (this option makes spam calendar invites more likely)
- “Only if the sender is known”
- “When I respond to the invitation in email”
How secure is Google Calendar?
Google Calendar includes numerous security features, but how secure it is in practice still depends on the user’s own settings and habits. Enabling two-factor authentication, using strong passwords, choosing the “Only if the sender is known” setting, and being cautious with invites from unknown sources all contribute to a safer Google Calendar environment for you and your contacts.
Does Gmail have anti-spoofing protections?
Yes, Gmail employs several anti-spoofing measures, including SPF, DKIM, and DMARC checks. However, as this campaign shows, a message can pass all three and still be malicious when it is sent through a legitimate service, so additional security measures are necessary. To strengthen email security beyond Gmail’s built-in protections, consider advanced DMARC solutions such as PowerDMARC, which offers email authentication and reporting tools to help protect businesses from spoofing, phishing, and other email-based threats.
- Google Calendar Spoofing: How Attackers Use It for Phishing Scams - March 3, 2025