Scammers are abusing a Google Calendar feature in a sophisticated phishing scam to steal data from the 1.5 billion users of Google Calendar, including Gmail users. Multiple cases were observed recently of a sophisticated phishing scam targeting consumers through unsolicited Google Calendar notifications, with the purpose of tricking users into sharing their personal information.
Google Calendar users received sophisticated emails from scammers containing a link that exploits a common default feature of Google Calendar: the automatic addition and notification of unwanted events and invitations. Those who clicked on the link were brought to a malicious website that features simple questionnaires and offers prize money upon completion. Without the users' knowledge, their personal information, such as credit card credentials, could be stolen if they entered it into the site.
Interestingly, scammers aren’t using traditional emails to make this phishing scam happen. A security researcher said that the calendar scam is a very effective scheme, as most people have become used to receiving spam messages through email or messenger apps. But this may not be the case when it comes to the Calendar app, whose main purpose is to organize information rather than transfer it.
Google Calendar users are less likely to ignore invitations and events coming from the calendar, since Google Calendar is a trusted application, and often they’ll click on the link without much thought.
Unfortunately, Google Calendar is not the only service targeted by scammers. Similar attacks have been seen through Google Photos, Google Hangouts and even commercial services like Google Ads and Google Analytics, using notifications to attack targets.
Calendar-based attacks and scams have been around on the Internet for years. But it was only in 2016 that users of Apple devices began receiving notifications on their Calendar app, made possible through unprotected sharing mechanisms.
Fortunately, this type of phishing scam can be easily avoided: Google Calendar leaves automatic event creation on by default, but it can be turned off. Users can do this by heading to the Settings tab and selecting the option Events from Gmail. From this option, users uncheck the box for ‘Automatically add events from Gmail to my calendar’.