Google’s suite of productivity tools is estimated to have over 1.5 billion users, with Gmail and Google Calendar being the most popular tools. A convenience feature within these tools was recently shown to be an effective way to trick users into clicking on dangerous links.
By default, events can be added to Google Calendar from an email with event details, such as dinner reservations or an upcoming flight. Events can also be added when someone else includes you in an event that they created even if they don’t send you an email invitation.
Most users are fairly aware of the various attempts to use fake email messages as a way of phishing information through malicious links.
But if you find a strange event in your calendar that includes a link to learn more or prepare for a meeting, it’s not something most users are thinking critically about.
Black Hills Information Security, a cyber-security firm provided a detailed explanation of how they discovered this potential risk and how it works (http://bit.ly/2Q82uzH).
They stumbled upon the ‘event injection’ problem when one of their employees found a calendar event that was added to his calendar without his knowledge that came from another employee’s email sharing their upcoming travel plans.
To explore how this could be used maliciously, they created a calendar event that appeared to be from the CEO of a company that was listed as an ‘All Hands Meeting’ that was happening in 10 minutes and then sent it to the employees. The invitation included a link with a description that read: “This is a mandatory company-wide meeting to review some recent changes to policy. Please review the following agenda prior to the meeting”. The invitation included a link to a malicious fake Google authentication page, which the security team found to be highly successful in tricking users.
Blocking Automatic Calendar Events
The best way to avoid being scammed in this way is to change the default setting in Google Calendar.
Start by clicking on the gear icon in the upper right corner, clicking on ‘Settings’, then on ‘Events from Gmail’. Remove the checkmark from ‘Automatically add events from Gmail to my calendar’.
Warning – changing this setting will also remove previously added events from Gmail, which means some past or future events that you may want to keep will be gone. Printing out calendar events, especially future events, will give you the opportunity to compare after you make the change.
The next setting to change is the one that allows invitations to automatically get added to your calendar, which is done in the ‘Event settings’ menu. Change the ‘Automatically add invitations’ to ‘No, only show invitations to which I have responded’.
Black Hills pointed out that given the proper tools, a malicious invitation can still bypass this setting, so until Google updates how this feature works, continue to be diligent should anything you don’t recognize appear in your calendar.
Those responsible for Internet security should be warning all of their users of this potentially new way of being ‘phished’ to help reduce the chances of being exploited.