A sophisticated scam is targeting Gmail users through fraudulent, unsolicited Google Calendar notifications as well as through other Google services, including Photos and Forms, according to Kaspersky.
In these scams, criminals exploit Google Calendar’s default setting, which automatically adds incoming invitations to a user’s calendar and sends notifications for them.
Cyber-criminals reportedly send targets an unsolicited calendar invitation containing a link to a phishing site. A pop-up notification for the invitation appears on the recipient’s smartphone screen, tempting them to tap the link. The site it leads to asks victims to enter their credit card details and some personal information, which go straight to the scammers.
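The invite-with-link pattern described above can be screened before an invitation reaches a mailbox or calendar. As an added example that is not part of the article or Kaspersky’s research, the following Python parses an iCalendar (ICS) invitation and flags one whose organizer is outside a trusted-domain set and whose description or location carries links to yet another host; the ICS sample and all domain names are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a suspicious invite; domains are placeholders, not real indicators.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
METHOD:REQUEST
BEGIN:VEVENT
UID:example-uid-1@example.invalid
ORGANIZER;CN=Prize Desk:mailto:prizes@mailer.example.invalid
SUMMARY:You have received a cash reward
DESCRIPTION:Claim your reward here: http://claim-reward.example.invalid/form
 ?id=42 before it expires.
LOCATION:https://claim-reward.example.invalid/verify
END:VEVENT
END:VCALENDAR
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def unfold(ics):
    """Join RFC 5545 folded lines (continuation lines start with a space or tab)."""
    lines = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_vevent(ics):
    """Return the properties of the first VEVENT, keyed by name with parameters stripped."""
    props, in_event = {}, False
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            in_event = True
        elif line == "END:VEVENT":
            break
        elif in_event and ":" in line:
            name, value = line.split(":", 1)
            props[name.split(";", 1)[0].upper()] = value
    return props

def triage_invite(ics, trusted_domains):
    """Flag an invite from an external organizer that links to a host other than the organizer's own."""
    props = parse_vevent(ics)
    organizer = props.get("ORGANIZER", "").lower()
    organizer = organizer[len("mailto:"):] if organizer.startswith("mailto:") else organizer
    org_domain = organizer.rsplit("@", 1)[-1] if "@" in organizer else ""
    urls = [u for f in ("DESCRIPTION", "LOCATION", "URL") for u in URL_RE.findall(props.get(f, ""))]
    # Links pointing away from both the organizer's domain and any trusted domain are the pattern to act on.
    foreign = [u for u in urls if (urlparse(u).hostname or "") not in set(trusted_domains) | {org_domain}]
    external = org_domain not in trusted_domains
    return {"organizer_domain": org_domain, "external_organizer": external,
            "urls": urls, "foreign_urls": foreign, "suspicious": external and bool(foreign)}
```

A mail or calendar gateway could quarantine or hide invites that score as suspicious instead of letting the auto-add setting place them on the calendar.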
“Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse. Combating spam is a never-ending battle, and while we've made great progress, sometimes spam gets through,” a Google spokesperson wrote in an email*.
“We remain deeply committed to protecting all of our users from spam: we scan content on Photos for spam and provide users the ability to report spam in Calendar, Forms, Google Drive, and Google Photos, as well as block spammers from contacting them on Hangouts. In addition, we offer security protections for users by warning them of known malicious URLs via Google Chrome's Safe Browsing filters.”
“The ‘calendar scam’ is a very effective scheme, as most people have become used to receiving spam messages from emails or messenger apps,” said Maria Vergelis, security researcher at Kaspersky, in a press release.
“But this may not be the case when it comes to the Calendar app, which has a main purpose to organize information rather than transfer it. So far, the sample we’ve seen contains text displaying an obviously weird offer, but as it happens, every simple scheme becomes more elaborate and trickier with time. The good news is that it’s fairly easy to avoid such a scam – the feature that enables it can be easily turned off in the calendar settings.”
Kaspersky advised that turning off the auto-add feature will help to prevent falling victim to the scam. “To do so, open Google Calendar, click the settings Gear Icon, then on Event Settings. For the ‘automatically add invitations’ option, click on the drop-down menu and select ‘No, only show invitations to which I've responded’. Below this, in the View Options section, make sure ‘Show declined events’ is NOT checked, unless you specifically wish to view these,” today’s press release said.
In addition to the Calendar service, scammers are also leveraging Google Photos, sending pictures that detail a large remittance that the recipient can receive if they reply to the email address supplied in the message.
“A photo of a nonexistent check should immediately betray the scammers’ intentions. The check states that some commission fee will unlock a much larger amount. After the victim pays up, the scammers simply vanish into the ether,” researchers wrote.
* June 12, 2019: This article was updated to include comment from Google.