Detail of a calendar page with dates

Phishers make a date with your calendar apps

Calendars are a rich source of bad behaviour for scammers and spammers. They’re one of the most prolific tools the workplace has for collaborative actions and general cross-purpose messaging. They’ve been misused by bad actors for many years now, most commonly spamming unwary potential victims and leading them to bad times ahead.

A brief history of calendar connivances

Scammers abuse pretty much any beneficial feature you can think of in order to get the job done. In 2016, Mac spammers made use of the ability to suggest events found in other apps. They also fired calendar invites to people’s iCloud addresses, meaning the spam would hit the calendar and the notification center.

In 2021, iPhone calendar spam was on the upwith fake infection/pornographic spam giving device owners major headaches. Bogus CAPTCHA spam and redirects to device cleaning tools were less than appreciated.

Just this year, we had something resembling an update to the tried and tested calendar methods with comment spam in shared Google documents.

These tactics have been around for many years. Witness 419 scammers misusing Google calendar invites in 2011, or even using Yahoo! Calendar to spamin 2009. If there’s a calendar with any form of sharing functionality, you can bet someone will be along shortly to post invites you don’t need. What’s the latest in unwanted calendar spam messaging land?

Calendar app spam leads to phishing pages

Many tools use calendar apps/plugins for additional features and functionality. Calendly is one such app which provides Zoom integration, website embedding, and more. It’s free and easy to sign up which means scammers will try to abuse it however they can.

According to Bleeping Computer, it’s been abused to send phishing missives. The example given shows a supposed fax message which claims “You have received a new fax document”. It also lists page count, size, and a clickable link to preview the document in question.

The landing page for these links is a blurred document with a bogus Microsoft login popup box which claims “only recipient email can access shared files”. It also has potential victims enter details twice, presumably to make sure they’re definitely entering usable credentials.

The phish routine ends with that time honoured process of redirecting the phished individual to a real website afterwards. This is to make them think there’s nothing untoward going on, unaware that they’ve handed over login details to a faker.

Dodging bogus calendar invites

This is, of course, a very bad and sneaky thing to do. While some folks may be aware of more general spam and nonsense sent their way via Google Calendar, they might not suspect the same thing can happen via other platforms. As Bleeping Computer notes, a password manager with login functionality will help as the mismatch in URLs means login details will stay safely tucked away from harm’s reach.

It’s also possible the slightly unnatural approach to “document” sending may work against the spammers here. Do people typically send you important documents by email, or by third party calendar app messaging? If it’s the former, and it likely is, then this should be enough to set alarm bells ringing.

As with all these attacks, the key is to remain calm. Don’t rush to open the document. Check who it claims to be from. Is it a stranger? Or someone you know? If it’s someone you know, it’s time to do some outreach and double check if the document is what it appears to be. Last but not least, make use of any available security/privacy features your calendar may possess. It could be the difference between a clutter free week ahead or days of skipping through rogue invitations.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.