If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more. Please also consider subscribing to WIRED
While software makers and app developers continue to make their wares safer and less open to attack, you can never get complacent with digital security—and you need to be aware of all the different methods of attack that bad actors use to get at your accounts.
Those methods include targeting Google Calendar: An app so basic and everyday, you might never think it could be used to channel malware in your direction. But with millions of users worldwide, and a reliable tech brand name behind it, Google Calendar is a platform hackers and scammers regularly take aim at.
The ways in which Google Calendar can be targeted vary, but there are some common themes across these types of attacks—and some general rules you can abide by to minimize your chances of being caught out.
How Google Calendar Malware Works
The majority of Google Calendar scams involve links to fraudulent websites designed to trick you out of personal details: The classic digital con. These links can either be embedded in Google Calendar event descriptions, or in emails purporting to be Google Calendar invites: In both cases, a lot of care will be taken to make the links appear normal and genuine.
A standard Google Calendar invite comes with links to both the event itself and the list of guests—the event is also included as an .ics file attachment to open in a calendar app. Events themselves, meanwhile, can come with links embedded in the description and files from Google Drive attached. All of these elements can be taken advantage of in some way by bad actors.
Take the recent security vulnerability reported by Check Point as one example: The attack works by spoofing a genuine Google Calendar invite over email. Responding to the invite leads to a reCAPTCHA form or support button—and after that, the intended target is prompted to enter personal details on an official-looking site, details which can then be used to access other accounts or make unauthorized purchases.
Google Calendar invites have been consistently used to try and dupe users, and if you’re in an organization with a lot of meetings and appointments to keep track of, the dangerous ones can easily blend in with the authentic ones. On top of that, hackers may leverage information they have about your company or your contacts to make invites seem more plausible—from the names of executives to the addresses of offices.
Not all attacks involve phishing links. While it was never exploited in the wild, a Remote Access Trojan (RAT) attack was previously built as a proof of concept, using code embedded in Google Calendar event descriptions to take control of a computer over the web. Google has since patched this particular vulnerability, but it shows the variety of different attacks that are possible.
How To Protect Against Google Calendar Malware
Thankfully, Google isn’t sitting back and accepting security vulnerabilities inside its calendar app: Google keeps it regularly updated with new protections against “spam, phishing and malware” in an attempt to stay ahead of new and evolving threats. As always, ensuring you keep your Google Calendar app and web browser up to date is one of the best ways to stay protected against the latest methods of attack.
The usual advice for avoiding phishing attempts and social engineering scams applies here too. Be wary of anything coming into your inbox with a link embedded, even if it seems to come from Google Calendar or someone in your contacts list—and be particularly suspicious of anything out of the ordinary (like a lunch date out of the blue from an ex-colleague who left the company the previous year).
Only following invite links that you’re expecting is a good general rule—you can always check directly with the sender of the invite if you’re not sure—and if you find a link leads you anywhere other than Google Calendar, don’t go any further. Even if you think you are on Google Calendar, double-check the browser address bar to make sure.
In most email clients, you can dig deeper to check the origin of an email: In Gmail on the web, for example, click the three dots in the top right corner of an email and Show original to see the full header information. This should include the full email address the invite has come from, and the sender field should read “calendar-notification@google.com” if it’s an actual Google Calendar invite.
More generally, keeping your Google account protected with two-factor authentication is a must, as is regularly checking the apps and services connected up to your Google account: You can do this by heading to your Google account page on the web and from there choosing Security and See all connections. If there’s anything here you no longer need, like a third-party calendar client, disconnect it.
Read original article on WIRED Read More
