Phishers cast wide net with spoofed Google Calendar invites

Not that you needed another reason to enable the 'known senders' setting


Criminals are spoofing Google Calendar emails in a financially motivated phishing expedition that has already affected about 300 organizations with more than 4,000 emails sent over four weeks, according to Check Point researchers.

The crims modify sender email headers so the messages appear to be legitimate Google Calendar invites sent from someone the victim knows. It's a good lure, from the fraudsters' perspective, because more than 500 million people use Google Calendar.

The phishing emails usually include an .ics calendar file with a link to Google Forms or Google Drawings. Once the recipient clicks on the link, they are prompted to click on another one, which Check Point notes is typically disguised as a reCAPTCHA or support button.

Spoiler alert: it's fake. Once the victim clicks the malicious link, they land on what looks like a cryptocurrency mining or Bitcoin support page. 

"These pages are actually intended to perpetrate financial scams," the threat hunters explained in a blog about the phishing campaign. "Once users reach said page, they are asked to complete a fake authentication process, enter personal information, and eventually provide payment details."

Check Point reached out to Google about the phishing emails, and here's what the tech giant suggested:

"We recommend users enable the 'known senders' setting in Google Calendar. This setting helps defend against this type of phishing by alerting the user when they receive an invitation from someone not in their contact list and/or they have not interacted with from their email address in the past."

The security shop offers its own advice to protect against becoming a victim of this and other phishing campaigns, including taking extra precautions upon receiving event invites with "unexpected" or "unusual steps" and requests – such as completing a CAPTCHA puzzle.

Also, "think before you click." Hover over links and then type the URL into Google rather than just clicking on it. The purpose of most phishes is to trick users into clicking on malicious links or attachments, which then allow the criminals to steal credentials and use those to access sensitive documents, personal information, or financial accounts.

Plus, it's always a good idea to enable two-factor authentication for Google accounts – or any repositories containing sensitive information, really.
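For mail administrators, the lure described earlier (an invite whose .ics file links to Google Forms or Google Drawings) can also be screened for before it reaches anyone's calendar. The following is an added example, not code from Check Point, Google or this article; the host list (including `forms.gle`), the `triage` policy and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: host -> path prefixes that identify Google Forms / Google Drawings links.
LURE_PREFIXES = {"docs.google.com": ("/forms/", "/drawings/"), "forms.gle": ("/",)}
# Backslash is excluded so an escaped "\n" in an iCalendar TEXT value ends the URL.
URL_RE = re.compile(r"https?://[^\s<>\"'\\]+", re.I)

def calendar_texts(msg):
    """Yield the decoded body of every text/calendar or *.ics MIME part."""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/calendar" or name.endswith(".ics"):
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")

def lure_links(ics_text):
    """Unfold RFC 5545 continuation lines, then keep links to Forms or Drawings."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)
    hits = []
    for url in URL_RE.findall(unfolded):
        parts = urlsplit(url.rstrip(".,;)"))
        prefixes = LURE_PREFIXES.get((parts.hostname or "").lower())
        if prefixes and parts.path.startswith(prefixes):
            hits.append(parts.geturl())
    return hits

def triage(raw_email, known_senders):
    """Hypothetical policy: quarantine unknown senders, review known ones (From can be spoofed)."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    links = [u for text in calendar_texts(msg) for u in lure_links(text)]
    if not links:
        return "pass", links
    return ("review" if sender in known_senders else "quarantine"), links

def sample_invite():
    """Constructed sample: base64 .ics attachment whose link is folded across two lines."""
    ics = ("BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Account review\r\n"
           "DESCRIPTION:Verify here: https://docs.google.com/for\r\n"
           " ms/d/e/EXAMPLE/viewform\\nThank you\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")
    m = EmailMessage()
    m["From"] = "Colleague <colleague@example.com>"
    m.set_content("You have been invited to an event.")
    m.add_attachment(ics.encode(), maintype="text", subtype="calendar", filename="invite.ics")
    return m.as_string()
```

Because the campaign forges the sender header, a match from a known address is sent for review rather than passed: `triage(sample_invite(), {"colleague@example.com"})` still reports the folded Forms link.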

Last year alone, the FBI received 298,878 complaints from victims of phishing and/or spoofing, costing victims $18,728,550 in total losses.

The bottom line is these types of social engineering attacks work. They are relatively simple for criminals to pull off, and deliver a hefty return on their investment.

While Google Calendar may be among the latest lures, attackers can and do change their avenues of attack depending on where they are casting for new victims. Don't fall for the bait. ®
