Phishing alert for Google Calendar

(DATA DOCTORS) -- Google's suite of productivity tools is estimated to have over 1.5 billion users, with Gmail and Google Calendar being the most popular tools. A convenience feature within these tools was recently shown to be an effective way to trick users into clicking on dangerous links.

Q: Should I now be concerned about using Google Calendar?

A: By default, events can be added to Google Calendar from an email with event details, such as dinner reservations or an upcoming flight. Events can also be added when someone else includes you in an event that they created, even if they don't send you an email invitation.

The danger

Phishing

Most users are reasonably aware of phishing, the use of fake email messages as a way of getting your personal information through malicious links.

But if you find a strange event in your calendar that includes a link to learn more or prepare for a meeting, it's not something most users think critically about.

Black Hills Information Security, a cybersecurity firm, provided a detailed explanation of how they discovered this potential risk and how it works.

They stumbled upon the "event injection" problem when one of their employees found a calendar event that was added to his calendar without his knowledge. It came from another employee's email sharing their upcoming travel plans.

To explore how this could be used maliciously, Black Hills Information Security created a calendar event that appeared to be from the CEO of a company announcing an "All Hands Meeting" that was happening in 10 minutes and then sent it to the employees.

The invitation included a link with a description that read: "This is a mandatory company-wide meeting to review some recent changes to policy. Please review the following agenda prior to the meeting."

The invitation included a link to a malicious fake Google authentication page, which the security team found to be highly successful in tricking users.

Blocking automatic calendar events

The best way to avoid being scammed in this way is to change the default setting in Google Calendar.

Events from Gmail

Start by clicking on the gear icon in the upper right corner. Click on "Settings" in the dropdown menu and then "Events from Gmail" on the left side of the page. Remove the checkmark from "Automatically add events from Gmail to my calendar."

Warning: Changing this setting will also remove previously added events from Gmail, which means some past or future events that you might want to keep will be gone. It's a good idea to print out calendar events, especially future events, so you can compare after you make the change.

Google Calendar Event settings

The next setting to change is the one that allows invitations to be automatically added to your calendar. Do that in the "Event settings" menu. Change the "Automatically add invitations" setting to "No, only show invitations to which I have responded."

Black Hills pointed out that given the proper tools, a malicious invitation can still bypass this setting, so until Google updates how this feature works, be diligent and be wary of anything you don't recognize appearing in your calendar.

Those responsible for internet security should be warning all of their users of this potentially new way of being "phished" to help reduce the chances of being exploited.

Copyright 2019 KPHO/KTVK (KPHO Broadcasting Corporation). All rights reserved.