This Google Calendar "Feature" Exposes You to Elaborate Phishing Attacks

Many of us use Google services and one of our favorites is probably the Google Calendar. The Google Calendar is an integral part of my daily life. I use it to track appointments I have and my family members also share a family calendar to indicate which days we are available.


The Google Calendar is smart and tightly integrated with your Gmail. You might have noticed that the calendar picks up events that are sent to your email and adds them to your calendar automatically. You will even be notified about them. This is a very useful feature for travel itineraries that airlines send to your mailbox.

However, did you know that your calendar will also include invitations that you did not accept? Researchers from Black Hills Information Security found that an event can be added to someone's calendar without sending an email. Go take a look at the article. It shows step by step how to send an invitation without sending an email and have it added to someone's calendar.

With this "feature", it becomes relatively easy to send a victim a fake event containing a phishing link. A notification may appear (depending on the calendar settings) on the victim's phone when the fake event is about to "start". An unsuspecting victim might then click on the link for the event and trigger the first step of a phishing attack. Sometimes, clicking on a link is all it takes for a successful compromise.

While one might argue that this is just like any other email phishing attempt, I beg to differ. Many people are now more vigilant when it comes to opening a link from an email. However, the Google Calendar notification opens up a totally different attack vector. When someone sees an event being prompted, he/she might think that it is an important event that is being missed. It is only natural for the person to click on the link to find out more. Hence, such an attack might be especially effective. This is particularly true for busy people whose calendars are cluttered with various events.

Though this potential attack was found in 2017, it was recently reported again by a Forbes contributor. The contributor went on to contact Google, but they replied with a politically correct statement, as follows:

Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse. Combating spam is a never-ending battle, and while we've made great progress, sometimes spam gets through. We remain deeply committed to protecting all of our users from spam: we scan content on Photos for spam and provide users the ability to report spam in Calendar, Forms, Google Drive, and Google Photos, as well as block spammers from contacting them on Hangouts. In addition, we offer security protections for users by warning them of known malicious URLs via Google Chrome's Safe Browsing filters.

In other words, Google is not going to do anything about it.

So what can we do to protect ourselves from such attacks? The best way is to prevent unsolicited event invitations from showing up on our calendar. There is a setting in Google Calendar that lets us choose whether an invitation is added to the calendar automatically. I think the default setting is "Yes, but don't send event notifications unless I have responded Yes or Maybe". This is a good enough setting, but it still allows the invitation to appear on your calendar. The safer setting would be a flat "No".
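
One way to check whether such invitations are already sitting on a calendar, as an added example that is not part of the original article: the Python code below scans a calendar exported in iCalendar (.ics) format for events you never responded to that carry links. The sample data, email addresses and function names are constructed for illustration, and it assumes your export lists you as an ATTENDEE with a PARTSTAT parameter.

```python
import re

# Constructed sample export in iCalendar (RFC 5545) format; not real data.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Family dinner\r\n"
    "ATTENDEE;PARTSTAT=ACCEPTED:mailto:me@example.com\r\n"
    "DESCRIPTION:Menu at https://example.com/menu\r\n"
    "END:VEVENT\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Account verification required\r\n"
    "ORGANIZER:mailto:unknown@example.net\r\n"
    "ATTENDEE;ROLE=REQ-PARTICIPANT;PARTSTAT=NEEDS-ACTION;CN=me@exa\r\n"
    " mple.com:mailto:me@example.com\r\n"
    "DESCRIPTION:Confirm here: https://login.example.net/verify\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)
URL_RE = re.compile(r"https?://[^\s\\,;\"<>]+", re.I)

def parse_events(ics_text):
    """Yield each VEVENT as (name, params, value) tuples; assumes no quoted param holds ':'."""
    text = re.sub(r"\r?\n[ \t]", "", ics_text)  # unfold RFC 5545 continuation lines
    event = None
    for line in text.splitlines():
        if line == "BEGIN:VEVENT":
            event = []
        elif line == "END:VEVENT" and event is not None:
            yield event
            event = None
        elif event is not None and ":" in line:
            head, value = line.split(":", 1)
            name, _, params = head.partition(";")
            event.append((name.upper(), params.upper(), value))

def unanswered_with_links(ics_text, my_email):
    """Return (summary, organizer, urls) for link-bearing invitations never answered."""
    me, findings = "mailto:" + my_email.lower(), []
    for ev in parse_events(ics_text):
        # An ATTENDEE without PARTSTAT defaults to NEEDS-ACTION (RFC 5545).
        pending = any(n == "ATTENDEE" and v.lower() == me and
                      ("PARTSTAT=" not in p or "PARTSTAT=NEEDS-ACTION" in p) for n, p, v in ev)
        urls = [u for n, _, v in ev if n in ("DESCRIPTION", "LOCATION", "URL")
                for u in URL_RE.findall(v)]
        if pending and urls:
            fields = {n: v for n, _, v in ev}
            findings.append((fields.get("SUMMARY", ""), fields.get("ORGANIZER", ""), urls))
    return findings
```

Each finding is an event worth reviewing by hand before touching its link; the accepted "Family dinner" event in the sample is not reported even though it contains a URL.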


Personally, I am leaving the setting as default and that will be good enough. Ultimately, we just have to be careful with the links we click on, right? :) Thanks for reading and stay safe!




This article is created on the Steem blockchain. Check this series of posts to learn more about writing on an immutable and censorship-resistant content platform:
