Scammers Abuse Google Calendar to Target Gmail Users
Last month, researchers from Kaspersky saw 'multiple cases' of hackers trying to trick people into parting with their financial information. Judging by the screenshots Kaspersky published, the attack is mostly targeted at Russian-speaking Gmail users, and it must be said that the scam is not that remarkable.
The crooks tell you that, for reasons that remain unclear, you are entitled to a cash prize. All you need to do to claim it is to follow a link and enter your credit card details. In some cases, the scammers lie that they will use the card details in order to send you the money. In others, they say that you first need to pay a transfer fee. As you might imagine, if you believe them, you won't get any money at all, and they will end up with your credit card data.
Not exactly the bleeding edge of sophistication, you have to agree. In fact, the scenario is one step away from the colorful "Congratulations! You are the 1 millionth visitor on this page, and you have won a prize!" popups from years gone by. Why, then, did Kaspersky bother with this particular scheme at all?
The answer is simple – it was delivered in a rather clever way.
Cybercriminals abuse Google Calendar to spread spam
For years, scams of a similar nature have propagated with the help of email messages. In this day and age, however, the filters are likely to catch quite a lot of the spam, which means that tricking a large number of people out of their credit card details is not as easy as it used to be. The crooks have found their way around it, though. They are abusing Google's Calendar.
Calendar is one of the free web applications that you automatically get with your Google account, and it's arguably one of the most useful ones. For those of you unfamiliar with it, it gives you the ability to, among other things, create events and set reminders and notifications about them. Crucially, you can invite other Google users to your events, regardless of whether you know them or not. All you need is their Gmail addresses.
The crooks Kaspersky talked about knew this, and they took full advantage of it. To spread their bogus messages, they simply created Google Calendar events, and they invited a large number of Google users. The invitations popped up in the targets' inboxes, and because they were automatically generated by Google's internal systems, they were not screened by the spam filters.
The consequences could be significant
Although it's happening way too slowly, users are becoming more and more aware of the dangers that surround them. Fewer and fewer of them, for example, are likely to open an email sent by a stranger, which is not good news for the cybercriminals. When the email comes from a legitimate Google service like Calendar, however, things are a little bit different, and if the crooks create a more believable scenario, they could end up with a rather successful scam operation.
Kaspersky's experts said that you can modify some settings and avoid seeing the fraudulent invitations. To do that, open https://calendar.google.com/, click the Gear icon in the top-right corner, and select "Settings". Go to "Event settings", and from the "Automatically add invitations" drop-down menu, select "No, only show invitations to which I have responded". You also need to make sure that the "Show declined events" checkbox is not selected.
That way, the invitations won't appear unless you approve them. The experts do warn, however, that with this configuration, you might also miss events that are of genuine interest to you. Even if you are willing to deal with this, you should treat every single invitation the way you treat emails – with a healthy dose of proverbial salt.