With its growing popularity and central role in managing daily tasks, Google Calendar has become a prime target for cybercriminals. Recently, cybersecurity experts at Check Point revealed a new exploitation method where malicious actors hijack Google tools such as Google Calendar and Google Drawings. The latter manipulate the content of certain emails which appear legitimate because they are directly generated by Google Calendar.
Cybercriminals modify “sender” headers, making it appear that emails were sent via Google Calendar on behalf of a known and authorized person. This malicious campaign has already targeted nearly 300 brands with 2,300 phishing emails detected by cybersecurity researchers in just two weeks.
Threat Summary
As mentioned previously, these phishing attacks exploit the functionality of Google Calendar, integrating links that redirect users to malicious Google Forms.
However, with better detection of malicious Google Calendar invitations by security solutions, cybercriminals have adjusted their strategy by exploiting the features of Google Drawings to continue their attacks.
Motivations of cybercriminals
The goal of these attacks is to manipulate users into clicking on links or downloading malicious attachments. This way, cybercriminals can then steal sensitive, personal or professional data.
This information, disclosed completely unintentionally, is quickly exploited by cybercriminals. They allow them to carry out credit card fraud, unauthorized transactions and other similar illicit activities. Furthermore, this data can be used to bypass the security measures of other accounts and thus expose the victim to more risks and even more serious consequences.
For businesses and individuals alike, this type of cyberattack can cause significant stress and have lasting repercussions, both financially and psychologically.
Attack Execution Techniques
As mentioned above, initial emails often contain a link or calendar (.ics) file to Google Forms or Google Drawings.
Users are then tricked into clicking another link, usually disguised as fake reCAPTCHA or help buttons.
After clicking on the link, they are redirected to a page that looks like a cryptocurrency mining platform or bitcoin-related support page.
But in reality, these pages are designed to orchestrate financial scams. Once on the page, users are tricked into going through a fake authentication process, disclosing personal information, and providing banking or payment details.
The phishing campaign described below begins with an email sent via Google Calendar. The majority of these emails precisely mimic the format of official calendar notifications, while some adopt a custom format, designed to better deceive recipients:
If the invitations come from known contacts, the user is more likely to fall for the trap, especially since the rest of the interface seems perfectly normal and believable.
Block this attack
Businesses that want to protect their users against these types of attacks and other similar threats should consider the following recommendations:
Advanced email security solutions. Solutions such as Harmony Email & Collaboration, for example, offer effective protection against phishing attempts, even when leveraging popular platforms like Google Calendar or Google Drawings. These tools incorporate sophisticated features including in-depth attachment scanning, URL reputation checking, and anomaly detection using artificial intelligence.
Carefully monitor the use of Google-related third-party applications. Choose cybersecurity tools that can detect suspicious activity on these applications and alert your business in real time.
Create strong authentication mechanisms. To strengthen security, one of the key measures is to deploy multi-factor authentication (MFA) to all business accounts. This approach helps ensure a higher level of security by making unauthorized access more difficult, even if credentials have been compromised.
Additionally, it is essential to deploy behavioral analysis tools that can identify unusual login attempts or suspicious activities, such as browsing to cryptocurrency-related sites.
For individuals concerned about protecting their personal inbox against these scams, here are some practical recommendations to follow.
Beware of fake invitations: If an invitation contains unusual information or asks you to take special steps you’re not used to like filling out a CAPTCHA, don’t respond.
Carefully analyze the content of messages received: take the time to think before clicking on a link. To check the URL, hover over it and check its destination. If possible, enter the URL directly into your browser or search for it on Google to access the site safely.
Enable two-factor authentication (2FA): For Google accounts and any other repositories of sensitive information, this measure adds an extra layer of security. Even if credentials are compromised, 2FA can prevent cybercriminals from accessing the affected account.
When asked about these attacks, Google said: “We advise users to enable the known senders setting in Google Calendar. This option protects users from this type of phishing and flags any invitation from someone who is not in their contact list or with whom they have never exchanged emails before. »
