While software makers and app developers continue to make their wares safer and less open to attack, you can never get complacent with digital security—and you need to be aware of all the different methods of attack that bad actors use to get at your accounts.
Those methods include targeting Google Calendar: An app so basic and everyday, you might never think it could be used to channel malware in your direction. But with millions of users worldwide, and a reliable tech brand name behind it, Google Calendar is a platform hackers and scammers regularly take aim at.
The ways in which Google Calendar can be targeted vary, but there are some common themes across these types of attacks—and some general rules you can abide by to minimize your chances of being caught out.
How Google Calendar Malware Works
The majority of Google Calendar scams involve links to fraudulent websites designed to trick you out of personal details: The classic digital con. These links can either be embedded in Google Calendar event descriptions, or in emails purporting to be Google Calendar invites: In both cases, a lot of care will be taken to make the links appear normal and genuine.
A standard Google Calendar invite comes with links to both the event itself and the list of guests—the event is also included as an .ics file attachment to open in a calendar app. Events themselves, meanwhile, can come with links embedded in the description and files from Google Drive attached. All of these elements can be taken advantage of in some way by bad actors.
Take the recent security vulnerability reported by Check Point as one example: The attack works by spoofing a genuine Google Calendar invite over email. Responding to the invite leads to a reCAPTCHA form or support button—and after that, the intended target is prompted to enter personal details on an official-looking site, details which can then be used to access other accounts or make unauthorized purchases.
Google Calendar invites have been consistently used to try and dupe users, and if you’re in an organization with a lot of meetings and appointments to keep track of, the dangerous ones can easily blend in with the authentic ones. On top of that, hackers may leverage information they have about your company or your contacts to make invites seem more plausible—from the names of executives to the addresses of offices.
