Update, Dec. 18, 2024: This story, originally published Dec. 17 now includes a new attack warning from Check Point researchers about an ongoing threat that is targeting Google users via Calendar, Drawings, Gmail and Forms.
Security threats surrounding Google applications, specifically Gmail and Calendar, are never far from the headlines, and for good reason: these platforms are a prime target for cybercriminals and hackers. But what are the latest threats you must be aware of, and how are they best mitigated? The latest, as revealed by Check Point security researchers, is using a combination of Google Calendar, Drawings, Forms and Gmail in the attack methodology. Here’s everything you need to know to stay safe.
Check Point Researchers Warn Of Ongoing New Google Calendar Attack
Check Point has just published a report into a new Google Calendar notification attack that has been found bypassing email security policies. The attackers would appear to be determined to use the new attack methodologies uncovered by the researchers, with 2,300 attacks in a single two-week period, according to Check Point. This may not sound like a big deal, given that Google Calendar is used by 500 million people across 41 countries, but all attacks have to start somewhere, and this should not be a reason to dismiss the methods being employed by these threat actors. “Cyber criminals are modifying sender headers,” Check Point researchers said, “making emails look as though they were sent via Google Calendar on behalf of a known and legitimate individual.” So far, at least 300 brands have been impersonated by the attackers in their drive to “phish” their victims.
These attacks initially exploited the user-friendly features that are so useful to Google Calendar users to link to malicious Google Forms. However, the researchers said that “after observing that security products could flag malicious Calendar invites,” the attackers have evolved their methodology to “align with the capabilities of Google Drawings.” Once at the form or drawing endpoint, another link is presented, often a fake reCAPTCHA or support button. The end goal is the same: payment fraud.
Google Calendar Security Cyber Attacks—Change Gmail Options To Mitigate
A recent alert from Stu Sjouwerman, the chief executive officer and founder of human risk management specialists KnowBe4, warned of an ongoing attack campaign that is targeting Google users by way of the abuse of Google Calendar invites. “Attackers only need your Gmail address to send you an invite,” Sjouwerman said, “and the event will be placed in your calendar by default.” This is far from the first time that such tactics have been used by threat actors. Indeed, I have written about just such abuse of Google Calendar invites at Forbes.com for some years now. However, it’s worth reading a Popular Science report referenced by Sjouwerman to get up to date with the latest threat tactics.
Mitigating these attacks is relatively simple, according to Sjouwerman: head to the Google Calendar settings and the event settings, switch the automatically add invitations option to only show invitations to which I have responded. That’s step one. Step two involves going to the events from Gmail option and unchecking automatically add events from Gmail to my calendar. Doing so will, however, impact functionality as genuine automatic invites will also be disabled. It’s that old choice between usability and security again; only you can decide which takes priority.
The calendar spam on display in the recent campaigns is annoying but generic phishbait,” Sjouwerman said, warning that “it’s easy to imagine how this technique could be used in more targeted and sophisticated attacks.”
Google advises users with an eligible Google Workspace subscription can use email verification for appointment schedules to prevent unwanted appointments. “You can ask guests to verify their email address before they schedule an appointment in Google Calendar” Google said, “This is only required for users who aren’t signed in to a Google Account.” More information regarding Google Calendar privacy options can be found here.
“We recommend users enable the known senders setting in Google Calendar,” a Google spokesperson said, “This setting helps defend against this type of phishing by alerting the user when they receive an invitation from someone not in their contact list and/or they have not interacted with from their email address in the past.”
Similar warnings have recently been made about ClickFix attackers using fake Google Meet pages, so the interactive meetings attack surface is certainly opening up and something to be aware of.