No, You Aren’t Being Invited to Win a New Car. That’s Spam on Your Calendar

Ryan Seguin

By abusing the automatic event creation feature of integrated email calendars, spammers are finding ways to send you malicious links that are harder to ignore.

Background

In June, researchers at Kaspersky wrote a detailed blog post about phishing tactics involving calendar invite spam, wherein a spammer can automatically add events to your personal calendar, with no interaction on your part, simply by sending you an invitation. All the spammer needs is your email address, either from a stolen or auto-generated list. This isn’t a vulnerability; it’s a function of your calendar working as intended.

Analysis

You are likely already familiar with seeing new events pop up on your calendar as coworkers send invitations to new meetings, regardless of whether or not you’ve seen the email that triggered the invite. This is a feature that calendar apps have enabled by default to make team collaboration swift and efficient. It’s also enabled across both business and personal accounts for all integrated calendars by default. This feature is also becoming more popular with attackers, who are using it for malicious purposes.

As Brian Krebs pointed out in his own blog:

“Calendar invites from spammers run the gamut from ads for porn or pharmacy sites, to claims of an unexpected financial windfall or ‘free’ items of value, to outright phishing attacks and malware lures. The important thing is that you don’t click on any links embedded in these appointments. And resist the temptation to respond to such invitations by selecting ‘yes,’ ‘no,’ or ‘maybe,’ as doing so may only serve to guarantee you more calendar spam.”

Solution

Google is working on a solution for Google Calendar. In the meantime, we strongly advise educating staff to be vigilant and refrain from clicking on unsolicited links. Scammers are banking on the fact that users are likely to be enticed by their messages and will click on the malicious links.

Exchange admins have full control over calendar settings and can ensure that spam invites aren’t automatically added to a user’s calendar, reducing the risk of unwitting clicks on malicious links. Managing this setting should sync with Outlook users within your organization.

Since Apple Calendar doesn’t offer an enterprise version, individual users must manage the settings on their own devices.

Note: Black Hills published a blog in 2017 that details a bypass in Gmail they call MailSniper that ignores user’s attempts to block automatic invites. At the time of publication it seems that Google has yet to fix this flaw.

Identifying affected systems

Because many modern calendar applications are cloud based with little direct organizational control over specific user permissions, the only way we’ve found for an organization to maintain control over user settings against spam is through Exchange Server administration.

As with Apple Calendar, G Suite-dependent organizations must rely on user education to mitigate risk. At present there is no option in the G Suite to manage user calendar settings beyond simple sharing permissions.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

Read more >

Published on Sep 11, 2019

People also viewed

Business Cost Analyst - Cloud Infrastructure

San Jose California United States E Santa Clara St., San Jose, California, United States, 95113 Engineering Engineering
Your Role:Tenable is seeking a Business Cost Analyst of Cloud Infrastructure with strong MS Excel experience to assess, analyze and compile current costs and potentially determine initiatives to reduce and improve our cloud infrastructure cost for...

Professional Services Engagement Manager

Singapore Singapore Singapore North Bridge Road, Parkview Square, Singapore, 188788 Professional Services Professional Services
Your Role:The Professional Services Engagement Manager assists in the professional services business development and oversees the delivery of projects. The Professional Services Engagement Manager’s roles include tactical project management oversi...

UX Designer

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Engineering Engineering
Your Role:Tenable is looking for an extraordinary Senior UX Designer to join our team. Our group is chartered with creating the next generation of security products while at the same time pioneering unprecedented user experience in the digital sec...

Commercial Territory Manager - West

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Sales Sales
Your Role:The Commercial Territory Manager will meet and exceed quarterly sales quota by developing new opportunities within specific geographical territory.  Researching and identifying potential accounts; outbound cold calling to soliciting new ...

Senior Software Engineer (Java & Kotlin)

San Jose California United States E Santa Clara St., San Jose, California, United States, 95113 Engineering Engineering
Your Role:Tenable is looking for a Senior Software Engineer to join the Lumin product development team. As a Sr. Software Engineer you will drive projects end-to-end, collaborate on product requirements with Product Managers, architect and impleme...

Public Sector Channel Manager - Distribution

Reston Virginia United States Reston, Virginia, United States Channel Sales Sales
Your Role:The Public Sector Channel Manager-Distribution is responsible for establishing and managing relationships with the Distribution Partner(s).  The CM-Disty will act as a sales liaison between distributor and Tenable Channel Manager personn...

We have big plans for continued global growth, and we’re looking for people who are creative, flexible and dedicated to helping us build something great – something that matters.