It’s so easy to carelessly click on something that looks either normal or interesting and suddenly wind up with serious problems. The first article deals with malicious invitations within Google Calendar, the second with pictures in Gmail that can lead you astray.
Way back in 2017, two researchers at Black Hills Information Security disclosed how a vulnerability in the Google Calendar app was leaving more than a billion users open to a credential-stealing exploit. Google apparently didn’t fix this at the time as it would have caused “major functionality drawbacks” for Calendar users, despite those researchers demonstrating how they had weaponized the vulnerability at the Wild West Hackin’ Fest. Fast-forward to June 11, 2019, and I reported how the vulnerability was still putting 1.5 billion Gmail users at risk. A Google spokesperson responded to my story by insisting that “Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse.” That statement went on to say that Google offers “security protections for users by warning them of known malicious URLs via Google Chrome’s Safe Browsing filters.” Now, it seems, Google is finally taking this security problem somewhat more seriously.
How does the Google Calendar attack work?
Gmail users are finding themselves on the wrong end of a sophisticated scam which leverages misplaced trust through the use of malicious and unsolicited Google Calendar notifications.
Google Calendar allows anyone to schedule a meeting with you, and Gmail is built to integrate tightly with this calendaring functionality. Combined, these two facts hand a threat actor a non-traditional attack vector that sidesteps the growing awareness among average users of the danger of clicking unsolicited links.
When a calendar invitation is sent to a user, a pop-up notification appears on their smartphone. The threat actors craft their messages to include a malicious link, leveraging the trust that user familiarity with calendar notifications brings with it. Those links can lead to a fake online poll or questionnaire with a financial incentive to participate and where bank account or credit card details can be collected.
It’s wrong to think of this as just being spam, as Google appears to want to classify it, or for that matter just another phishing scheme. “Beyond phishing, this attack opens up the doors for a whole host of social engineering attacks,” Javvad Malik, security awareness advocate at KnowBe4, said when I wrote that first report. Malik told me that to gain access to a building, for example, an attacker could use a calendar invite for an interview or a building maintenance appointment which, he warned, “could allow physical access to secure areas.”
Now, it would appear, Google is finally taking this threat methodology somewhat more seriously. In a posting to the Google Calendar Help Community forum, Lesley Pace, a Google Employee, states that “We’re aware of the spam occurring in Calendar and are working diligently to resolve this issue. We’ll post updates to this thread as they become available.”
Although I am sad that Google is still referring to this as a spam issue, rather than explicitly a security one, at least it shows that Google not only confirms there is a problem after all but also that it is committed to fixing it.
That same posting included a link to “learn how to report and remove spam,” which is worth reading as it contains hands-on advice for every Google Calendar user who is concerned about getting caught out by this particular attack. Which, in my never humble opinion, should be every Google Calendar user.
This includes delving into Calendar settings and changing the “Event” configuration from “Automatically add invitations” to “No, only show invitations to which I have responded.” Users are also advised to remove the automatic adding of events function from Gmail by configuring the “Events from Gmail” option so that the “Add automatically” box is unchecked.
If you are a user of calendar services from Apple or Microsoft, then there are similar issues that need resolving. Some good advice for Apple Calendar and Microsoft Calendar (via Web/Outlook Web Access) can be found courtesy of security awareness specialists PhishingTackle.
Google responds to this article
“Spam calendar invitations can include both unwanted and malicious content that deceive users similar to spam email,” a Google Cloud spokesperson says, “we are not aware of any security bugs due to the software itself. As such, it would be misleading to characterise this as a technical security vulnerability. Google is constantly improving our ability to keep unwanted and malicious content from our users.”
However, Beau Bullock and Michael Felch, the security researchers from Black Hills who first disclosed the problem in the “Google Calendar Event Injection with MailSniper” report published November 1, 2017, refer to this as an “event injection vulnerability.” The researchers showed, for example, how it was possible to circumvent the “No, only show invitations to which I have responded” calendar setting by changing the target’s response status to “Accepted” using the Google API.
One thing I hope we can all agree on is the fact that this goes beyond the realm of just “spam” and crosses into pure security issue territory. Threat actors can use this method to send invites with malicious intent, leveraging the trust that a calendar invite brings to the party as opposed to an unsolicited email. Users are becoming increasingly aware of the need to be suspicious of links in unsolicited emails; the same cannot be said of calendar invites.
Updated September 10: This article has been updated with advice for Apple and Microsoft users facing similar problems.
Updated September 11: This article has been updated to include a statement from Google along with my response.
This Gmail trick keeps spammers from tracking you
Google’s mail service blocks and scans images for suspicious content before you see them.
If you’ve ever accidentally or curiously clicked on a spam image when looking through your Gmail messages, there is a good chance you’ve been tracked by spammers. Google addressed this years ago with a setting for Android that it recently added for iPhone, too. Turn it on and it stops content such as images from automatically loading when you open an email. The setting also keeps unsolicited email from tracking you, which can help protect you from spammers. Plus, it’ll help load your emails faster.
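To show what the setting above actually prevents, here is an added example (not code from the original article or from Google) that parses an email and lists every image the mail client would fetch from a remote server when it renders, flagging the 1x1-with-token pattern typical of tracking pixels. The sample message, hostnames and token are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message, not a real capture. The second <img> has the
# shape of a tracking pixel: remote host, 1x1, per-recipient token in the URL.
SAMPLE_EMAIL = """\
From: promo@example.net
To: recipient@example.com
Subject: Your exclusive offer
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="cid:logo@example.net" alt="logo">
<img src="https://track.example.net/o.gif?r=a1b2c3d4" width="1" height="1">
<img src="http://cdn.example.net/banner.jpg" width="600" height="200">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def html_body(msg) -> str:
    # Concatenate the decoded text/html parts of a parsed message.
    return "".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_type() == "text/html"
    )


def external_images(raw_email: str) -> list:
    """One record per image fetched from a remote server when the mail renders."""
    collector = ImgCollector()
    collector.feed(html_body(message_from_string(raw_email)))
    found = []
    for attrs in collector.images:
        src = attrs.get("src", "").strip()
        url = urlsplit(src)
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images travel with the mail; no request reaches the sender
        # Heuristic: a 1x1 image carrying a query string exists only to be fetched.
        pixel = attrs.get("width") == "1" and attrs.get("height") == "1" and bool(url.query)
        found.append({"url": src, "host": url.hostname, "tracking_pixel": pixel})
    return found
```

Each record is a request the sender's server would log the moment the message is opened with images set to load automatically; with “Ask before displaying external images” enabled, none of them is made until you choose to display them.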
Here’s how to disable images in Gmail from automatically opening on your phone.
Block external images on iPhone
1. On your iPhone, open the Gmail app.
2. In the top left, tap the three-line hamburger menu.
3. Select Settings from the menu.
4. Tap your Gmail account at the top.
5. Select Images.
6. Choose Ask before displaying external images.
7. When you open an email that contains images, they’ll be hidden. If you want to see them, tap Display images.
You can change this setting at any time by switching back to the Always display external images setting.
Block auto-loading images on Android
1. On your Android phone or tablet, open the Gmail app.
2. In the top left, tap the three-line hamburger menu.
3. Tap Settings and select your Gmail account.
4. Under the Data usage category, tap Images.
5. Tap Ask before showing.
6. When you open an email that contains images, they’ll be hidden. If you want to see them, tap Show pictures.
You can change this setting at any time by switching back to the Always show setting.