New Google Calendar notification attack could be hiding in your inbox — here's how to protect yourself


Check Point security researchers are warning millions of Google users this week about a new attack method that uses a combination of Google Calendar, Drawings, Forms and Gmail in an attempt to phish users and bypass email security policies.

As reported by Forbes, attacks using this method have been employed roughly 2,300 times over the course of a two-week period. The threat actors behind them started by modifying sender headers to make emails appear as though they were sent through Google Calendar from a known and legitimate individual. Initially, this method exploited the features within Google Calendar to link to malicious Google Forms; it then evolved to use the capabilities of Google Drawings after it was realized that security products were able to flag these malicious calendar invites.

In the malicious Form or Drawing, another link is presented, often a fake reCAPTCHA or support button. Either way, the end goal is always payment fraud. At least 300 brands so far have been impersonated by hackers in this manner in attempts to phish victims.

Stu Sjouwerman, CEO and founder of human risk management specialists KnowBe4, warned of an ongoing attack campaign targeting Google users by way of Calendar invites, saying: “Attackers only need your Gmail address to send you an invite and the event will be placed in your calendar by default.”

In a report written back in 2019, Sjouwerman details these kinds of attacks; fortunately, mitigating them is simple enough.

How to stay safe

Simply head to the settings menu in Google Calendar and switch the option to automatically add invitations to “only show invitations to which I have responded.” Then, go to the events option in Gmail's settings and uncheck “automatically add events from Gmail to my calendar” – however, be forewarned this will also disable legitimate events.

Google advises those with a Google Workspace subscription to use email verification for appointment schedules to prevent unwanted meetings. This way you can ask guests to verify their email address before they schedule an appointment in Google Calendar. Google also recommends users enable the known senders setting within Google Calendar, which helps defend against this type of phishing attack by alerting the user when they receive an invitation from someone who is not in their contact list or someone they have not interacted with from their email address in the past.
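For mail administrators who want to apply the same idea to stored messages, here is an added example (not code from Check Point, Google or this article) that flags a calendar invite when it links to a Google Form or Drawing and the sender is not on a known-senders list. The `docs.google.com` path prefixes, the function name `triage_invite` and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: Forms and Drawings links live under these docs.google.com paths.
SUSPECT_LINK = re.compile(r"https://docs\.google\.com/(?:forms|drawings)/[^\s<>]+", re.I)

# Constructed sample message (not a real capture); the URL is folded across
# two lines the way iCalendar folds long property values.
SAMPLE = "\r\n".join([
    "From: Known Colleague <billing@vendor.example>",
    "To: user@example.com",
    "Subject: Invitation: Account review",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/calendar; charset=utf-8; method=REQUEST",
    "",
    "BEGIN:VCALENDAR",
    "BEGIN:VEVENT",
    "ORGANIZER;CN=Support:mailto:billing@vendor.example",
    "DESCRIPTION:Confirm here https://docs.google.com/drawings/d/",
    " CONSTRUCTED-ID/preview",
    "END:VEVENT",
    "END:VCALENDAR",
    "--b1--",
    "",
])

def triage_invite(raw_message, known_senders):
    """Report invite links to Forms/Drawings and whether the sender is known."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    findings = {"sender": sender, "known_sender": sender in known_senders,
                "has_invite": False, "organizer": None, "links": []}
    for part in msg.walk():
        if part.get_content_type() != "text/calendar":
            continue
        findings["has_invite"] = True
        raw = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        ics = re.sub(r"\r?\n[ \t]", "", raw)  # undo iCalendar line folding first
        m = re.search(r"^ORGANIZER[^:\r\n]*:mailto:(\S+)", ics, re.I | re.M)
        if m:
            findings["organizer"] = m.group(1).lower()
        findings["links"] += SUSPECT_LINK.findall(ics)
    findings["flag"] = (findings["has_invite"] and not findings["known_sender"]
                        and bool(findings["links"]))
    return findings
```

Because this campaign modifies sender headers to imitate a known individual, the `links` list is worth reviewing even when `known_sender` is true.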

Additionally, when protecting yourself from common phishing attacks, best practices still apply: the easiest way to stay safe from phishing is to avoid clicking on any email or message from an unknown sender. Also, make sure you know the policies for your company and double-check the sender’s email address: is this a regular known source or person?

You also want to make sure you’re using one of the best antivirus software options and that it’s kept up to date. Likewise, when picking an antivirus, see if you can get a security suite that includes access to one of the best VPNs with browser-level privacy protection. Check that your mobile devices are protected against malware and threats too. We have recommendations for the best Android antivirus apps, but because of Apple’s restrictions there’s no equivalent for the best iPhones.

Abusing Google's services to deliver malware and to launch attacks on unsuspecting users is nothing new. However, if you aren't aware of these tactics, you or someone else you know could easily fall for them. This is why it's important to stay up to date on all of the latest attack methods used by hackers even if you consider yourself security savvy and practice good cyber hygiene.

Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 
