Alarming Google Calendar Security Threat Leaves Half A Billion Users Vulnerable To Attack

Google Calendar logo on top of a laptop with a glowing display.
Beware of those Google Calendar invites as they could lead to a world of hurt if you accept them haphazardly. Security researchers at Check Point warn that cyber criminals are exploiting user-friendly features in Google Calendar to try and trick potential victims into clicking on malicious links, and that they've "evolved the attack to align with the capabilities of Google Drawings."

One reason why this latest warning is so concerning is because so many people use Google Calendar—more than 500 million people across 41 different languages. It's a deep pond for bad actors to cast their phishing bait into in hopes of luring in users who may have let their guard down during the holiday season. More than that, however, they're taking extra steps to make the ruse more convincing. And it's working.

"Cyber criminals are modifying 'sender' headers, making emails look as though they were sent via Google Calendar on behalf of a known and legitimate individual. Roughly 300 brands have been affected by this campaign thus far, with cyber researchers observing over 4,000 of these phishing emails in a four week period," Check Point states in a blog post.

Once hooked, a phishing victim is on the path to being financially scammed, as is often the case with these types of security threats. The fraudulent invite aims to trick users into clicking on another link that's often disguised as a fake reCAPTCHA or support button, the researchers say. This forwards the user to a page that resembles a cryptocurrency mining or Bitcoin support page.

"Once users reach said page, they are asked to complete a fake authentication process, enter personal information, and eventually provide payment details," Check Point says.

Google Calendar invite.
Example of a phishing attack email (Source: Check Point)

It seems far fetched that a user would be so easily duped, but the reason it's seeing success is because the invites appear to come from known contacts. Likewise, the rest of the screen looks normal. If nothing else, IT manager should alert Google Calendar users of the scam so they can be extra vigilant.

Google has some additional tips.

"We recommend users enable the ‘known senders’ setting in Google Calendar. This setting helps defend against this type of phishing by alerting the user when they receive an invitation from someone not in their contact list and/or they have not interacted with from their email address in the past," Google said in a statement.

Check Point offers up some basic tips to protect against this kind of Google Calendar attack as well, including being wary of fake event invites (duh, right?), carefully examining incoming content, and enabling two-factor authentication for Google accounts and other places that contain sensitive information (like banking sites).