Think twice before clicking on that Google Calendar link you got in your email. A recent report from Check Point says that black hat hackers have figured out how to abuse Google Calendar to send phishing emails.
While Check Point has not revealed exactly who is behind this new hack, its potential to scale rapidly is significant. Google Calendar is used by 500 million people worldwide, and Google Workspace has more than 3 billion monthly active users.
Bad actors behind this new social engineering campaign are also manipulating Google Drawings — a free, web-based application that allows users to create, edit, and share diagrams, charts, and other content.
Let’s look at how this hack works and what best practices and steps users can take to avoid falling for this malicious yet interesting scam.
Key Takeaways
- Hackers are abusing Google Calendar and Drawings to send convincing phishing emails, tricking users into clicking malicious links.
- Attackers modify sender headers and use multi-step redirects to make the scams appear legitimate and increase their success rate.
- Google Calendar’s widespread use makes it a prime target for attackers, and this campaign demonstrates the evolving nature of phishing threats.
- Users should double-check all Calendar invites, avoid clicking on suspicious links, use strong passwords, and implement multi-factor authentication to protect themselves.
Google Calendar Manipulated For Phishing
On December 17, cybersecurity researchers at Check Point revealed that criminals were using Google Calendar links and Google Drawings to lure users into giving away their information.
Check Point researchers explained that the emails sent by these bad actors are very convincing and appear legitimate.
The reason why they look like the real thing is not just because of the email content design — which impersonates Google Calendar emails — but because black hat hackers are modifying “sender” headers. These modified headers create the illusion that the email was sent by Google itself.
Check Point discovered that this group has already sent more than 4,000 of these phishing emails out into the wild in just four weeks. Check Point also claims that about 300 brands have been impacted by this campaign but did not disclose who these brands are.
Black hat hackers are also actively re-coding their attacks, as evidence shows they pivoted to abusing Google Drawings after security vendors began flagging their malicious Calendar invites.
How Does the Google Calendar Hack Work?
Knowing how this scam works will let you spot a fake Google Calendar invite from a mile away. Let’s look at the ‘attack chain’ of this new Google Calendar campaign.
The attack chain in this campaign can be summarized in a few steps:
- Users receive an email that appears to be from Google Calendar. Calendar files (.ics) are included in this email and contain a link to Google Forms or Google Drawings.
- Users who open and click on these links will be redirected to fake pages, such as a fake reCAPTCHA page.
- Users are redirected to fake crypto pages after completing the CAPTCHA or clicking on another link.
- In these crypto pages, users are prompted to complete a malicious authentication process, which is a front for stealing users’ personal information, including financial and banking data.
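For mail administrators and analysts, the first step of this chain is the one that can be checked mechanically. The following is an added example, not code from Check Point or Google: it pulls the calendar (.ics) content out of a raw email, rejoins links that .ics line folding has split across lines, and returns any that point to Google Forms or Google Drawings. The sample message, the function names, and the docs.google.com path prefixes are assumptions made for the illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Assumption: Forms and Drawings links sit under these docs.google.com paths.
FLAGGED_PATHS = ("/forms/", "/drawings/")
URL_RE = re.compile(r"https?://[^\s\"'<>\\]+", re.I)

# Constructed sample message; the address and document ID are placeholders.
SAMPLE_EMAIL = """\
From: "Google Calendar" <notification@calendar.example>
Subject: Invitation: Payment review
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/calendar; method=REQUEST

BEGIN:VCALENDAR
BEGIN:VEVENT
DESCRIPTION:Confirm here: https://docs.google.com/drawings/d/EXAMPLE
 -ID/preview
END:VEVENT
END:VCALENDAR
--b1--
"""

def calendar_parts(msg):
    """Yield the text of every text/calendar part or *.ics attachment."""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/calendar" or name.endswith(".ics"):
            raw = part.get_payload(decode=True) or b""
            yield raw.decode("utf-8", errors="replace")

def flagged_links(raw_email):
    """Return Forms/Drawings URLs found in the calendar content of an email."""
    msg = message_from_string(raw_email, policy=policy.default)
    hits = []
    for ics in calendar_parts(msg):
        # Undo RFC 5545 line folding so URLs split across lines are rejoined.
        unfolded = re.sub(r"\r?\n[ \t]", "", ics)
        for url in URL_RE.findall(unfolded):
            u = urlparse(url)
            if u.hostname == "docs.google.com" and u.path.startswith(FLAGGED_PATHS):
                hits.append(url)
    return hits

if __name__ == "__main__":
    print(flagged_links(SAMPLE_EMAIL))
```

A hit is a reason to review the invite, not proof of phishing, since legitimate invites can also link to Forms or Drawings.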
As you can see in the steps listed above, the attack chain of this threat campaign is perhaps a little sloppy and easy to spot. While almost every user might be fooled by a Google Calendar link, not everyone will give away their personal data to a crypto page they have never seen before.
But for those who do fall for the trick, the consequences are real. The data that is extracted by cybercriminals is later used to launch other phishing attacks and commit identity and financial theft. Stolen data is also often sold repeatedly on the dark web and sometimes even leaked.
The problem with this hacking technique is that cybercriminals can refine this campaign to make it much more efficient. Steps 2 to 4 of the above can easily be improved.
Hackers may reduce the number of steps and web redirects and even use malicious pages coded with self-loading code and malware.
Google Calendar Threats: A Brief History
Google Calendar abuses are not new. On Reddit, users have been complaining about spam Google Calendar emails for years.
In November 2023, Google’s Threat Horizons Report warned that hackers could use Calendar services to host command-and-control (C2) infrastructure.
To date, this technique has not been observed in the wild, but security researchers from the Google-owned cybersecurity company Mandiant have proven it can be done. The tool is called Google Calendar RAT (GCR) and can be found for free on GitHub.
Once a device is connected to a C2 attacker server, it will obey the remote commands that criminals on the other end send to the infected device. This includes receiving and extracting data.
Threat campaigns that try similar techniques on Mac users have also been identified. In February 2024, Krebs on Security found that macOS users were being sent fake Calendly invites, which, if followed, ended up quietly installing malware on their Apple computers.
What We Found on the Dark Web & Telegram Channels
Techopedia did a non-exhaustive dark web search looking for Google Calendar phishing tools or Google Calendar phishing link generators. Our search for this specific tool came back empty.
However, as we expected, we found abundant Telegram phishing channels, Telegram phishing pages, and phishing link generator bots that allow any hacker to generate phishing emails containing malicious Google Calendar links.
Additionally, with these resources, criminals can also create fake web pages designed to look legitimate but coded to steal users’ data.
The Bottom Line: How to Stay Safe
There are several things users and enterprises can do to protect themselves against Google Calendar scams. The first piece of advice is to always double-check any invite to a Calendar app, whether it’s from Google or another company.
Even if the invite comes from or includes colleagues, friends, and family as CCs in the email, it should be double-checked.
Having a professional and trusted anti-malware solution can also go a long way, no matter what OS you are running.
Many of the best anti-malware providers offer state-of-the-art technologies and features that include live monitoring and email anti-phishing.
Finally, always use strong passwords, implement MFA (biometrics if possible), keep your system and apps up to date, and continue learning and reading about new hacks and cybersecurity threats.
References
- Google Calendar Notifications Bypassing Email Security Policies – Check Point Blog (Blog.checkpoint)
- Threat Horizons Report, Q3 2023 (Services.google)
- GitHub – MrSaighnal/GCR-Google-Calendar-RAT: Google Calendar RAT is a PoC of Command&Control over Google Calendar Events (Github)
- Calendar Meeting Links Used to Spread Mac Malware – Krebs on Security (Krebsonsecurity)