What You Should Know About Gmail and Google Calendar Malicious Spam Invites
By Jake Rossen
With an estimated 1.5 billion users, Google’s Gmail service is so widely used that any misuse of its features can have far-reaching consequences. As Forbes contributor Davey Winder points out, one feature in particular, Google's Calendar function, could conceivably lead to spam invites.
Google Calendar, which is accessible via Gmail, notifies users of scheduled appointments that are either entered manually or created from an email invitation. The problem, Winder explains, is that Calendar lets anyone schedule a meeting with a user without any email notification, and Gmail then adds those events to Calendar automatically. Because Gmail users assume the invites must be legitimate, they might click on a pop-up notification about a fraudulent event, or a link within a fraudulent event, that leads to a malicious attack site. In extreme cases, the links can lead to portals where bank or credit card information is solicited.
In an example used by Black Hills Information Security, which discovered the flaw, a Calendar user might receive a notice about an “all-hands” meeting starting in a few minutes along with a link to information that will be discussed at the meeting. Feeling a sense of urgency, a user may not examine the reminder too closely, click the link, and be transferred to a site with malicious software.
Though the vulnerability has been known and publicized for years, Google has only recently begun taking steps to address it, announcing via a help forum post that it is working to reduce the potential for spam or malicious links to be passed along through the service.
Until then, it’s best for users to be more diligent when interacting with the Calendar function. Under Settings > Event Configuration, “Automatically add invitations” should be disabled, and the option to show only invitations users have responded to should be enabled. It’s also advisable never to follow a link from a Calendar email sent by an address or entity you don’t recognize.
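The settings above stop invites from landing in the calendar silently, but a defender can also triage the invite itself before it reaches a user. The script below is an added example, not code from the article or from Google: it parses an iCalendar (.ics) invite, identifies the organizer, and flags the pattern the article describes (an organizer outside the organization's own mail domain, plus an embedded link or urgency wording such as "all-hands"). The trusted domain `corp.example`, the two sample invites and every address in them are constructed for illustration.

```python
"""Added example: triage an iCalendar (.ics) invite for the spam-invite
pattern (external organizer + embedded link or urgency wording).
All domains, addresses and sample invites below are constructed."""
import re
from dataclasses import dataclass, field

# Assumption: the organization's own mail domain(s). Anything else is "external".
TRUSTED_DOMAINS = {"corp.example"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
URGENCY_RE = re.compile(
    r"\b(urgent|all[- ]hands|immediately|start(?:s|ing) in \d+ minutes?)\b",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    summary: str
    organizer: str
    external: bool
    urgent: bool
    urls: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # An external organizer alone is normal business; it becomes suspect
        # only when the event also carries a link or urgency wording.
        return self.external and (bool(self.urls) or self.urgent)


def unfold(ics: str) -> list[str]:
    """RFC 5545 line unfolding: a line starting with space/tab continues the previous one."""
    lines: list[str] = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_event(ics: str) -> dict[str, str]:
    """Return the properties of the first VEVENT as {NAME: value}; parameters (;CN=...) are dropped."""
    props: dict[str, str] = {}
    in_event = False
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            in_event = True
            continue
        if line == "END:VEVENT":
            break
        if not in_event or ":" not in line:
            continue
        key, value = line.split(":", 1)
        props[key.split(";", 1)[0].upper()] = value
    return props


def triage(ics: str, trusted: set[str] = TRUSTED_DOMAINS) -> Verdict:
    ev = parse_event(ics)
    organizer = ev.get("ORGANIZER", "").lower().removeprefix("mailto:")
    domain = organizer.rsplit("@", 1)[-1] if "@" in organizer else ""
    # Unescape iCalendar text (\n, \,) so URLs terminate at real whitespace.
    text = " ".join(ev.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION"))
    text = text.replace("\\n", " ").replace("\\,", ",")
    return Verdict(
        summary=ev.get("SUMMARY", ""),
        organizer=organizer,
        external=domain not in trusted,
        urgent=URGENCY_RE.search(text) is not None,
        urls=URL_RE.findall(text),
    )


# Constructed sample: the "all-hands in a few minutes, here is the link" invite.
SAMPLE_INVITE = "\r\n".join([
    "BEGIN:VCALENDAR",
    "METHOD:REQUEST",
    "BEGIN:VEVENT",
    "UID:constructed-0001@example.invalid",
    "ORGANIZER;CN=IT Support:mailto:it-support@mail.example.invalid",
    "SUMMARY:All-hands meeting (starts in 5 minutes)",
    "DESCRIPTION:Agenda and slides: https://deck.example.invalid/all-hands\\nPlea",
    " se review before we start.",  # folded continuation line
    "LOCATION:Online",
    "DTSTART:20240101T090000Z",
    "END:VEVENT",
    "END:VCALENDAR",
])

# Constructed sample: an ordinary internal invite with no links.
INTERNAL_INVITE = "\r\n".join([
    "BEGIN:VCALENDAR",
    "BEGIN:VEVENT",
    "UID:constructed-0002@corp.example",
    "ORGANIZER:mailto:alice@corp.example",
    "SUMMARY:Weekly sync",
    "DESCRIPTION:Usual agenda.",
    "END:VEVENT",
    "END:VCALENDAR",
])

if __name__ == "__main__":
    for invite in (SAMPLE_INVITE, INTERNAL_INVITE):
        v = triage(invite)
        print(f"{'SUSPICIOUS' if v.suspicious else 'ok':10} {v.organizer:40} {v.summary}")
```

The parser deliberately handles RFC 5545 line folding, since a URL split across a folded line would otherwise escape the link check. Feed it the `text/calendar` part of incoming mail (for example from a mail gateway hook) and quarantine or annotate invites whose verdict is suspicious, rather than letting them be added to calendars automatically.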