New research from Check Point has revealed how cybercriminals are bypassing email security measures by using Google Calendar and Drawings to send seemingly legitimate invites containing malicious links.
The study highlighted how cybercriminals are bypassing email security policies that previously flagged malicious calendar invites.
Many of the emails look legitimate because they appear to directly originate from Google Calendar and the calendar files (.ics) include a link to Google Forms or Google Drawings.
Check Point said that after observing that security products could flag malicious calendar invites, cybercriminals evolved the attack to align with the capabilities of Google Drawings.
The malicious actors modify “sender” headers, making emails look as though they were sent via Google Calendar on behalf of a known and legitimate individual.
The aim of the attack is to allow for the theft of corporate or personal information.
Once a target clicks on the link included in the calendar file, they are then asked to click on another link, which is often disguised as a fake reCAPTCHA or support button.
After clicking on the link, the user is forwarded to a page that looks like a cryptocurrency mining landing page or bitcoin support page.
These pages are actually intended to perpetrate financial scams, Check Point noted. Once users reach that page, they are asked to complete a fake authentication process, enter personal information and eventually provide payment details.
After an individual unwittingly discloses sensitive data, the details are then applied to financial scams, where cybercriminals may engage in credit card fraud, unauthorized transactions or similar illicit activities.
The stolen information may also be used to bypass security measures on other accounts, leading to further compromise.
Commenting on the findings, Google stated, “We recommend users enable the ‘known senders’ setting in Google Calendar. This setting helps defend against this type of phishing by alerting the user when they receive an invitation from someone not in their contact list and/or they have not interacted with from their email address in the past.”
Other recommendations for organizations to safeguard users from this type of attack include:
- Implementing advanced email security platforms that can block sophisticated phishing attempts
- Monitoring the use of third-party Google Apps to warn your organization about suspicious activity
- Switching on Multi-Factor Authentication (MFA) across business accounts
- Deploying behavior analytics tools that can detect unusual login attempts or suspicious activities, including navigation to cryptocurrency-related sites
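
As an added illustration (not code from Check Point, Google or the original article), the sketch below shows one way a mail pipeline could triage invites of the kind described above: it parses the calendar (.ics) part, extracts Google Forms or Google Drawings links, and checks the organizer against a known-senders list. The URL prefixes, the `known_senders` set, the function names and the sample message are assumptions made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: URL prefixes treated as Google Forms / Google Drawings links.
SUSPECT_URL = re.compile(
    r"(?i)https?://(?:docs\.google\.com/(?:forms|drawings)/|forms\.gle/)[^\s<>]*")

def unfold(ics):
    """RFC 5545 unfolding: a line break followed by space/tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics)

def triage_invite(raw_email, known_senders):
    """Inspect text/calendar parts of one message; return findings for an analyst."""
    msg = message_from_string(raw_email)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    organizer, links = None, []
    for part in msg.walk():
        if part.get_content_type() != "text/calendar":
            continue
        raw = part.get_payload(decode=True) or b""
        ics = unfold(raw.decode(part.get_content_charset() or "utf-8", "replace"))
        m = re.search(r"^ORGANIZER.*?:mailto:(\S+)", ics, re.I | re.M)
        if m:
            organizer = m.group(1).lower()
        links += SUSPECT_URL.findall(ics)
    reasons = []
    if links:
        reasons.append("calendar file links to Google Forms/Drawings")
    if (organizer or from_addr) not in known_senders:
        reasons.append("organizer is not a known sender")
    if organizer and organizer != from_addr:  # heuristic, an assumption of this sketch
        reasons.append("From header differs from ICS organizer")
    return {"from": from_addr, "organizer": organizer, "links": links,
            "reasons": reasons, "review": bool(links) and len(reasons) > 1}

# Constructed sample message (not a real capture); all names are placeholders.
SAMPLE = """From: Known Colleague <colleague@example.com>
Subject: Invitation: Account review
Content-Type: text/calendar; charset=utf-8; method=REQUEST

BEGIN:VCALENDAR
BEGIN:VEVENT
ORGANIZER;CN=Known Colleague:mailto:unknown-sender@example.net
DESCRIPTION:Please confirm here: https://docs.google.com/drawings/d/EXAM
 PLE-ID/preview
END:VEVENT
END:VCALENDAR
"""
```

A link to Google Forms or Drawings alone is common in legitimate invites, so the sketch only marks a message for review when that link coincides with at least one sender signal.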