Scammers are phishing in a new pond.
As identified by Kaspersky Labs in a report from Wired, bad actors are taking advantage of a Google Calendar setting that lets anyone place event invites in another user's calendar.
In the scam, an event will pop up in a user's Google Calendar; the description will invite them to take a survey or claim a cash reward. That includes a link, prompting users to enter personal and financial information.
Google Calendar's architecture unfortunately gives these schemes the ring of legitimacy, since simply having an event on your calendar could trigger notifications about it. Users have to be diligent about knowing whether they or someone they know has placed the event on the calendar, or if it's from an unknown source.
Mashable employee Dana Froome recently received a phishing event invite. Froome is diligent about her personal Google Calendar, using it to manage everything outside of work. So when she got an event invitation for something she clearly had not placed there, she was confused, and then disturbed. "I live by my personal calendar," Froome said. "I was taken aback by what it was. It felt invasive."
Froome searched her Gmail for the event invitation, but could find nothing there, so she deleted the invitation.
As Wired points out, users can guard against the attack by changing their Google Calendar privacy settings: Open Google Calendar's settings on a desktop browser and go to Event Settings > Automatically Add Invitations, and then select the option "No, only show invitations to which I've responded." Also, under View Options, make sure that "Show declined events" is unchecked, so malicious events don't haunt you even after you decline them.
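For events that were already auto-added before the setting was changed, the check described above (is the event from someone I know, and does its description carry a link?) can be run over an exported .ics file. This is an added example, not code from Wired, Kaspersky or Google; the sample calendar, the function names and the known-organizer list are constructed for illustration.

```python
import re

# Constructed sample export (not real data); the long line is folded per RFC 5545.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Dentist\r\n"
    "ORGANIZER;CN=Me:mailto:me@example.com\r\n"
    "DESCRIPTION:Bring insurance card\r\n"
    "END:VEVENT\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:You have a cash reward\r\n"
    "ORGANIZER;CN=Rewards:mailto:promo@unknown.example\r\n"
    "DESCRIPTION:Claim now at https://survey.exam\r\n"
    " ple/claim and enter your card details\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)
URL_RE = re.compile(r"https?://[^\s\\]+", re.I)

def unfold(text):
    # RFC 5545: a line break followed by a space or tab continues the previous line.
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def parse_events(text):
    # Simplified parser: keeps one value per property and ignores parameters.
    events, cur = [], None
    for line in unfold(text):
        if line == "BEGIN:VEVENT":
            cur = {}
        elif line == "END:VEVENT" and cur is not None:
            events.append(cur)
            cur = None
        elif cur is not None and ":" in line:
            name, value = line.split(":", 1)
            cur[name.split(";", 1)[0].upper()] = value
    return events

def suspicious(text, known_organizers):
    # Flag events from an organizer outside the known list whose description has a link.
    # Assumption: an event with no ORGANIZER property was created by the calendar owner.
    known = {o.lower() for o in known_organizers}
    hits = []
    for ev in parse_events(text):
        org = re.sub(r"^mailto:", "", ev.get("ORGANIZER", ""), flags=re.I).lower()
        links = URL_RE.findall(ev.get("DESCRIPTION", ""))
        if org and org not in known and links:
            hits.append((ev.get("SUMMARY", ""), org, links))
    return hits
```

Flagged events are candidates for manual review and deletion, not proof of phishing; a legitimate invite from a new contact will also appear.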
Google makes it easy to invite people to events without the need for tedious logistical email chains. But where there's a public setting, there's a scammer ready to exploit it.
source:mashable.com