Researchers Find New Calendar-Based Phishing Campaign

Researchers have once again spotted crooks using calendar invitations to mount phishing attacks. The Cofense Phishing Defense Center found the attack in enterprise email environments protected by Proofpoint and Microsoft, it announced last week.

The phishing scam uses iCalendar, which is a media type that lets users store and exchange calendaring and scheduling information, including events and tasks. iCalendar files are usually delivered with an .ics extension. The company found the attackers using this file with the subject “Fault Detection from Message Center,” from a sender with the display name Walker. It came from a legitimate account belonging to a school district, indicating that the attackers were using a compromised email. That enabled them to bypass email filters relying on the DKIM and SPF technologies that authenticate sending domains.

When the victim opens the .ics file, it proposes a calendar entry displaying the URL, along with a message saying that it is from a security center. The web page behind the URL is hosted on Microsoft’s SharePoint site, and displays another link to a phishing site hosted by Google that appears to show a Wells Fargo login page.

Victims gullible enough to cooperate must submit their login details, PIN and account numbers, along with their email credentials. Doing so hands the attackers the keys to the kingdom. The phishing site will then send them to the legitimate Wells Fargo website to quell any suspicion.

This may be a new campaign, but it is not a new technique. A similar attack cropped up last June, when Kaspersky found attackers using Google’s auto-add feature. In that attack, smartphone users would see the invitation as a pop-up invitation, displaying a link to a phishing URL that asked for their credit card data and personal information.

This attack shows that cyber-crooks are still using the same attack vectors to deliver their scam material. Cofense also points out that using legitimate domains designed to host user content is a common tactic, and a perennial problem for the likes of Microsoft and Google. It gives the attackers an air of legitimacy because they get to take advantage of these sites’ built-in SSL certificates, which add the reassuring green padlock icon to the side of the URL in a browser’s address bar.

We’re 1-fix, we can help you secure your business

At 1-fix, we take a realistic approach to technology – ensuring our client’s systems are best protected.

If you have any concerns, questions or simply want to explore how to better secure your business, please do get in touch with the team for a FREE demonstration, consultation to explore how exposed your business might be and identify actions to take.