Google Security Alert – Warning for Google’s 1.5 Billion Gmail & Calendar Users
Approximately 1.5 billion people use Google's Gmail service, and the Google Calendar app has been downloaded more than a billion times from the Play Store. Recently, security researchers have warned that threat actors are exploiting the popularity of both platforms to target users with a credential-stealing attack. In this article we shed some light on the new security warning issued for Google's 1.5 billion Gmail and Calendar users.
Let Us Check Out What This Attack Involves
Security researchers at Kaspersky have discovered how threat actors are abusing the tight, automated integration between Google services to target users with malicious links.
In what the researchers refer to as a 'sophisticated scam', Gmail users are being targeted primarily through unsolicited, malicious Google Calendar notifications. Anyone can schedule a meeting with you; that is how calendar software is designed to work. Gmail is likewise designed to integrate tightly with the calendar, so it receives the notification for the invitation.
A pop-up notification appears on the user's smartphone when a calendar invitation is sent to them. The threat actors craft their invites to include a malicious link, leveraging the trust that a user's familiarity with calendar notifications brings with it.
The researchers saw attackers throughout the last month using this trick to effectively spam users with phishing links to credential-stealing sites. By populating the location and topic fields to announce a fake online poll or questionnaire with a financial incentive to take part, the threat actors encourage the victim to follow the malicious link, where credit card or bank account details can be harvested. By exploiting such a 'non-traditional attack vector', the criminals get around the fact that people are already aware of the common techniques used to encourage link-clicking.
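The lure described above carries the link in the invitation's summary, location or description fields. As an added example, not code from the article or from Kaspersky's research, the following Python script parses a constructed iCalendar (.ics) invitation, the format a mail client receives such invites in, and flags links in those fields when the organizer is outside a trusted domain and the link host is not on an allowlist. The two sample invitations, the domains corp.example and example.invalid, and the allowlisted hosts are all assumptions made for this example.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample invitations (not real captures). Domains and URLs are
# invented for this example: corp.example is the hypothetical home org,
# example.invalid is the hypothetical attacker. The lure mirrors the article:
# a 'survey with a cash reward' whose LOCATION/DESCRIPTION carry the link.
SUSPICIOUS_INVITE = r"""BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
UID:lure-0001@example.invalid
ORGANIZER;CN=Rewards Team:mailto:rewards@example.invalid
SUMMARY:Quick survey - claim your $500 reward
LOCATION:https://survey.example.invalid/claim?id=42
DESCRIPTION:Congratulations\, you have been selected.\nComplete the poll at https://survey.exa
 mple.invalid/claim?id=42 to receive your payout.
DTSTART:20190615T100000Z
END:VEVENT
END:VCALENDAR
"""

BENIGN_INVITE = r"""BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
UID:sync-0001@corp.example
ORGANIZER;CN=A Colleague:mailto:colleague@corp.example
SUMMARY:Weekly sync
LOCATION:https://meet.google.com/abc-defg-hij
DTSTART:20190617T090000Z
END:VEVENT
END:VCALENDAR
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
LURE_FIELDS = ("SUMMARY", "LOCATION", "DESCRIPTION")


def unfold(ics: str) -> List[str]:
    """Join RFC 5545 folded lines: a continuation starts with a space or tab."""
    lines: List[str] = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def ical_unescape(value: str) -> str:
    r"""Undo RFC 5545 text escaping (\n, \, \; and \\)."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append("\n" if nxt in "nN" else nxt)
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_event(ics: str) -> Dict[str, str]:
    """Properties of the first VEVENT, keyed by name. Parameters such as
    ';CN=...' are dropped; a quoted parameter containing ':' is not handled
    (a simplification for this example)."""
    props: Dict[str, str] = {}
    in_event = False
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            in_event = True
            continue
        if line == "END:VEVENT":
            break
        if not in_event or ":" not in line:
            continue
        head, value = line.split(":", 1)
        props[head.split(";", 1)[0].upper()] = ical_unescape(value)
    return props


def organizer_domain(props: Dict[str, str]) -> str:
    """Domain part of the ORGANIZER mailto: address, lower-cased."""
    addr = props.get("ORGANIZER", "").strip().lower()
    if addr.startswith("mailto:"):
        addr = addr[len("mailto:"):]
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def assess_invite(ics: str, trusted_sender_domains: set, trusted_link_hosts: set) -> dict:
    """Flag links in the lure-bearing fields. A Meet link from a colleague is
    normal; a link to an unlisted host from an organizer outside the trusted
    domains is the pattern the article describes."""
    props = parse_event(ics)
    sender = organizer_domain(props)
    external = sender not in trusted_sender_domains
    findings: List[str] = []
    for field in LURE_FIELDS:
        for url in URL_RE.findall(props.get(field, "")):
            host = (urlparse(url).hostname or "").lower()
            if host not in trusted_link_hosts:
                findings.append(f"{field}: link to untrusted host {host!r}")
    return {
        "organizer_domain": sender,
        "external_organizer": external,
        "findings": findings,
        "suspicious": external and bool(findings),
    }


if __name__ == "__main__":
    for name, ics in (("suspicious", SUSPICIOUS_INVITE), ("benign", BENIGN_INVITE)):
        print(name, assess_invite(ics, {"corp.example"}, {"meet.google.com"}))
```

The allowlist of link hosts is deliberate: legitimate invites routinely carry a conferencing URL in the location field, so a rule that flags every link would drown the real lure in noise. Tune both sets to your own organization before running this over a mailbox.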
Now, The Question Crops Up!
Is This Only A Phishing Problem?
Javvad Malik, Security Awareness Advocate at KnowBe4 says, ‘This attack opens up the door for a whole host of social engineering attacks beyond phishing.’
Malik advised that 'in order to gain access to a building, for example, one can put in a calendar invitation for an interview or a similar face-to-face appointment, such as building maintenance', which he warns 'could allow physical access to secure areas.'
Hugo Van Den Toorn, Manager of Offensive Security at Outpost 24, agrees that the danger extends beyond the pure phishing realm. Specifically, this phishing attack leveraged the intended functionality of a mobile application. Van Den Toorn also explains that the attackers could likely have inserted attachments carrying malware targeting these users as well.
You Must Be Thinking!
How Can You Best Mitigate The Risk?
Kaspersky advises users to turn off the automatic adding of calendar invites by navigating to the Event Settings menu in Google Calendar and disabling the 'automatically add invitations' option, enabling the 'only show invitations to which I have responded' option instead. Additionally, it suggests that 'Show declined events' in the View Options section can also be left unchecked.
If turning off the automatic addition of events to the calendar is impractical, and it is likely to be just that for many who depend on such scheduling, then Boris Cipot (Senior Security Engineer at Synopsys) has a few general mitigation recommendations. He said, 'Interrogate every email, and in this case every invitation, you receive. If it feels wrong, weird or unusual, then ask the person who sent the invite if they actually sent it. Also, do not click on any links or attachments. Whenever in doubt, it is a wise choice to delete it.' He also said that Kaspersky's advice should be followed, and concluded that 'automation is not your friend in a case like this, so do not let your calendar app put invitations automatically into your calendar.'
Javvad Malik said users should validate meetings in the calendar manually and treat unexpected entries with a healthy dose of skepticism.
UPDATE: It has been brought to my attention that researchers Beau Bullock and Michael Felch of Black Hills Information Security were the first to reveal the Google Calendar invitation technique. The full story of that disclosure back in 2017 explains how Google was informed about the vulnerability and responded by silently adding an option to disable the functionality. The researchers found a way to work around that, and after the public disclosure and weaponization of the vulnerability at Wild West Hackin' Fest that year, Google contacted the researchers to tell them that no 'fix' had been developed because 'making this change would lead to major functionality drawbacks for legitimate API events with regards to Calendar.' A case of user experience taking priority over security, in other words.
UPDATE: A Google spokesperson has sent the following statement regarding the new security warning issued for Google's 1.5 billion Gmail and Calendar users.