Cybercriminals Exploit Google Calendar to Spread Malicious Links

### #PhishingEvolved #GoogleExploits #EmailSecurityBypass

Summary: Recent research by Check Point reveals how cybercriminals are leveraging Google Calendar and Drawings to bypass traditional email security measures, sending malicious invites that appear legitimate. This sophisticated tactic aims to steal sensitive information and perpetrate financial scams.

Threat Actor: Cybercriminals
Victim: Organizations and individuals

Key Points:

  • Cybercriminals modify sender headers to make malicious invites appear legitimate.
  • Links in calendar invites lead to fake reCAPTCHA or support pages designed to harvest personal information.
  • Stolen data is used for financial scams, including credit card fraud and unauthorized transactions.
  • Google recommends enabling the ‘known senders’ setting in Google Calendar to mitigate these phishing attempts.
  • Organizations should implement advanced email security, MFA, and behavior analytics to protect against such attacks.

New research from Check Point has revealed how cybercriminals are bypassing email security measures by using Google Calendar and Drawings to send seemingly legitimate invites containing malicious links.

The study highlighted how cybercriminals are bypassing email security policies that previously flagged malicious calendar invites.

Many of the emails look legitimate because they appear to directly originate from Google Calendar and the calendar files (.ics) include a link to Google Forms or Google Drawings.

Check Point said that after observing that security products could flag malicious calendar invites, cybercriminals evolved the attack to align with the capabilities of Google Drawings.

The malicious actors modify “sender” headers, making emails look as though they were sent via Google Calendar on behalf of a known and legitimate individual. 

The aim of the attack is to allow for the theft of corporate or personal information.

Once a target clicks on the link included in the calendar file, they are then asked to click on another link, which is often disguised as a fake reCAPTCHA or support button.

After clicking on the link, the user is forwarded to a page that looks like a cryptocurrency mining landing page or bitcoin support page.

These pages are actually intended to perpetrate financial scams, Check Point noted. Once users reach the said page, they are asked to complete a fake authentication process, enter personal information and eventually provide payment details.

After an individual unwittingly discloses sensitive data, the details are then applied to financial scams, where cybercriminals may engage in credit card fraud, unauthorized transactions or similar illicit activities.

The stolen information may also be used to bypass security measures on other accounts, leading to further compromise.

Commenting on the findings, Google stated, “We recommend users enable the ‘known senders’ setting in Google Calendar. This setting helps defend against this type of phishing by alerting the user when they receive an invitation from someone not in their contact list and/or they have not interacted with from their email address in the past.”

Other recommendations for organizations to safeguard users from this type of attack include:

  • Implementing advanced email security platforms that can block sophisticated phishing attempts
  • Monitoring the use of third-party Google Apps to warn your organization about suspicious activity
  • Switching on Multi-Factor Authentication (MFA) across business accounts
  • Deploying behavior analytics tools that can detect unusual login attempts or suspicious activities, including navigation to cryptocurrency-related sites
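
A triage sketch for the invites described in this article, added here as an example and not code from Check Point or Google: it unfolds an .ics body, extracts the organizer and links, and flags Google Forms/Drawings links and organizers outside a known-sender set. The function names, the `forms.gle` short-link check and the sample invite are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Google-hosted targets the article names as link destinations in malicious invites.
FLAGGED_PREFIXES = ("/forms/", "/drawings/")
# Backslash is excluded so a URL stops at iCalendar escapes such as "\n" or "\,".
URL_RE = re.compile(r"https?://[^\s\"'<>\\]+")

def unfold(ics_text):
    """Undo RFC 5545 folding: a line starting with space or tab continues the previous one."""
    return re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()

def is_flagged_link(url):
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host == "forms.gle":  # assumption: treat Google Forms short links the same way
        return True
    return host == "docs.google.com" and parsed.path.startswith(FLAGGED_PREFIXES)

def triage_invite(ics_text, known_senders):
    """Return (organizer, findings) for one .ics body; an empty findings list means nothing flagged."""
    organizer, urls = None, []
    for line in unfold(ics_text):
        prop = line.split(":", 1)[0].split(";")[0].upper()
        if prop == "ORGANIZER":
            match = re.search(r"(?i)mailto:(\S+)", line)
            organizer = match.group(1).lower() if match else None
        urls += URL_RE.findall(line)
    findings = []
    # Mirrors the idea behind the 'known senders' setting: unfamiliar organizers get attention.
    if organizer is None or organizer not in known_senders:
        findings.append("organizer not in known senders")
    findings += ["link to Google Forms/Drawings: " + u for u in urls if is_flagged_link(u)]
    return organizer, findings

# Constructed sample invite (not taken from the research); the URL is folded across two lines.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Pat Example:mailto:pat@unknown.example\r\n"
    "SUMMARY:Account review\r\n"
    "DESCRIPTION:Please confirm here: https://docs.google.com/draw\r\n"
    " ings/d/CONSTRUCTED_ID/preview\\nThanks\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    print(triage_invite(SAMPLE_ICS, {"alice@corp.example"}))
```

A flagged invite is a candidate for review rather than a verdict, since legitimate invites also link to Google Forms and Drawings.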


Source: https://www.infosecurity-magazine.com/news/cybercriminals-exploit-google