Phishing attacks can come via Gmail Calendar Invites

Fall for my crafty trick

Users of Google’s Calendar app are being warned about scams that take advantage of the popularity of the free service and its ability to schedule meetings easily. Spammers and phishers are sending unsolicited Google Calendar notifications in ever-growing numbers to trick users into clicking phishing links.

Here’s how it works: Scammers send a Google user a calendar invite complete with meeting topic and location information. Inside the details of the appointment lies a malicious link that looks like it’s pointing you back to meet.google.com for more details. Once clicked, it’s back to the usual tactics of trying to infect the user’s endpoint with malware and so on.
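
A check that a mail or calendar filter could run on the kind of invite described above, as an added example (not code from Google or from the original article): it unfolds an iCalendar invite, pulls the URLs out of its text fields, and flags hosts that only resemble meet.google.com. The sample invite, its `.example` hostnames and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

TRUSTED_HOST = "meet.google.com"  # the host the lure imitates, per the article
TEXT_PROPS = {"SUMMARY", "DESCRIPTION", "LOCATION", "URL"}

# Constructed sample invite (not a real message); look-alike hosts use the
# reserved .example TLD.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
    "SUMMARY:Quarterly budget review\r\n"
    "LOCATION:https://meet.google.com/abc-defg-hij\r\n"
    "DESCRIPTION:More details: https://meet.google.com.join-call.example/abc\\n\r\n"
    " Backup link: https://meet-google.example/login\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

def invite_urls(ics):
    """Return every http(s) URL in the invite's text properties."""
    # RFC 5545 folding: a line break followed by space/tab continues the line.
    unfolded = re.sub(r"\r?\n[ \t]", "", ics)
    urls = []
    for line in unfolded.splitlines():
        name, _, value = line.partition(":")
        if name.split(";")[0].upper() in TEXT_PROPS:
            value = re.sub(r"\\[nN]", " ", value)  # escaped newline in TEXT values
            urls += re.findall(r"https?://[^\s<>\"]+", value)
    return urls

def classify(url):
    """'trusted' only on an exact host match; 'lookalike' if the brand merely appears."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "other"
    if host == TRUSTED_HOST:
        return "trusted"
    # Compare with separators removed so meet-google.*, meet.google.com.<other>
    # and a meet.google.com@<other> userinfo prefix are all caught.
    squashed = re.sub(r"[^a-z0-9]", "", parts.netloc.lower())
    return "lookalike" if "meetgoogle" in squashed else "other"

def review(ics):
    """Map each URL in the invite to its verdict."""
    return {url: classify(url) for url in invite_urls(ics)}

if __name__ == "__main__":
    for url, verdict in review(SAMPLE_ICS).items():
        print(f"{verdict:10} {url}")
```

The verdict depends on the parsed hostname, not on whether the string "meet.google.com" appears somewhere in the link, which is exactly the difference a hurried reader misses.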

Users have long been warned about their interaction with email and the web. Now it’s important to add Calendar invites to the list. This latest method demonstrates how attackers are continually updating their tactics, which means organizations must keep their security education just as current so that users can make smarter security decisions.

The most important thing is to be attentive.

  • Do not open messages from unknown senders.
  • Never accept invitations from people you don’t know.
  • Do not tap or click links in messages you weren’t expecting.

Note, if you do start to get spam invites, consider taking additional steps.

First, report the event as spam by double-clicking the event you’d like to report, then at the top, click More Actions > Report as Spam.

Next, change your default settings for Calendar.

By default, Google Calendar will add events to your calendar whenever you receive an invite, even if you never clicked ‘accept’. As long as someone can blast invites your way, it’s easy for them to sneak garbage onto your Google Calendar.

Worse, even if you diligently decline events you don’t recognize, Calendar will still display events you’ve declined, meaning those phishy links will stick around, too.

You can read more about possible calendar default setting changes to consider to sidestep unwanted invites in this article.

You can read more about how Google Calendar, Google Forms and other Google services are being used by spammers et al. in this article.

You can also check out Google’s page on Calendar feedback.

Google’s Chromebook App Hub

Google has made official an idea that’s been in the works for quite some time: the Chromebook App Hub went live on Wednesday, June 19th. It is their online resource to help educators, administrators and developers work together to learn about Chromebook apps and activity ideas for schools.

Google is inviting educators to share ideas on how to use apps in their classrooms, and will be reviewing submissions quarterly — let ’em know via this form.

Looks like a promising site to learn about and consider apps that might be worthwhile. Below is a snapshot of part of their search filter:

AppHub Filter view
A screenshot of their filter search

“Genial.ly” Is a Multi-Purpose Tool

Genial.ly is more than just a free tool to create infographics.

The site – which is FREE to use – lets you create an amazing array of interactive tools, including games, quizzes, annotated photos, and presentations – just to name a few.

Consider checking it out at https://genial.ly/!

[Heads-Up] The FBI Warns Against Phishing and Advises How to Spot Attacks

The FBI’s Internet Crime Complaint Center (IC3) released a PSA warning that attackers are exploiting people’s trust in sites that use HTTPS. Cybersecurity training has in the past rightly encouraged users to look for the lock icon next to the URL in the browser, but many users still believe this icon is proof that the site they’re on is legitimate.

While the lock is important, it only means that traffic to and from the site is private; the lock DOES NOT ENSURE that the SITE’s operator is trustworthy.

FBI RECOMMENDATIONS:

The following steps can help reduce the likelihood of falling victim to HTTPS phishing:

  • Do not simply trust the name on an email: question the intent of the email content.
  • If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.
  • Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead).
  • Do not trust a website just because it has a lock icon or “https” in the browser address bar.

See the Public Service Announcement (PSA) here.