UPDATE

A sophisticated cyberattack is targeting Gmail users through fraudulent, unsolicited Google Calendar notifications.

The campaign takes advantage of a common default feature for people using Gmail on their smartphone: Calendar invites automatically pop up on phones, prompting users to accept or decline them.

“Cybercriminals send targets an unsolicited calendar invitation carrying a link to a phishing URL,” explained Kaspersky researcher Maria Vergelis, in a write-up on Monday. “A pop-up notification of the invitation appears on the smartphone’s screen, and the recipient is encouraged to click on the link. The website where they are directed then tells victims to enter their credit-card details and add some personal information – which is sent straight to the scammers.”

While this particular campaign – which Kaspersky observed targeting victims throughout May – has phishing designs on victims, the attack vector can also be used for other types of malicious activities, such as getting users to click on a link that downloads malware.

“This attack vector can be used for any campaign, including the spread of malicious links,” Vergelis told Threatpost. “The ability to exploit legal services which are so popular and well-known among the users all over the world (the number of potential victims is huge) [is notable]. And secondly, the idea of delivery the illegal content not only by emails, but also as pop-up notifications on the smartphone’s screen [stands out here].”

Spam and phishing threats that exploit non-traditional attack vectors like this can help criminals to reach victims who might not fall for a more obvious attack, she added. She also noted that other Google Calendar features can be exploited in similar fashion; for instance, attackers are adept at using Google Calendar to set up fake polls for which a reward is offered. In reality, the “poll” is a phishing attempt that asks for personal information.

“The ‘calendar scam’ is a very effective scheme, as most people have become used to receiving spam messages from emails or messenger apps,” said Vergelis. “But this may not be the case when it comes to the Calendar app, which has a main purpose to organize information rather than transfer it. So far, the sample we’ve seen contains text displaying an obviously weird offer, but as it happens, every simple scheme becomes more elaborate and trickier with time.”

In the May campaign, users were redirected to a website that featured a simple questionnaire and offered prize money upon completion. To receive the prize, users were asked for a “fixing” payment, for which they were asked to enter their credit-card details as well as name, phone number and address. The “prize” of course was never delivered.

Vergelis also pointed out that Google Calendar is not the only service that the bad guys target. Other, similar attacks have been seen using notifications from Google Photos, Google Hangouts and even commercial services like Google Ads and Google Analytics to attack targets. For instance, malicious actors can send Google Analytics users messages with an attached, malicious document, purporting to be a “visitor statistics PDF report” for an unfamiliar website; in the case of Google Photos, attackers share photographs and ask the victim to reply via email, which initiates an attack. For the recipient, it looks like a harmless email from Google Photos with the header “so-and-so shared a photo with you.”

While Kaspersky doesn’t have statistics on the number of victims, Vergelis told Threatpost that “this opportunity (a kind of ‘vulnerability’) is universal, thus scammers could use any service worldwide. The attack is not difficult to carry out. As always there should be a list of target emails whose owners are users of Google services.”

For Google’s part, a spokesperson told Threatpost: “Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse. Combating spam is a never-ending battle, and while we’ve made great progress, sometimes spam gets through. We remain deeply committed to protecting all of our users from spam: we scan content on Photos for spam and provide users the ability to report spam in Calendar, Forms, Google Drive, and Google Photos, as well as block spammers from contacting them on Hangouts. In addition, we offer security protections for users by warning them of known malicious URLs via Google Chrome’s Safe Browsing filters.”

Mobile users can protect themselves from calendar phishing specifically by turning off the automatic adding of invitations to their calendars. And as always, if users aren’t sure whether a website they’re redirected to is real and safe, they should never enter personal information.

This post was updated June 12 at 8:51 a.m. ET to reflect comments from Google.

Ransomware is on the rise: Don’t miss our free Threatpost webinar on the ransomware threat landscape, June 19 at 2 p.m. ET. Join Threatpost and a panel of experts as they discuss how to manage the risk associated with this unique attack type, with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers.