Security threats surrounding Google applications, specifically Gmail and Calendar, are never far from the headlines, and for good reason: these platforms are a prime target for cybercriminals and hackers. But what are the latest threats you must be aware of, and how are they best mitigated? Don’t worry, we’ve got you covered.
Google Calendar Security Cyber Attacks—Change Gmail Options To Mitigate
A recent alert from Stu Sjouwerman, the chief executive officer and founder of human risk management specialists KnowBe4, warned of an ongoing attack campaign that is targeting Google users by way of the abuse of Google Calendar invites. “Attackers only need your Gmail address to send you an invite,” Sjouwerman said, “and the event will be placed in your calendar by default.” This is far from the first time that such tactics have been used by threat actors. Indeed, I have written about just such abuse of Google Calendar invites at Forbes.com for some years now. However, it’s worth reading a Popular Science report referenced by Sjouwerman to get up to date with the latest threat tactics.
Mitigating these attacks is relatively simple, according to Sjouwerman: head to the Google Calendar settings and, under the event settings, switch the “automatically add invitations” option to “only show invitations to which I have responded.” That’s step one. Step two involves going to the “events from Gmail” option and unchecking “automatically add events from Gmail to my calendar.” Doing so will, however, impact functionality as genuine automatic invites will also be disabled. It’s that old choice between usability and security again; only you can decide which takes priority.
“The calendar spam on display in the recent campaigns is annoying but generic phishbait,” Sjouwerman said, warning that “it’s easy to imagine how this technique could be used in more targeted and sophisticated attacks.”
Google advises that users with an eligible Google Workspace subscription can use email verification for appointment schedules to prevent unwanted appointments. “You can ask guests to verify their email address before they schedule an appointment in Google Calendar,” Google said. “This is only required for users who aren’t signed in to a Google Account.” More information regarding Google Calendar privacy options can be found here.
Similar warnings have recently been made about ClickFix attackers using fake Google Meet pages, so the interactive meetings attack surface is certainly opening up and something to be aware of.
Check Point has now also published a report into a new Google Calendar notification attack that has been found bypassing email security policies.