CyberInsecure.com

Fake Meeting Invitations Spam In Google And Outlook Calendars

An increasing number of spam emails being sent disguised as meeting invitations. Spammers are using the meeting invite features of both Google Calendar and Microsoft Outlook to send messages advertising, for example, the latest designer watches and prescription drugs. The messages are recognized and viewed by many mail clients as proper meeting invitations and actually get added to the calendar of the user who receives the spam, unless they specifically decline the request. It’s been becoming more and more common and has been recently reported by Security Fix on The Washington Post, Websense and ISC.

In some applications with default settings this kind of spam processed in ways that allow a spammer, or potentially a malicious attacker, to use methods for delivering their content that are not so commonly seen or as easily recognized by users as junk or malicious content. Many users have learned that it’s bad to click on links in emails, but it’s less frequent for them to be told not to click on links in meeting requests, or in the body of the meetings in their calendars.
While some email systems like GMail/Google Calendar and a compatible version of Outlook handle meeting requests as a different type of message specific to meetings, many email systems handle them as normal emails sent with particularly formatted attachments that follow a standard known as iCalendar. Applications that support these sorts of attachments are common, with most of the major email clients which also have some sort of calendar integration, supporting them in some way, including Microsoft Outlook, Mozilla Calendar (as well as Sunbird and Lightning), and Apple’s iCal. Some web-based clients, like GMail, also support these messages. By the standard, these files are plain text, UTF-8 encoded files with an extension such as .ical, .ics, etc., though this can vary from one implementation to another. With Outlook, the problem seems to originate the program itself. When Outlook receives a meeting invite, it blocks off the time period requested on a provisional basis until the recipient either accepts or declines the invite.

Google Calendar users can set it to show only those events that they have created or accepted. According to Google, here’s how to do that:

1. Click on “Settings” at the top of any Google Calendar page
2. Select the “General” tab if it isn’t selected already.
3. In the “Automatically add invitations to my calendar” section,
select “No, only show invitations to which I have responded.”
4. Click on “Save.”

Calendar users can report calendar spam by visiting this link.

To stop the automatic addition of a meeting when the e-mail is received in Outlook, clear the check box for “Process requests and responses on arrival” as follows:

1. On the Tools menu, click Options.
2. Click Email Options.
3. Click Tracking Options.
4. Click to clear the “Process requests and responses on arrival” check box.

This still doesn’t stop the creation of a tentative meeting if the e-mail is opened or viewed in the reading (preview) pane.

There are many other applications that use these invitations. Users should be aware that this is possible, regardless of what applications they might be using that could be spammed or attacked using these techniques. Just because users see a meeting request and not an email, doesn’t mean that it’s any safer to click on links.

Share this item with others:

Posted in Google, Spam |  Print This Post