Researchers have once again spotted crooks using calendar invitations to mount phishing attacks. The Cofense Phishing Defense Center found the attack in enterprise email environments protected by Proofpoint and Microsoft, it announced last week.
The phishing scam uses iCalendar, which is a media type that lets users store and exchange calendaring and scheduling information, including events and tasks. iCalendar files are usually delivered with an .ics extension. The company found the attackers using this file with the subject “Fault Detection from Message Center,” from a sender with the display name Walker. It came from a legitimate account belonging to a school district, indicating that the attackers were using a compromised email. That enabled them to bypass email filters relying on the DKIM and SPF technologies that authenticate sending domains.
When the victim opens the .ics file, it proposes a calendar entry displaying the URL, along with a message saying that it is from a security center. The web page behind the URL is hosted on Microsoft’s SharePoint site, and displays another link to a phishing site hosted by Google that appears to show a Wells Fargo login page.
Victims gullible enough to cooperate must submit their login details, PIN and account numbers, along with their email credentials. Doing so hands the attackers the keys to the kingdom. The phishing site will then send them to the legitimate Wells Fargo website to quell any suspicion.
This may be a new campaign, but it is not a new technique. A similar attack cropped up last June, when Kaspersky found attackers using Google’s auto-add feature. In that attack, smartphone users would see the invitation as a pop-up invitation, displaying a link to a phishing URL that asked for their credit card data and personal information.
This attack shows that cyber-crooks are still using the same attack vectors to deliver their scam material. Cofense also points out that using legitimate domains designed to host user content is a common tactic, and a perennial problem for the likes of Microsoft and Google. It gives the attackers an air of legitimacy because they get to take advantage of these sites’ built-in SSL certificates, which add the reassuring green padlock icon to the side of the URL in a browser’s address bar.