Phishing with Google Calendar

As you know, one of the challenges phishers face in defrauding you of your username, passwords and, ultimately, cash is how to convince you that they are legitimate.

I’m indebted to Clu-blog reader Pete who sent me details of an unusual phishing email he received earlier this week, which goes further than many in attempting to pull the wool over your eyes.

Pete, who uses Google Calendar, received the following in his email inbox.

Unlike many phishing emails, it included his real name alongside his email address, and it looked identical to a genuine Google Calendar invite.

And that’s because it is a genuine Google Calendar invitation to an event (just like one you might receive for a friend’s barbecue or New Year’s Eve cocktail party). And sure enough, clicking on the link in the email takes you to a “real event” in your Google Calendar, to which it appears a number of other people have been invited as well.

Part of the event invitation reads as follows:

THIS Email is from Gmail Customer Care and we are sending it to every Gmail Email User Accounts Owner for safety. we are having congestions due to the anonymous registration of Gmail accounts so we are shutting down some Gmail accounts and your account was among those to be deleted. We are sending you this email so that you can verify and let us know if you still want to use this account.

The Calendar invite then encourages you to respond with your Google username, password and date of birth.

Remember, you really are on Google’s Calendar website. You haven’t been taken to a fake site posing as Google, but alarm bells should definitely be ringing in your head at this point.

It should be obvious to everyone that Google is very unlikely to send out an email of this nature, and that it wouldn’t ask you to confirm whether you wanted your account to continue by accepting an invitation on your Google Calendar.

Furthermore, is it really likely that Google customer service would have an email address like (where XXXX is a four-digit number)?

What’s happened here is that a scammer has created a Gmail account with the name “Customer Varifaction” (another spelling mistake which should have raised suspicion) and added these people as guests to an event designed to steal their credentials. Google itself has then sent the event invitation email automatically on their behalf, helpfully inserting the recipients’ real names.
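As an added example, not code from the original post or from Sophos, the Python below parses a constructed iCalendar invite of the kind described above and flags the traits that gave this one away: an event description that asks for credentials, a “customer care” style display name on an address outside google.com, and a bulk guest list. The addresses and the invite text are constructed, and the heuristics are this example’s own assumptions, not Google’s checks.

```python
import re

# Constructed sample (not from the original post): a Google Calendar style
# iCalendar invite whose event description carries scam text like that quoted
# above. The organizer address is a placeholder, since the post redacts it.
SCAM_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Customer Varifaction:mailto:placeholder-sender@example.com\r\n"
    "ATTENDEE;CN=Pete:mailto:pete@example.com\r\n"
    "ATTENDEE:mailto:guest2@example.com\r\n"
    "SUMMARY:Account verification\r\n"
    "DESCRIPTION:THIS Email is from Gmail Customer Care and we are sending it\r\n"
    "  to every Gmail Email User Accounts Owner for safety. Reply with your\r\n"
    "  username\\, password and date of birth to verify your account.\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)
# A constructed ordinary invite, for contrast.
BENIGN_ICS = (
    "BEGIN:VEVENT\r\nORGANIZER;CN=Alice:mailto:alice@example.com\r\n"
    "ATTENDEE:mailto:pete@example.com\r\nDESCRIPTION:Bring a salad.\r\nEND:VEVENT\r\n"
)
CREDENTIAL_WORDS = ("password", "username", "date of birth", "verify", "shutting down")

def parse_ics_event(text):
    """Unfold RFC 5545 continuation lines (CRLF + space/tab) and return the
    event's properties; ATTENDEE may repeat, so it is kept as a list."""
    props = {"ATTENDEE": []}
    for line in re.sub(r"\r?\n[ \t]", "", text).splitlines():
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        name, _, params = head.partition(";")
        value = value.replace("\\,", ",").replace("\\n", "\n")  # iCal text escapes
        entry = {"value": value,
                 "params": dict(p.split("=", 1) for p in params.split(";") if "=" in p)}
        if name == "ATTENDEE":
            props["ATTENDEE"].append(entry)
        else:
            props[name] = entry
    return props

def assess_invite(text):
    """Return the reasons an invite looks like the Calendar phish described
    above; an empty list means nothing suspicious was found."""
    ev = parse_ics_event(text)
    reasons = []
    desc = ev.get("DESCRIPTION", {}).get("value", "").lower()
    hits = [w for w in CREDENTIAL_WORDS if w in desc]
    if len(hits) >= 2:
        reasons.append("description solicits credentials: " + ", ".join(hits))
    org = ev.get("ORGANIZER", {"value": "", "params": {}})
    cn, addr = org["params"].get("CN", ""), org["value"].split(":", 1)[-1].lower()
    # A 'Customer Care'-style display name on an address outside google.com:
    # Google sent the invite on behalf of an ordinary account holder.
    if re.search(r"customer|support|care|service", cn, re.I) and not addr.endswith("@google.com"):
        reasons.append(f"organizer '{cn}' uses non-Google address {addr}")
    if len(ev["ATTENDEE"]) > 1:
        reasons.append(f"{len(ev['ATTENDEE'])} guests invited to the same event")
    return reasons
```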

As with any phishing email you receive on Gmail, you should report it as an attempt to phish information from you, which will help warn the security team at Google and help others.

Fortunately Pete has his wits about him, and didn’t fall for this phishing attempt.

Thanks to Fraser in SophosLabs who had a good enough memory to recall that the problem of phishing via Google Calendar was also encountered earlier this year, as this blog post by Philipp Lenssen describes.