Graham Cluley warns people about a new wave of phishing attempts being sent via Google Calendar. These are legitimate mails, receiving via Google Calendar, from Google’s mailservers, looking just like a real invitation for a meeting or party. In fact, it is just that. A phisher creates a fake Gmail account, sets up a meeting in his Google Calendar account with a text that asks you to send some account information, and invites lots of people. This lets Google do the hard work (delivering the phishing mail) and makes sure it comes from a “trusted” address.

googlecal-2-bigThis is a trend that I expect to continue in 2009. We’ve already seen Microsoft’s services being abused, and there are many other possibilities now that most captchas are broken. Take, for example, the Google Calendar service; the phishing attempt is still a bit simple, but you can also use it to send spam from Google’s servers using the same technique:

  • Create a Gmail account
  • Create a Calendar event
  • Add your URL’s to the event description
  • Invite the people you’d like to spam
  • Google will spam them for you, including hyperlinks for your spamvertized site.

Don’t believe it’s that easy? You thought Google would check the contents of the messages you sent? Creating the following message took less than a minute, and with captchas effectively broken it should be easy to automate.


The “more details” link takes you to this page:


As you can see, Google has even created some nice clickable links. This will make fighting spam increasingly hard; simply blocking all mail from Google’s servers will lead to angry users, and since most of the message will look the same as other legitimate calendar invitations, blocking based on the contents of the message is almost impossible to do. We’ll have to trust the Google’s of this world to tackle this problem on their side of the fence.