Spammers are using Google
Calendar to send spam meeting invites, according to two security companies.
The invitations are actually Nigerian advance-fee or lottery scams, experts said. The email invites are personalized, with a different link sent to each user, which makes URL-based filtering difficult.
“The invite comes in email as if to schedule an appointment,” Fred Touchette, senior security analyst for message security firm AppRiver
, told SCMagazineUS.com on Thursday. “If you click [to] accept, it is added to your calendar and gives the spammers another opportunity to get at you again.”
The invitation is delivered as an .ics file, which could easily exploit a person's computer for malware, Touchette said.
It is difficult to discern the spam invitation from a valid one because the difference in the subject header is subtle, experts say.
In addition to Google Calendar - which is part of Google Apps - being used as a spamming vector, the junk mail is unusual because of the large volume sent so far.
According to anti-virus firm BitDefender
, there is usually a testing phase to determine response rate first.
“While the spam was sent in large numbers, its relevancy is from the social engineering technical standpoint,” Vlad Valceanu, head of anti-spam research BitDefender told SCMagazineUS.com on Thursday. “It gains a lot of more traffic and credibility because it was sent by Google, a reputable source.”
This could increase the risk of infection, he said.
“People tend to believe in messages coming from Google,” he said.