Spammers use Google Calendar to relay messages

Spammers are using Google Calendar to send spam meeting invites, according to two security companies.

The invitations are actually Nigerian advance-fee or lottery scams, experts said. The email invites are personalized, with a different link sent to each user, which makes URL-based filtering difficult.

“The invite comes in email as if to schedule an appointment,” Fred Touchette, senior security analyst for message security firm AppRiver, told on Thursday. “If you click [to] accept, it is added to your calendar and gives the spammers another opportunity to get at you again.”

The invitation is delivered as an .ics file, which could easily exploit a person's computer for malware, Touchette said.

It is difficult to discern the spam invitation from a valid one because the difference in the subject header is subtle, experts say.

In addition to Google Calendar - which is part of Google Apps - being used as a spamming vector, the junk mail is unusual because of the large volume sent so far.

According to anti-virus firm BitDefender, there is usually a testing phase to determine response rate first.

“While the spam was sent in large numbers, its relevancy is from the social engineering technical standpoint,” Vlad Valceanu, head of anti-spam research BitDefender told on Thursday. “It gains a lot of more traffic and credibility because it was sent by Google, a reputable source.”

This could increase the risk of infection, he said.

“People tend to believe in messages coming from Google,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.