Google investigating security problems that can affect 1.5 billion Gmail and Calendar users
Google has finally warned people about scams and other phishing schemes affecting Google Calendar and Gmail users all over the world. The issues were noticed back in June, when criminals started abusing a default Gmail Calendar feature to affect applications and launch credential-stealing campaigns.
At the time of writing, Google has not fixed the issue, and Calendar users are left with functionality problems that lead to specific scam campaigns such as "Your iPhone Xs is ready for PickUp".
Right now, it seems that Google is taking the issue more seriously. However, further investigation is needed before any action is taken, and an in-depth analysis is required before preventative measures and security protections can be put in place. After all the researcher and user reports, Google responded to the spam campaigns and security issues, stating:
"We're aware of the spam occurring in Calendar and are working diligently to resolve this issue. We'll post updates to this thread as they become available."
It all started back in 2017
Now that the company is getting involved, the issue may finally be fixed, but it has been a long time coming. Because the security problem has been known for a while, sensitive information could have been obtained by fraudsters or even criminals. The possible threat was spotted by researchers at Black Hills Information Security back in 2017, and Google has not addressed it until now.
By hiding behind the Google name, the scammers behind this campaign can trick victims into revealing personal or other valuable details such as banking credentials. The number of victims may keep growing until the needed actions are taken, especially given the number of Gmail and Calendar users known to date.
Unfortunately, even though these campaigns are called email spam or scam attacks, there are more questions about their particular purposes and possible results. The problem is tied to the state of security at Google and can lead to breaches or more serious issues. Targeted attacks carried out by cybercriminals or even terrorists could be set up to infect the devices of government institutions.
The functionality of the sophisticated Google Calendar scam
Scammers are misusing the automatic Gmail Calendar feature that adds events and sends notifications to the user. The planned emails deliver invitations and reminders alongside the main message. When the invitation is received, the victim sees a popup notification on the smartphone.
The fake message announces a particular prize or contest, so the victim is more eager to open the received email and visit the provided link. This social engineering-based campaign shows messages on mobile devices and other machines, so it can affect a variety of computers and phones.
You can stop Gmail from running through all your emails and adding events automatically by altering the Event settings of your Google Calendar. This will also help you eliminate scams such as "Your iPhone is ready for pickup".