Threat Actors Exploit Calendar Subscriptions for Phishing and Malware Delivery

For many people in the professional world, digital calendars are an essential time-management tool. To stay synchronized, multiple people or organizations often share an external digital calendar through a third-party calendar service that distributes events as calendar files, such as the .ics files used by the iCalendar app. This is common practice and not inherently insecure, but creative threat actors have learned to turn these calendar subscriptions into new attack vectors, requiring a new level of diligence from users.

There are many potential sources of third-party calendar subscriptions. Beyond business use, some game services deliver calendar files reminding users of in-game events or promotions. This opens a new form of social engineering: by impersonating one of those sources, a threat actor can induce a user to accept a calendar subscription. The .ics files reference active domains hosted on external servers, an intended feature used to keep multiple calendars synchronized. Once the calendar is subscribed, the device keeps making automatic sync requests to that domain, so cybercriminals can push content to users through an ongoing subscription without any further approval, simply by modifying the .ics file delivered during each sync. This allows malicious social engineering content to reach users through their calendars. In a proof of concept developed by researchers at BitSight, a test .ics file was created and pushed to a test calendar. By modifying the file across syncs, the researchers were able to push alert messages resembling legitimate communication to the target device, containing links that could lead to malicious content.

According to the researchers, this attack works best against Apple iCalendar applications. This is because Google Calendar proxies its sync requests, whereas iCalendar does not. This potentially allows threat actors to use constant sync requests as a way to track user activity and geolocation on Apple devices. While this is a relatively new phenomenon, researchers have tracked similar activity going back at least as far as 2022. Users should be aware of the third-party calendars they are subscribed to and be on the lookout for potential calendar fraud.
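As an added example (not code from the post or from BitSight), the script below audits a subscribed .ics feed the way a defender reviewing the subscriptions described above would: it unfolds the file, collects every host the feed syncs from (SOURCE) or links to (URL, DESCRIPTION), and flags any host not on an assumed allowlist. The sample feed and the allowlist are constructed for the example.

```python
# Added example (not BitSight's or the post's code): audit a subscribed .ics
# feed for the hosts it syncs from or links to. Sample feed is constructed.
import re
from urllib.parse import urlparse

ALLOWED_HOSTS = {"calendar.example.org"}  # assumed: hosts your org has vetted

# Constructed sample: a subscribed feed whose event carries an outbound link.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
SOURCE;VALUE=URI:https://calendar.example.org/feed.ics
BEGIN:VEVENT
UID:1@constructed.example
DTSTART:20240101T090000Z
SUMMARY:Security alert: verify your account
DESCRIPTION:Your account was locked. Visit https://login-verify.example.net/re
 set to restore access.
URL:https://login-verify.example.net/reset
END:VEVENT
END:VCALENDAR
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def unfold(text: str) -> list[str]:
    """Join RFC 5545 folded lines (continuations start with a space or tab)."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def external_hosts(ics_text: str) -> dict[str, set[str]]:
    """Map every host referenced in the feed to the properties mentioning it."""
    found: dict[str, set[str]] = {}
    for line in unfold(ics_text):
        # Property name precedes any ';' parameters and the ':' value separator.
        name = line.split(":", 1)[0].split(";", 1)[0].upper()
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname
            if host:
                found.setdefault(host, set()).add(name)
    return found

def unvetted_hosts(ics_text: str) -> set[str]:
    """Hosts the feed pulls from or points to that are not on the allowlist."""
    return {h for h in external_hosts(ics_text) if h not in ALLOWED_HOSTS}
```

Running `unvetted_hosts` over each feed a device is subscribed to, on a schedule, surfaces a subscription whose synced content starts pointing somewhere new.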
