Spam is annoying enough when it gets through filters and clutters up your inbox. But unwanted, unsolicited junk email is now starting to find its way into some users' calendars, too.
Spammers are now crafting new types of email messages that exploit a feature in Google's email and calendar integration. The feature automatically adds meeting invites to your calendar. The meeting appears as an outline, until you accept it. But it is still added and displayed in your calendar.
Clicking the event description reveals the spam message, which often contain malicious links. The intent from those sending the junk mail hope users will click through to a specially crafted website. Doing so confirms the account the spam was sent to is active, which signals to the sender to add that account to more lists where users will subsequently start receiving more unsolicited emails.
The web page users are taken to after clicking often try to trick people into filling out forms, giving up personal information in the process. On some specially crafted websites, even something innocuous as hovering over an image can initiate malware to be downloaded to your computer or device. In most cases a site installs tracking cookies, which are not malicious but certainly raise privacy concerns.
In a recent interview, a Google spokesperson told ZDNet their terms of service prohibit people from using their services to spread malicious content. They also said they offer warnings of known malicious URLs to those who use their Chrome web browser.
"We remain deeply committed to protecting all of our users from spam," the spokesperson said. "We scan content on Photos for spam and provide users the ability to report spam in Calendar, Forms, Google Drive and Google Photos, as well as block spammers from contacting them on Hangouts."
How to remove spam from Google Calendar
The good news for Google Calendar users is that a simple option can help stop the spam, but still keep most of the functionality. Here's how you can change them in three simple steps.
- Click the Gear at the top of the Google Calendar page and choose "settings."
- Select "Event settings" from the list on the left.
- Change the "Automatically add invitations" option to "No, only show invitations to which I have responded" from the list.
Changing this setting will still add a meeting to your calendar, but only after you accept the meeting invitation. For Gmail users, this can be performed from the subject line without having to open the email.
Calendar spam is not new
While Google Calendar spam is growing, spamming meeting invitations in online calendars is not new. Spammers were able to exploit a similar Apple feature in 2016. Like the Google Calendar spam, a simple iCloud setting change is all that is needed to remedy the loophole. In a case noted by ZDNet, a calendar notification for Ray-Ban Black Friday pricing popped up on some phones and people who clicked the event became victims of credit card theft.
Hackers and spammers are constantly evolving as they attempt to exploit features andpeople use on a daily basis. When it comes to apps and services, free doesn't always mean free.