I've received a bunch of calendar invites for "Free i PhoneXs from AppleStore" with a malicious link. Seems like this is now being used for phishing attacks.
Was having the same problem. Fixed it by disabling automatically adding events from Gmail, according to the Google instructions. I would rather choose what hits my calendar anyway.
I wish you could whitelist instead of just having a black or white option. My SO and parents I can trust to inject events (keeping track of stuff they've planned but I forgot is 90% of my use of Google Calendar honestly) but now that spammers have discovered Calendar as another place to spam/phish it's less hands off.
I'm getting the same spam/events. What's really weird is I'm pretty sure all of these emails are getting sent to spam but gmail/gcal is still adding the events to the calendar.
I can confirm it's being actively exploited this morning (I had a few folks I know complain about it). I think I should point out that the article was written in 2017 (!!!), and Google responded that this is a "feature".
I've been getting a lot more recently - seemingly being added from Gmail spam (either that or I'm getting directly injected calendar spam and the same as emails coming through). I don't want to turn off syncing as actual bookings being automatically added are useful.
I'm wondering about this as well as I've been seeing it for at least a year.
Are the events added before the email is sorted into spam? If so I wish the calendar hook didn't trigger until the email reaches my "real" inbox. But I have no insight into the Gmail lifecycle.
Got some too. What's super weird though, these calendar invites appear to have been sent from my iCloud email address to my gmail address, and also appear in the sent folder of my @me.com address: https://i.imgur.com/tz2TUh5.png
Can anyone else check in your Gmail spam folder whether you have those emails too and where they came from?
In that case, I'm going to hazard a guess that your iCloud email address was actually compromised, and is being used to send it to every address in your contacts.
Same happened to me last night, I reviewed all my access rights on security.google.com, couldn't find anything wrong. Reviewed my calendar access rights, couldn't find anything wrong.
If you go to the website you can mark it as spam. Then all occurrences of events from the same sender will be deleted. However there's nothing to stop spammers from sending multiple separate events from "different" senders...
Hey everyone - Seth here from Google. I'm sorry to hear this is happening. This post is from November 2017, and we've taken steps to reduce calendar spam. If you have specific invitations that came with an email, please forward the entire email to abuse@google.com. If it did not come with an email, please copy the calendar details and a screenshot into an email and send it to abuse@google.com.
If it comes via email and you do not recognize the sender, please also mark them as spam. If you do recognize the sender, please reach out and encourage them to change their password and revoke any third-party apps they might have authorized to use their account.
I've never been able to track down an email and if I do it's from calendar@google.com or something along those lines. These are people somehow inviting you directly through an invite and you never get an email.
I had this happen about 5 times over the last 2 weeks. I've disabled everything I could in all of my calendars now (including Samsung which I missed).
Incredibly frustrating because I can't even BLOCK the person/bot sending this.
Quite sure my account is not compromised, have 2FA and a KeePass password. The invites appear to be sent from my own e-mail address. Is this a separate issue? No third-party access to calendar either.
In the last weeks, I had several events on my Google Calendar that I did not create or accept. They looked like they were in Russian, but I can't be sure. I marked them as spam and deleted them, of course, but the next week a different one appeared. Is anyone else going through the same, and does anyone have any advice?
Same here, and I suspect this article explains the mechanism.
For weeks, I've been getting escalating numbers of events. It is up to 4 or 5 new invites per day, each with daily repeats. My calendar settings are locked down (eg "Events from Gmail" off) and already have 2FA on the account. Next step for me is to delete gmail calendar entirely.
I went to bed last night with a clean calendar, this morning I have 3 spam invites - 2 in Cyrillic alphabet, one "You have won iPhoneXs". Gotta love 3:55 AM wake-up alerts...
Had the same happen, searched around and it seemed to be caused by the Gmail feature that automatically creates events from invitation emails you receive, even if they land in spam. Spammers seemed to be using that to their advantage, so I just turned the feature off.
EDIT: The original article covers this and more, go read it :)
Got hit by this. Super annoying. It's not through email. It just showed up in calendar. There's no way to know the original scheduler and no way to mark it as spam.
There's a variant to this, the calendar event triggered by an event invitation. Again no way to delete it except decline the event. Should have a report spam button in the calendar app.
I second this. It took a while to get to a web interface, and in the meantime, the event and links were large enough in daily / details view to constitute a legitimate mis-tap threat vector.
There has been a fresh wave of folks exploiting it recently (I have had a few people complain in the past 12 hours about calendar spam). Google apparently stands by the fact that it is a "feature".
It is convenient if it's not getting spammed. I use it to passively keep track of things my SO or parents have planned like coming up to visit or other random events. With calendar injection they just show up and I don't have to constantly wade through my over cluttered gmail (side effect of having it for almost 15 years now).
Lots of things are convenient until they are abused. SMTP without SPF or DKIM is convenient if it's not being spammed. HTTP is fine for authentication until it's being eavesdropped on.
There is a middle ground. Allowing random people to plop stuff on your calendar via an API call is not the best idea. I personally have had to tell five different people how to stop this sort of spam, I don't think they'd agree it's convenient.
A Report SPAM button on calendar invites would seem to be in order, so I don't have to manually delete each of these from the same address, and so Google can ban the offending account quickly.
The fact that we now need a spam button on our calendar is ridiculous.
How long until advertisers pay <calendar provider> to add events to our calendars such as take Mom to <restaurant> for Mother's Day, Watch <movie> on its release day, Go To <store> on its grand opening, etc?
(Please take this as a warning, not a "feature" suggestion.)
Kudos to BHIS for the post and detail. I've been seeing these pop into my Google Calendar randomly for the past few weeks; obvious phishing attacks. You can easily delete them of course, but definitely an annoyance.
Same here, mine was from a spam email that hadn't been caught properly by Gmail and was later removed. Really great article, didn't know about the 3 settings which would have stopped me getting the notification as not accepted.
> Oct 31 – Google responds stating it’s a feature and the settings provide users the ability to disable
I mean, I can understand the benefit of the feature. Isn't it impractical though that the only options are everything (including spam/injected events) or nothing? Why even have the feature then if they're not going to provide any mitigation?
Try logging into the firebase console. I had been added to two spam projects there. Filed a support request 2 days ago to get removed from them (as I cannot remove myself) and got a response saying 'we are looking into this'... now silence.
3) Click Event Settings and set "Automatically add invitations" to "No, only display invitations to which I have replied"
Edit: if you want to disable event auto-add from Gmail while you're at it, click Events from Gmail then untick "Automatically add events from Gmail to my calendar"
If you have fully shared your calendar (i.e. to a spouse / partner) then even though they are not displayed for you they are still displayed to your partner.
There remains no decent way to ensure no-one sees the spam.
This is mentioned in the article along with a way for spammers to get around it.
"There is an option that states “No, only show invitations to which I have responded”. This prevents the first method of injecting events from working. However, BHIS found that it is possible to set the target’s response status to “Accepted” using the Google API. This effectively bypasses this security setting."
My bad, it was a little hidden, sentence beginning "There are a few settings that can be set within Google Calendar to prevent events from automatically being added to the calendar".
What I want to know is why the hell did Google ever think this was a good idea? I hardly even use Google Calendar and yet I had a spam notification about an "iPhone X" delivered direct to me.
The most amazing thing about this is only that spammers didn't exploit it earlier. Or maybe they did but kept a lower profile?
It's a convenience thing. Without spam invites it's super nice to have events from friends and family pop up without having to make sure I didn't miss anything.
Friends and family, sure. But why should a random stranger who has never contacted me before be able to place events in my calendar without my consent? Why is that even the default behavior?
The easy fix would just be to change the default behavior to not showing invites from unknown addresses.
I believe API abuse can be reported -- https://support.google.com/code/contact/cloud_platform_repor...
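The allowlist several commenters ask for, together with a check for the "Accepted" status bypass quoted above, sketched as a local triage over exported events. This is an added example, not code from the thread, the article or Google; the field names follow the Calendar API event resource, while the addresses, event ids and the `triage` helper are constructed for illustration.

```python
import re

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def triage_event(event, me, trusted):
    """Return the reasons an event looks injected; an empty list means no flag."""
    organizer = event.get("organizer", {}).get("email", "").lower()
    if organizer == me or organizer in trusted:
        return []
    reasons = ["organizer not on allowlist: " + (organizer or "<missing>")]
    # Locate this account's own attendee entry, if the event has one.
    mine = next((a for a in event.get("attendees", [])
                 if a.get("email", "").lower() == me), None)
    # An "accepted" reply for a stranger's event is what lets an invite get
    # past "only display invitations to which I have replied".
    if mine and mine.get("responseStatus") == "accepted":
        reasons.append("marked accepted for an unknown organizer")
    text = " ".join([event.get("summary", ""), event.get("description", "")])
    if URL_RE.search(text):
        reasons.append("contains a link")
    if event.get("recurrence"):
        reasons.append("recurring")
    return reasons

def triage(events, me, trusted):
    """Map event id -> reasons, for flagged events only."""
    me = me.lower()
    trusted = {t.lower() for t in trusted}
    return {e["id"]: r for e in events if (r := triage_event(e, me, trusted))}

# Constructed sample events (hypothetical ids and addresses).
SAMPLE_EVENTS = [
    {"id": "evt-family", "summary": "Visit",
     "organizer": {"email": "mum@example.org"},
     "attendees": [{"email": "me@example.com", "responseStatus": "accepted"}]},
    {"id": "evt-spam", "summary": "You have won",
     "description": "Claim at http://prize.example/claim",
     "organizer": {"email": "promo@example.net"},
     "recurrence": ["RRULE:FREQ=DAILY"],
     "attendees": [{"email": "me@example.com", "responseStatus": "accepted"}]},
    {"id": "evt-unknown", "summary": "Intro call",
     "organizer": {"email": "recruiter@example.com"},
     "attendees": [{"email": "me@example.com", "responseStatus": "needsAction"}]},
]

if __name__ == "__main__":
    flagged = triage(SAMPLE_EVENTS, "me@example.com", {"mum@example.org"})
    for event_id, reasons in flagged.items():
        print(event_id, "->", "; ".join(reasons))
```
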