Security specialists and network engineers are warning users about a social engineering attack aimed at people who use online meeting applications. Attackers who take over an email or messenger account can generate forged calendar invites in bulk and send them to the account's entire contact list at once. Anyone who follows the link in one of these invites lands on a fake login page, and whatever they type there is recorded by a server the attackers control.
More people use online meeting services now than ever, which makes these attacks particularly concerning. According to one study, Zoom alone logs over 3.3 trillion meeting minutes a year, and that number is likely to grow. Because apps like Slack and Discord only show membership to people who are already inside a server or workspace, it is hard to tell from the outside how many people an attacker can reach through one. That means some users may be targeted with these attacks without many of their coworkers being aware of it.
It’s this concern in particular that has many people in the cybersecurity industry on the edge of their seats.
Leveraging Calendar Invites as an Attack Vector
Attackers have built convincing clones of the calendar invite and meeting-join pages of the popular services they target. Users of online meeting services generally have large contact lists, so anyone who gains control of an account can send a huge number of invites almost instantly. Because they are sent from a real account, these invites appear to come from a legitimate source.
A convincing enough page can persuade recipients to hand over their email credentials, or the credentials for file-sharing services linked to their meeting application. People who work from home often share files through services like Dropbox or OneDrive, and may think nothing of entering their login details into a screen that looks like the real sign-in page. Once an attacker has those credentials, they can upload infected files to the victim's storage and share them with the victim's contacts, who have every reason to trust the source.
To make matters worse, comparatively little work has gone into securing calendar apps against abuse of this kind. Most development effort in the space has gone to unrelated issues that have plagued these apps since they first became popular, and developers already stretched by those problems are now being asked to treat invites as an attack surface.
Patching Calendar Apps Against Social Engineering Attacks
Engineers are finding these problems hard to patch, largely because the attacks exploit trust between people rather than a flaw in the software. In many cases the attack amounts to someone using a hijacked account to ask for login details in an otherwise open chatroom, or to send a link to a fake sign-in page. As long as users never enter credentials into a form that is not served by the provider itself, and treat any unexpected request to log in again as a warning sign, these attacks fail. For that reason, technical staff are focusing on educating users about the danger of sharing credentials.
Individual users who want to do something in the meantime have a few options. Few consumer security products are designed to stop this kind of attack, so they may wish to look at LifeLock alternatives for identity theft protection, some of which offer monitoring features not found in the more popular applications. These help limit the damage after a user has already handed contact or login information to a fraudulent page.
Some may be surprised that people continue to fall for these kinds of schemes in 2021, especially considering how much attention has been paid to them in the past. Bad actors have a new trick up their sleeves, however, that makes it easier to fool even jaded netizens.
Convincing People to Surrender their Details
Once an account has been stolen, attackers can do a fairly good job of impersonating its owner. By registering a domain that uses Unicode characters which look like Latin letters (a Cyrillic "а" in place of a Latin "a", for example, in what is known as an IDN homograph attack), they can make a fraudulent URL look as if it points to the app's own servers, so that even seasoned users may give up their credentials. Browser vendors and domain registries have been tightening how such internationalized domain names are handled, for instance by displaying mixed-script names in their raw "xn--" punycode form rather than as the lookalike text, to reduce the risk of this happening.
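As an added example (not code from this article or from any of the services it names), the Python script below triages the links in a calendar invite the way a mail gateway or a cautious recipient could. It unfolds a constructed .ics invite, extracts every URL, and flags any host that is not on an assumed allowlist of services the organisation actually uses, that mixes scripts inside one label, or that turns into an allowlisted name once Cyrillic look-alike letters are mapped to their Latin counterparts. The allowlist, the small confusables table and the sample invite are all assumptions built for the demonstration; the link check covers the forged-invite vector described earlier on this page, and the look-alike comparison covers the Unicode trick described just above.

```python
"""Triage links in a calendar invite for lookalike hosts (added example)."""
from __future__ import annotations

import re
import unicodedata
from urllib.parse import urlsplit

# Assumed allowlist of meeting/file-sharing hosts the organisation really uses.
ALLOWED_HOSTS = ("zoom.us", "onedrive.live.com", "dropbox.com")

# Hand-picked subset of Unicode confusables: Cyrillic letters that render like
# Latin ones. A real deployment would load the full confusables.txt instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j",
}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def unfold_ics(text: str) -> list[str]:
    """Undo RFC 5545 line folding: a line beginning with a space or tab
    continues the previous line. (Backslash escapes are not handled;
    the sample below does not need them.)"""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def extract_urls(ics_text: str) -> list[str]:
    """Every http(s) URL in the invite, whether in URL:, DESCRIPTION: or elsewhere."""
    urls: list[str] = []
    for line in unfold_ics(ics_text):
        urls.extend(m.rstrip(".,;)") for m in URL_RE.findall(line))
    return urls


def script_of(ch: str) -> str:
    """Approximate a character's script from the first word of its Unicode name."""
    try:
        return unicodedata.name(ch).split()[0]  # 'LATIN', 'CYRILLIC', ...
    except ValueError:
        return "UNKNOWN"


def mixed_script_labels(host: str) -> list[str]:
    """Labels of the host whose letters come from more than one script."""
    return [label for label in host.split(".")
            if len({script_of(ch) for ch in label if ch.isalpha()}) > 1]


def skeleton(host: str) -> str:
    """Replace known confusables with their Latin look-alike so that visually
    identical hostnames compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def is_allowed(host: str) -> bool:
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def analyze_url(url: str) -> dict:
    host = urlsplit(url).hostname or ""
    try:
        punycode = host.encode("idna").decode("ascii")  # what the resolver sees
    except UnicodeError:
        punycode = "<not a valid IDN>"
    sk = skeleton(host)
    impersonates = sk if (sk != host and is_allowed(sk)) else None
    mixed = mixed_script_labels(host)
    reasons = []
    if not is_allowed(host):
        reasons.append("host not on allowlist")
    if mixed:
        reasons.append("mixed-script label(s): " + ", ".join(mixed))
    if impersonates:
        reasons.append("homograph of " + impersonates)
    return {"url": url, "host": host, "punycode": punycode,
            "impersonates": impersonates, "reasons": reasons,
            "suspicious": bool(reasons)}


def triage_invite(ics_text: str) -> list[dict]:
    return [analyze_url(u) for u in extract_urls(ics_text)]


# Constructed sample invite, not a real capture. The first link spells "zoom"
# with Cyrillic 'о' (U+043E); the second hides a lookalike under another domain.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-sample-1\r\n"
    "ORGANIZER;CN=IT Helpdesk:mailto:helpdesk@example.com\r\n"
    "SUMMARY:Mandatory security update meeting\r\n"
    "DESCRIPTION:Join here: https://z\u043e\u043em.us/j/123456789 then confirm\r\n"
    " your account at https://onedrive.live.com.verify-account.example/login.\r\n"
    "URL:https://zoom.us/j/987654321\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for r in triage_invite(SAMPLE_ICS):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['url']} -> {r['punycode']}  {'; '.join(r['reasons'])}")
```

Running it prints one line per link with the punycode form, which is the name the resolver actually looks up, and the reasons the link was flagged. The mixed-script check on its own is not enough: a label written entirely in Cyrillic passes it, which is why the confusable-skeleton comparison against the allowlist is also there.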
In the meantime, users are asked to be vigilant and ask themselves whether someone would actually need a password or other information after they’re already logged into an app.