Cybercriminals are scheduling fake meetings in people's calendars - here's why


If you receive a calendar invite to view new fax documents, be careful - it’s most likely a phishing attack, attempting to obtain your identity and login credentials for your corporate accounts.

The warning comes from cybersecurity researchers at INKY, who detailed the phishing campaign, first detected toward the end of February 2022.

It all starts with a hijacked email account: the attackers use the compromised identity to send out a message containing an invitation to “view newly received documents” via a link.


Calendly hacked?

On the surface, it is a Calendly calendar link. INKY believes Calendly was most likely used because anyone can create a free account without needing to enter their credit card details.

Here’s where the plot thickens. Calendly’s invite pages are customizable. That allowed crooks to create a fake fax document notification, with all of the usual fax attributes (number of pages, or file size, for example), after which they used the Add Custom Link feature to insert a malicious link on the event page. 

Clicking on the “preview document” link takes the victim to the credential-harvesting page. In this particular example, the page is an impersonation of Microsoft. Hovering over the link shows where it really leads, though: https://dasigndesigns[.]com/ss/updation/index.html, a hijacked site listed in Google, Firefox, and Netcraft threat feeds, INKY notes.

Should the victim enter their login credentials here, the credentials would end up with the attackers, while the victim would see an error message claiming an incorrect password was entered. After the second attempt, the victim would be redirected to their own domain, something the researchers described as a “clever touch” that minimizes suspicion.

INKY, in this example, was redirected back to inky.com.
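A detection sketch for the flow described above, added here as an example and not taken from INKY's report or this article's sources: it scans web-proxy records for a user who opened a Calendly page, then sent at least two POSTs to a host outside their own domain and was bounced back to their own domain. The record layout, log lines, domain names and the assumption that the bounce appears as an HTTP 3xx response are all constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy-log records (not from INKY's report):
# (user email, method, URL, HTTP status, Location header or "")
SAMPLE_LOG = [
    ("ana@corp.example", "GET", "https://calendly.com/fax-team/new-fax", 200, ""),
    ("ana@corp.example", "GET", "https://harvest.example/ss/index.html", 200, ""),
    ("ana@corp.example", "POST", "https://harvest.example/ss/login", 200, ""),
    ("ana@corp.example", "POST", "https://harvest.example/ss/login", 302, "https://corp.example/"),
    ("bob@corp.example", "GET", "https://calendly.com/sales/demo-call", 200, ""),
    ("bob@corp.example", "POST", "https://sso.corp.example/login", 302, "https://corp.example/home"),
]

def host_in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def find_bounce_backs(records, scheduler="calendly.com", min_posts=2):
    """Return (user, host) pairs that match the flow in the article."""
    seen_scheduler = set()      # users who opened a scheduling page
    posts = defaultdict(int)    # (user, host) -> POSTs seen so far
    hits = []
    for user, method, url, status, location in records:
        host = (urlsplit(url).hostname or "").lower()
        own = user.rsplit("@", 1)[-1].lower()   # the user's own mail domain
        if host_in_domain(host, scheduler):
            seen_scheduler.add(user)
            continue
        if method != "POST" or host_in_domain(host, own):
            continue            # skip non-POSTs and the user's own sign-in hosts
        posts[(user, host)] += 1
        target = (urlsplit(location).hostname or "").lower()
        # Second (or later) POST answered by a redirect to the user's own domain
        if (user in seen_scheduler and posts[(user, host)] >= min_posts
                and 300 <= status < 400 and host_in_domain(target, own)):
            hits.append((user, host))
    return hits

if __name__ == "__main__":
    for user, host in find_bounce_backs(SAMPLE_LOG):
        print(f"review: {user} posted twice to {host}, then bounced to own domain")
```

A redirect performed by script in the page rather than by a 3xx response would not appear in the Location field, so that variant needs a different signal, such as the next request's referrer.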

Sead Fadilpašić
