Careful! That calendar notification could be loaded with malware - here's how to stay safe

News
By published

Calendar invitations should be treated as emails, researchers say

Calendar page pinned in a calender on date business meeting schedule
(Image credit: Shutterstock/ACTS_DATA STOCK)
  • Calendar subscriptions can be hijacked, injecting phishing links or malware into user schedules
  • Bitsight found 347 domains affecting around 4 million devices, mostly in the United States
  • Not a bug, but risky functionality; users must manage subscriptions carefully

A convenient feature in popular calendar applications can be abused to trick people into clicking on malicious links or giving away sensitive information, researchers are saying.

Most popular calendar apps allow users to subscribe to external calendars, allowing third parties, such as businesses or organizations, to add events directly into the subscribers’ schedule. That can be pretty much anything, from discounts and sales events to public events, holidays, and more.

However, if a business shuts down, or their domain expires, the calendar subscription does not expire with it. If a cybercriminal manages to obtain the domain, they can add events directly into people’s calendars, including links to phishing pages, or sites hosting malware. The same goes for businesses whose infrastructure was hijacked or hacked into.

Risky business

This is according to security researchers Bitsight who claim this is a real problem, currently affecting around four million devices, as the attacks abuse the trust people have in different brands and organizations.

“Our research began with a single domain that we sinkholed, recording 11,000 unique IP addresses per day,” the experts said.

“This domain functioned as a server for a subscribed calendar that distributed German public and school holiday events, and that got our attention. Why would a domain for German holidays, with .ics files, be available?”

They ended up discovering 347 domains, including FIFA 2018 events, Islamic Hijri calendars, and others, connected to approximately four million unique IP addresses, most of which were located in the United States.

Bitsight stresses that this is not a vulnerability or a bug in the calendar apps. It is merely a functionality that inherently comes with risks, and as such, they should be managed by the end users. They also said that the four million possible targets is a severe understatement, since it only covers a fraction of the iPhone ecosystem and doesn’t even include Android.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.