A phishing campaign that abuses Google Calendar's invitation feature was recently distributed to users of the service. The same techniques were employed by another Google Calendar-based phishing scam that made the rounds during May and June 2008.
According to a report by Graham Cluley, senior technology consultant for anti-virus vendor Sophos, the scam consists of event invitations that attempt to socially engineer account names and passwords out of unsuspecting users. The invitations originate from e-mail addresses of the form firstname.lastname@example.org (# represents a digit), which have been registered by the scammers specifically for this purpose.
The event is called “DEAR ACCOUNT USER,” and the invitations are addressed to the names users have registered for their e-mail accounts. Often this is a person's real name, which makes the invitation look more credible. Google itself contributes to this effect: the invitations are not forged, but are genuinely sent through the Google Calendar service.
Choosing to view more details takes a user to the calendar event page, which claims to be an alert from Gmail Customer Care informing them that their account has been selected for deletion. “We are having congestions due to the anonymous registration of Gmail accounts, so we are shutting down some Gmail accounts and your account was among those to be deleted.” The message also claims that, in order to avoid having the account closed, a user needs to confirm that they are still using it by submitting their username, password, date of birth, and country.
There are several obvious reasons why individuals should be on the alert when it comes to this e-mail. For one thing, despite the scammers' efforts to increase the credibility of the Google Calendar event invitation, the name displayed for the sender's e-mail address is misspelled: “Customer Varification.” The second thing that should set off alarm bells is the inconsistency and poor grammar of the event description. For example, the message claims that this alert has been sent to all Gmail users, but then goes on to suggest that one has received it because their account was among those selected for removal. Taken literally, this would mean that Google intends to delete all Gmail accounts, which is extremely unlikely.
In addition, users with some online experience should know that Google, or any other major service provider, would never send out e-mails or warnings like these. However, the fact that such campaigns are still in circulation suggests that many don't. Finally, a more subtle piece of evidence is the sender's e-mail address itself. Why would Google have a Customer Service e-mail address that ends in four digits?
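The indicators listed above (a sender address ending in digits, a misspelled display name, a generic greeting, threats of deletion, and a request for a password) translate directly into a simple triage heuristic that a mail or calendar gateway could apply before an invitation reaches a user. The following Python is an added example and is not part of the original article or of Sophos's analysis; the sample invitation is constructed from the details the article quotes, the sender address is a placeholder, and the weights and threshold are arbitrary illustrative choices.

```python
import re

# Constructed sample invitation modelled on the campaign described in the
# article; the sender address is a placeholder, not a real observed address.
SAMPLE_INVITE = {
    "sender_name": "Gmail Customer Varification",
    "sender_address": "customer.care1234@example.org",
    "title": "DEAR ACCOUNT USER",
    "description": (
        "We are having congestions due to the anonymous registration of Gmail "
        "accounts, so we are shutting down some Gmail accounts and your account "
        "was among those to be deleted. Confirm your username, password, date of "
        "birth and country to keep your account."
    ),
}

# Constructed benign invitation for comparison.
BENIGN_INVITE = {
    "sender_name": "Alice Example",
    "sender_address": "alice@example.org",
    "title": "Weekly sync",
    "description": "Agenda: review the Q3 roadmap. Bring your notes.",
}

# Phrases a legitimate provider would not ask for through a calendar event.
CREDENTIAL_TERMS = ("username", "password", "date of birth")
# Common misspellings of "verification" seen in display names.
MISSPELLINGS = ("varification", "verfication", "verificaton")
# Wording that pressures the recipient with account loss.
URGENCY_PHRASES = ("will be deleted", "to be deleted", "shutting down", "account closed")


def score_invite(invite):
    """Return (score, reasons) for a calendar invitation dict.

    Higher scores mean more of the article's phishing indicators are present.
    Weights are illustrative, not tuned on real data.
    """
    reasons = []
    score = 0
    name = invite.get("sender_name", "").lower()
    addr = invite.get("sender_address", "").lower()
    text = (invite.get("title", "") + " " + invite.get("description", "")).lower()

    # Indicator: local part of the sender address ends in a run of digits.
    local = addr.split("@", 1)[0]
    if re.search(r"\d{4,}$", local):
        score += 1
        reasons.append("sender local part ends in four or more digits")

    # Indicator: misspelled "verification" in the display name.
    if any(m in name for m in MISSPELLINGS):
        score += 2
        reasons.append("misspelt 'verification' in sender display name")

    # Indicator: generic greeting rather than a personal one.
    if re.search(r"\bdear\s+(account|user|customer|member)\b", text):
        score += 1
        reasons.append("generic greeting instead of a personal one")

    # Indicator: threat of account deletion or shutdown.
    if any(p in text for p in URGENCY_PHRASES):
        score += 1
        reasons.append("threatens account deletion or shutdown")

    # Indicator: asks for credentials; a password request weighs most.
    asked = [t for t in CREDENTIAL_TERMS if t in text]
    if asked:
        score += 3 if "password" in asked else 1
        reasons.append("requests " + ", ".join(asked))

    return score, reasons


def is_suspicious(invite, threshold=4):
    """True when the invitation's score reaches the (arbitrary) threshold."""
    return score_invite(invite)[0] >= threshold


if __name__ == "__main__":
    for label, inv in (("sample", SAMPLE_INVITE), ("benign", BENIGN_INVITE)):
        s, why = score_invite(inv)
        print(f"{label}: score={s} suspicious={is_suspicious(inv)}")
        for r in why:
            print("  -", r)
```

The scorer is deliberately transparent: each reason string names the indicator that fired, so an analyst or a user-facing warning can explain why an invitation was flagged rather than just suppressing it. Display-name and address checks alone are weak (legitimate senders can have digits in their addresses), which is why the password request carries the largest weight.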
A highly similar phishing scheme that displays many of the same elements was analyzed by Philipp Lenssen on his “Google Blogoscoped” blog on June 26. The same scam was reported by a user on the board of a Google Talk discussion group on May 25. “As with any phishing email you receive on Gmail, you should report it as an attempt to phish information from you, which will help warn the security team at Google and help others,” Graham Cluley advises.