A credential harvesting campaign spotted by INKY in late February attempted to lure its victims to Calendly, a legitimate and free online calendar app.
Cybercriminals who specialize in phishing attacks like to redirect people to real websites as much as possible. Using such sites lends an air of legitimacy to the scam, increasing the chances of tricking recipients. In a report on Thursday, email security provider INKY describes a recent phishing campaign that took advantage of the calendar app Calendly to harvest sensitive account credentials from unsuspecting victims.
INKY discovered the campaign towards the end of February. The people behind it inserted malicious links into event invitations sent through Calendly. One reason the criminals may have chosen Calendly is that the site lets users create free accounts without entering credit card or payment information. Another is that users can customize Calendly’s invitation pages, which gives scammers a place to insert their links.
To launch the campaign, the attackers sent phishing emails from various hacked accounts. Some 64 INKY customers checked their inboxes only to find these emails with a message of “new documents received” and a link to allegedly view these documents. Clicking the link would then take the recipient to an event invitation on Calendly.
The event invitation included a link called Document Preview. And this is where the scam became dangerous. Clicking this link would have taken the user to a webpage that looked like a Microsoft site, but was actually set up to steal Microsoft account credentials.
Taking the bait, INKY researchers clicked on the link and entered a fake username and password on the phishing site. The first attempt triggered an invalid password error, a known tactic where the user is told that their credentials are invalid, but those credentials are actually collected behind the scenes. A second attempt to enter credentials did not trigger the same error, but simply redirected the user to their own company’s website as listed in their email address.
In response to INKY’s findings, Calendly sent a statement to TechRepublic explaining how its app was targeted and what security methods it uses to thwart certain types of attacks.
“Security is a top priority at Calendly,” said a Calendly spokesperson. “Like other major technology providers, we have an extensive network of tools and systems, such as a next-generation web application firewall, fraudulent IP tracking and abnormal traffic pattern threat alerts. We also recommend customers add an extra layer of protection with a password manager and two-factor authentication. In this case, a malicious link was inserted into a personalized booking page. Phishing attacks violate our Terms of Service and accounts are terminated immediately when discovered or reported. We have a dedicated team that constantly improves our security techniques, and we will continue to refine and remain vigilant to protect our users and combat such attacks.”
For this campaign, the attackers used a variety of underhanded tactics:
- Brand impersonation. Impersonating a brand like Microsoft adds familiarity.
- Credential harvesting. Victims think they are signing in to a legitimate site but are actually handing their credentials to the attackers.
- Compromised email accounts. Attackers send from legitimate, hijacked email accounts to bypass security gateways.
- Dynamic redirect. Scammers use the domain of the victim’s own email address to redirect them to their own company’s website after the credentials are captured.
Recommendations to thwart an attack
To help protect you and your organization against this type of phishing attack, INKY offers the following tips:
- Always review the sender’s email address and display name. In the attack described by INKY, the email claimed to be sent by Microsoft but came from a non-Microsoft domain.
- Always hover over a link to see its actual destination. Although calendly.com is a legitimate and safe site, you don’t normally go there to see a Microsoft notification.
- To defend against credential harvesting, one option is to use a password manager. These tools compare the URL of the page you are on with the URL stored alongside each saved login. If the two do not match, the password manager will not fill in the credentials. In this case, the URL of the phishing site impersonating Microsoft would not have matched the Microsoft URL stored in the password manager, so nothing would have been auto-filled.
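The three checks above can be automated for mail triage. The following is an added example written for this article, not INKY’s or Calendly’s code: it flags a sender whose display name claims Microsoft but whose address is on another domain, flags links in a Microsoft-themed message that lead somewhere else (such as a calendly.com booking page), and models the password manager’s origin comparison. The brand domain list, sender addresses and URLs are constructed assumptions for the demonstration.

```python
"""Defensive triage heuristics for the Calendly-hosted credential phish (constructed example)."""
from urllib.parse import urlsplit

# Assumed legitimate domains for the impersonated brand; extend for other brands.
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "microsoftonline.com", "live.com"}}


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); good enough for the .com hosts used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def claimed_brand(text: str):
    """Return the brand a display name or subject line claims, if any."""
    return next((b for b in BRAND_DOMAINS if b in text.lower()), None)


def sender_mismatch(display_name: str, from_addr: str) -> bool:
    """Tip 1: display name says 'Microsoft' but the address is on a different domain."""
    brand = claimed_brand(display_name)
    if brand is None:
        return False
    return registrable(from_addr.rsplit("@", 1)[-1]) not in BRAND_DOMAINS[brand]


def off_brand_links(brand: str, links):
    """Tip 2: in a message themed as a brand notification, list links that leave the brand's domains."""
    return [(text, href) for text, href in links
            if registrable(urlsplit(href).hostname or "") not in BRAND_DOMAINS[brand]]


def password_manager_would_fill(stored_url: str, page_url: str) -> bool:
    """Tip 3: a manager fills only when the saved origin (scheme + exact host) matches the page."""
    s, p = urlsplit(stored_url), urlsplit(page_url)
    return p.scheme == "https" and (s.scheme, s.hostname) == ("https", p.hostname)


def triage(display_name: str, from_addr: str, subject: str, links):
    """Return the reasons a message matches the campaign pattern; an empty list means none fired."""
    reasons = []
    if sender_mismatch(display_name, from_addr):
        reasons.append("display name claims a brand but the sender domain differs")
    brand = claimed_brand(display_name + " " + subject)
    if brand:
        for text, href in off_brand_links(brand, links):
            reasons.append(f"'{text}' link leads to {urlsplit(href).hostname}, not a {brand} domain")
    return reasons


if __name__ == "__main__":
    # Constructed sample resembling the lure: 'new documents received' with a Calendly link.
    for r in triage("Microsoft", "jane@compromised-firm.example", "New documents received",
                    [("View documents", "https://calendly.com/constructed-invite")]):
        print("FLAG:", r)
```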