Google Blogoscoped


Google Calendar Phishing  (View post)

Ionut Alex. Chitu [PersonRank 10]

Thursday, June 26, 2008
11 years ago4,253 views

<< It was sent with a layout that looked very official, and it even had an actual event from my calendar listed in the information (grayed out in the screenshot in the top right). Now this one was a bit more peculiar, because who else but Google would know my private calendar events? >>

That information is displayed by Google so you can make an informed decision.

<< It got my name right... might be just luck, as my name is included in my mail address. >>

The name is also displayed by Google when you send invitations using Google Calendar. This is the standard format of an invitation from GCal:

[Invitation] Event Name @ Event Date (Event Sender)

And the invitation includes:

<Your Name>, you are invited to
<Event Name>

<Event Date>
<Event Location>
Calendar: <Calendar Name>

<Event Details>
More event detailsĀ»
Will you attend?

Philipp Lenssen [PersonRank 10]

11 years ago #

[Edit: to clarify what happened, I added one sentence describing that I was then added to this event as guest which caused the event invite to be sent by Google.]

Tony Ruscoe [PersonRank 10]

11 years ago #

I guess it's kind of related to this: ...

Shelly S [PersonRank 0]

11 years ago #

There are a couple of minor typos/grammatical errors that set off my internal alarms. While it's always possible for someone at Google to make errors of that nature, phishers almost always do.

Ionut Alex. Chitu [PersonRank 10]

11 years ago #

<< a couple of minor typos/grammatical errors >>

There are a lot of things that should make you realize that the mail is not from Google.

* the mail is sent from *[put at-character here]
* there's no Gmail customer care
* it's stupid to send a calendar invitation to verify an account
* Google has other ways to verify if you use an account
* Google wouldn't randomly close accounts
* Google wouldn't ask for your password

Ianf [PersonRank 10]

11 years ago #

Philipp-the-carnivore wrote:
> BBQ at Susans place

Who's Susan? ;-))

(As for the so-called "Invitation".... the grammatical errors are a dead giveaway something's fishy here.)

Juha-Matti Laurio [PersonRank 10]

11 years ago #

Nice to see that Google is aware (we hope that they are aware of!) via Gmail's anti-phishing feature.

Mysterius [PersonRank 10]

11 years ago #

It always puzzles me when phishers spend so much time and ingenuity plotting their dastardly methods...

... and then fail to spell/grammar-check. What gives?

MichaelR [PersonRank 0]

11 years ago #

So what are these typo's then exactly ?
(Yup, i am not American..)

Lode [PersonRank 0]

11 years ago #

What is the phising here? How would they get your password if you accept the invitation?

Philipp Lenssen [PersonRank 10]

11 years ago #

> What is the phising here? How would they get your
> password if you accept the invitation?

It is not meant to look like an invitation per se, I think – rather, the invitation approach is just a trick. What they actually expect you to do is hit the reply button and then fill out the user name and password (and more) in the reply, as text in the blanked fields. Ionut says "it's stupid to send a calendar invitation to verify an account" but the point is that users may not necessarily understand that it's an invitation in the first place if they do not read through all of the email: rather, they may skim over the email and read the "you are invited to VERIFY YOUR ACCOUNT" bit as just another way of saying "please verify your account" (not as in "approve this event").

Naturally, just skimming over an email and not checking it in detail should never be done if you provide a password, and in fact, you should not provide any password at all in an email reply or by hitting the link to a site through an email. But phishers don't phish for very security aware people, they fish for those who don't know about phishing...

Mograham [PersonRank 0]

11 years ago #

Thank you for sending a warning for all who use Google. Very thoughtful and considerate. You never know, in a weak moment, when you might answer such a request. There is a certain amount of natural curiosity in all of us.
Thanks again.

This thread is locked as it's old... but you can create a new thread in the forum. 

Forum home


Blog  |  Forum     more >> Archive | Feed | Google's blogs | About


This site unofficially covers Google™ and more with some rights reserved. Join our forum!