Cyber criminals have unearthed a new vector of assault to utilize during phishing campaigns. Calendly, a free scheduling app, permits malicious actors to use email to lure the victim to a meeting with the title and link they choose. This increases the authenticity of the phishing email as it seems to come from a legitimate firm.
Earlier this year in February, security analysts at INKY, an email monitoring firm, discovered specific instances where the phishing actors titled the meeting "You have received a new fax document" with an embedded link to "preview" the document. The link instead brought victims to a webpage that looked like a Microsoft site but actually was set up to steal Microsoft account credentials.
The webpage also contained a common methodology employed by attacker in newer phishing campaigns to ensure credentials are free of typos, in which the victim is lured to enter their credentials twice, due to the credentials being "invalid.”
The victim is then sent to the domain of their email address to minimize the likelihood of realizing the compromise and reporting it as phishing. According to INKY, majority of the methodologies employed in this campaign are standard, the use of Calendly has not been previously spotted.
“The app is committed to protecting users against phishing attacks with built-in security tools such as a next-gen web application firewall, anomalous traffic pattern alerts as well as fraudulent IP tracking capabilities,” the Calendly spokesperson stated.
“In this instance, a malicious link was inserted into a customized booking page. Phishing attacks violate our Terms of Service and accounts are immediately terminated when found or reported. We have a dedicated team that constantly enhances our security techniques, and we will continue to refine and stay vigilant to protect our users and combat such attacks.”
Calendly has also detailed a couple of steps that should help users improve their security. The company advises reviewing the sender’s email address and display name. In the attack described by INKY, the email claimed to be sent by Microsoft but came from a non-Microsoft domain. Another red flag would be prompting a user for credentials to copy and send back to their command-and-control (C2) infrastructure.
To protect against credential harvesting, another option is to use a password manager. The use of password manager is a simple method to avoid entering credentials into malicious phishing websites, due to the phishing domain not being the same as the impersonated websites. A password manager will not autofill the password, and will alert the users that the website they're on is not authentic.
