Do you use Google's Gmail and/or Google Calendar? Do you ever get calendar invites sent to you from customer service for any reason?
A recent discovery by Sophos' Graham Cluley reveals a message sent in the form of a Google Calendar invite that is totally bogus. The message is a poor attempt at phishing that invites you to attend a fake event. Not only was this message found to be illegitimate, but it also stands out like a sore thumb with its multiple misspellings, including the sender's name, "customer varification". Yes, that is how they spelled "verification", with two a's.
The sender does do one thing well: the calendar invite looks identical to a real Google Calendar invite message. Other than that, it is obvious that a message sent from firstname.lastname@example.org is not actually from Google's Customer Service. Don't you think they would have used an actual google.com address, i.e. email@example.com? Maybe this is a case where a "hacker goes wrong", or maybe he is partying a little too hard for this New Year's party.
Below are the images of the phishing message
[images source: sophos.com]
The above Google Calendar Phishing message reads like the following:
THIS Email is from Gmail Customer Care and we are sending it to every Gmail Email User Accounts Owner for safety. we are having congestions due to the anonymous registration of Gmail accounts so we are shutting down some Gmail accounts and your account was among those to be deleted.We are sending you this email so that you can verify and let us know if you still want to use this account.
Later we find out that this message's ultimate goal is to obtain your personal information by asking that you respond with your Google username, password and date of birth. Furthermore, the phishing message does not take you to a phishing website or malicious web page, as you might expect a phishing message to do. You land on the Google Calendar site, but if you are not bright enough to notice that this message is fake from the get-go, then you may make the mistake of sending your personal information to an (obviously drunk or stupid) hacker.
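The tells described above (a Google claim from a sender that is not at google.com, a request to reply with credentials, delivery as a calendar invite) can be checked mechanically on the raw message. The following Python is an added example, not code from Sophos or from this post; the sample message, its header values and the `TRUSTED_DOMAINS` set are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the invite described above (placeholder addresses).
SAMPLE = """\
From: "customer varification" <firstname.lastname@example.org>
Subject: Invitation: account verification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

THIS Email is from Gmail Customer Care. Your account was among those to be
deleted. Reply with your username, password and date of birth.
--b1
Content-Type: text/calendar; method=REQUEST; charset="utf-8"

BEGIN:VCALENDAR
METHOD:REQUEST
END:VCALENDAR
--b1--
"""

BRAND = re.compile(r"\b(gmail|google)\b", re.I)
SECRETS = re.compile(r"\b(password|passcode|date of birth)\b", re.I)
TRUSTED_DOMAINS = {"google.com"}  # assumption: sender domains accepted for the brand


def phishing_signals(raw: str) -> list[str]:
    """Return the names of the heuristics that fire on one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    parts = list(msg.walk())
    text = " ".join(
        p.get_payload(decode=True).decode("utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain"
    )
    claimed = " ".join([name, msg.get("Subject", ""), text])
    signals = []
    # The message claims to speak for Google, but the sender domain is not Google's.
    if BRAND.search(claimed) and domain not in TRUSTED_DOMAINS:
        signals.append("claims-google-but-foreign-domain")
    # Asking the recipient to send secrets back is the whole point of this phish.
    if SECRETS.search(text):
        signals.append("asks-for-credentials")
    if any(p.get_content_type() == "text/calendar" for p in parts):
        signals.append("calendar-invite")
    return signals
```

A calendar part alone is normal; it is the combination with the other two signals that is worth quarantining or flagging for review.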
In the past, phishing attempts have been much more sophisticated. It just so happens that someone may fall for this trick and become this attacker's latest victim, but it sure isn't going to be you, because you can spell "verification" correctly.