SANS ISC: SANS Internet Storm Center

Malicious Calendar Subscriptions Are Back?

Published: 2021-09-17
Last Updated: 2021-09-17 09:09:15 UTC
by Xavier Mertens (Version: 1)

Did this threat really disappear? This isn’t a brand new technique to deliver malicious content to mobile devices, but it seems that attackers have started new waves of spam campaigns based on malicious calendar subscriptions. Being a dad, you can imagine that I have always done security awareness with my daughters. Since they use computers and the Internet, my message has always been the same: “Don’t be afraid to ask me, there are no stupid questions and no shame if you think you did something wrong”.

A few days ago, my youngest one came to me and told me she had the impression that her iPhone was hacked. After a quick check and reassuring her, I swapped my dad's cap for the handler one and had a deeper look.

She told me that a pop-up was displayed on the screen and that she clicked on “OK” too quickly. It was an unwanted calendar invitation, and she had subscribed to a spam feed. Her calendar quickly became flooded with events.

They are in French but easy to understand. They pretend to notify you about viruses found on the device and, using reminders, they keep the pressure on the victim.

If you visit the proposed link, you'll get more annoying ad pages, etc. This time, hopefully, nothing very malicious, but given the latest iOS vulnerabilities[1], this technique could be used to deliver exploits. To get rid of all those messages, you just need to unsubscribe from the calendar.

In conclusion, always carefully read all pop-ups displayed on your mobile phones (and obviously on any type of device!).

[1] https://support.apple.com/en-us/HT212807

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant