How Google Calendar can be a spammer’s best friend

Last week, we explained how a feature designed to make Google Calendar easier to use can tip off your boss that you plan to ask for a raise. In short, putting some valid addresses in the subject line of your calendar—as part of, say, a reminder to "e-mail [email protected] to demand a pay raise"—automatically adds the reminder to the calendar associated with the boss' address.

None of that is new, but given the continuing risk of inadvertently leaking sensitive data to bosses, spouses, or others, it was worth repeating. After all, Google engineers have no plans of changing the behavior. It is similarly worth remembering that the behavior is regularly exploited by spammers as a means to get their messages in front of live bodies. Just paste a single message into the body of a calendar entry, fill in as many addresses as possible into the subject line, and voila, the message will pop up as a reminder on desktops and smartphones all over the world.

The image below depicts one of the scams currently circulating over Google Calendar. Again, it's not a new threat, and it's not always limited to Google's service. Similar scams have long plagued users of Microsoft's Outlook as well. Still, the image is a reminder of why you can't automatically trust something just because it's entered into your calendar.

Read on Ars Technica | Comments