Synced web calendars can pose an overlooked security risk as attackers use event notifications to spread malicious links, Bitsight reported Tuesday.

Bitsight TRACE revealed insights from its investigation into 390 sinkholed domains that were receiving calendar sync requests from 4 million iOS and macOS devices daily, finding that an abandoned or compromised site could easily be used to push malicious calendar files to subscribed devices.

Some of these abandoned domains originally provided synced calendar subscriptions for legitimate purposes such as tracking German holidays, FIFA sporting events or important religious dates in Islam.

Devices subscribed to these calendars send regular sync requests to the calendar-hosting domains, which respond with .ics calendar files to be added to the user's digital calendar application, such as Google Calendar or iCalendar. Bitsight noted that Google Calendar sends these requests through a proxy, while iCalendar sends them directly from each individual device, which is why Bitsight's sinkhole only counted the number of iOS and Mac devices making the requests.

If an attacker gained control of one of these expired domains, they could respond to these ongoing sync requests with their own .ics files containing malicious content, such as fake security warnings or reward offers that would appear as events on the victim's calendar and possibly as push notifications. Links attached to these calendar events could lead to phishing or malware pages.

Further investigation into specific requests received by the sinkholed domains revealed networks of malicious activity related to calendar syncing subscriptions.
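The mechanism above (a subscribed device fetching an .ics feed, an injected event carrying a link and an alarm that becomes a push notification) is something a defender can audit on the feed itself. The following is an added example, not Bitsight's tooling or code from the report: it parses a constructed .ics feed and flags any event whose links point to a host other than the subscription's own, or that carries a VALARM. The feed URL and hostnames are hypothetical.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
FEED_URL = "https://calendar.example.org/holidays.ics"  # hypothetical subscription URL
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Tag der Deutschen Einheit
URL:https://calendar.example.org/info/unity-day
END:VEVENT
BEGIN:VEVENT
SUMMARY:Security warning: your device is infected
DESCRIPTION:Clean your device now https://not-the-feed.example.net/
 scan?id=123
BEGIN:VALARM
ACTION:DISPLAY
TRIGGER:-PT0M
DESCRIPTION:Reward offer https://not-the-feed.example.net/prize
END:VALARM
END:VEVENT
END:VCALENDAR
"""  # constructed sample: a benign event, then the kind of event a hijacked feed would push

def unfold(ics: str) -> list[str]:
    """Undo RFC 5545 line folding: a line break followed by a space or tab is a continuation."""
    return re.sub(r"\r?\n[ \t]", "", ics).splitlines()

def audit_feed(ics: str, feed_url: str) -> list[dict]:
    """Flag each VEVENT that links to a host other than the feed's own, or that carries a
    VALARM, the component that turns an injected event into a push notification."""
    feed_host, findings, event = urlparse(feed_url).hostname, [], None
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            event = {"summary": "", "foreign_hosts": set(), "has_alarm": False}
        elif line == "END:VEVENT" and event is not None:
            if event["foreign_hosts"] or event["has_alarm"]:
                findings.append(event)
            event = None
        elif event is not None:
            name, _, value = line.partition(":")
            if name.split(";")[0].upper() == "SUMMARY":  # drop parameters such as ;LANGUAGE=
                event["summary"] = value
            elif line == "BEGIN:VALARM":
                event["has_alarm"] = True
            for url in URL_RE.findall(line):  # a link may sit in any property
                host = urlparse(url).hostname
                if host and host != feed_host:
                    event["foreign_hosts"].add(host)
    return findings
```

Run against a feed fetched from each webcal subscription in a device inventory, this turns the "links off the feed's own host" pattern into a reviewable list instead of a surprise notification.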
Bitsight discovered webcal query requests pointing to domains that appeared to trick users into subscribing to calendar or push notifications under the guise of a CAPTCHA prompt. The researchers found these pages to be part of malicious redirection chains originating from legitimate but compromised WordPress sites.

Tracing these domains through indicators of compromise (IoCs) such as SSL certificates with overlapping subjects uncovered more than 1,300 domains and 50 IP addresses tied to the push notification/synced calendar fraud campaign. The pattern of WordPress site injection and redirection to notification scam sites was noted to match the IoCs and tactics, techniques and procedures (TTPs) of Balada injector campaigns.

Traffic to the malicious sites was also found to come from links in PDF files and Android Package Kits (APKs) disguised as popular games, revealing multiple avenues for directing victims to the notification/calendar spam sites.

Synced calendars a potential threat vector for millions of devices





