419 scams hidden in Google and Yahoo calendar messages


Scammers are always looking for new ways to hide their intentions, both from message recipients and from automated email filters. One new trick Commtouch has started to see recently is the use of calendar-update messages generated from legitimate sites such as Google or Yahoo. Since these messages have to be generated by hand, they only fit certain types of schemes. 419 fraud (trying to steal someone’s money by offering them an easy score) is one such type; spear phishing, fraud messages aimed at one specific recipient, is another that could use this method.

The following sample message was analyzed by Commtouch spam analysts. It is a calendar message generated from Google Calendar, complete with two attached ICS files. ICS is the standard way to store calendar information in a text file for exchange over the Internet; the format (iCalendar) is described in RFC 2445. It is used by iCal on the Macintosh and by the Mozilla Calendar project, and other programs such as Lotus Notes can also generate .ics files for synchronizing calendars. It is a bit unusual to include two ICS files in a single message; perhaps this fraudster simply wanted to make sure he covered all his bases.

Google Calendar Email Message

The ICS file itself also carries the 419 message. Notice that when the ICS file is opened in Outlook it shows the usual “Accept”, “Tentative” and “Decline” buttons, just like a regular calendar invitation, so the scam text arrives with all the trappings of a legitimate meeting request.

Google Calendar Email Message - ICS Attachment

Just to show that scammers are equal-opportunity users of whatever free tools are available, Commtouch also came across similar abuse of Yahoo Calendar. Here is an example:

Yahoo Calendar 419 message

Why would someone go to the trouble of sending out spam manually from Google or Yahoo Calendar? For the same reason someone might send out a scam through Kodak EasyShare or any other well-known legitimate site: they are trying to cloak their evil intentions from both users and email filters. If an email filter blocked all ICS files, or all emails from Google or Yahoo!, it would cause an unacceptably high level of false positives, so the filter has to judge the content of the invitation itself rather than its origin or file type.
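As an added example (not code from the Commtouch write-up), the following Python scanner does what the two points above imply a filter must do: instead of blocking .ics attachments or mail from Google or Yahoo wholesale, it parses each attached iCalendar file and scores the SUMMARY and DESCRIPTION text for 419 indicators. It goes a little beyond the sample in the post by handling the RFC 2445 details a naive grep would trip over: folded continuation lines, escaped commas, semicolons and newlines in TEXT values, and a ':' inside a quoted parameter (as in ORGANIZER;CN="..."). The e-mail, both .ics attachments, the sender address and the indicator list are all constructed for this example; the keyword list is a toy heuristic, not Commtouch's detection logic.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed RFC 2445 invitation with a 419 pitch in DESCRIPTION. The long value is folded
# (a line break plus one space continues the line) and ',' ';' and newlines are escaped.
ICS_PITCH = r"""BEGIN:VCALENDAR
BEGIN:VEVENT
ORGANIZER;CN="Dr. Example":mailto:dr.example@example.invalid
SUMMARY:URGENT BUSINESS PROPOSAL
DESCRIPTION:Dear friend\, I am the barrister to a late foreign contractor wh
 o left US$12.5 million in a bank account with no next of kin. As the benef
 iciary you will receive 30%\; kindly treat this as confidential and contact
  me at once.\nRegards\, Dr. Example
END:VEVENT
END:VCALENDAR
"""
# Constructed benign invitation: ordinary calendar mail must keep flowing.
ICS_BENIGN = r"""BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Weekly team sync
DESCRIPTION:Status round\, then planning for the June release.
END:VEVENT
END:VCALENDAR
"""

def build_sample_message(include_pitch=True):
    """Constructed calendar-notification e-mail carrying two .ics attachments."""
    msg = EmailMessage()
    msg["From"] = "calendar-notification@example.invalid"  # assumed sender address
    msg["Subject"] = "Invitation: URGENT BUSINESS PROPOSAL"
    msg.set_content("You have been invited to an event. See the attached calendar file.")
    msg.add_attachment(ICS_PITCH if include_pitch else ICS_BENIGN, subtype="calendar", filename="invite.ics")
    msg.add_attachment(ICS_BENIGN, subtype="calendar", filename="invite2.ics")
    return msg.as_bytes()

def unfold(ics_text):
    """Undo RFC 2445 line folding: a line starting with a space or tab continues the previous one."""
    lines = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def split_content_line(line):
    """Split 'NAME;PARAM=VALUE:value' into (NAME, value); a ':' inside a quoted parameter is not the separator."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i].split(";", 1)[0].upper(), line[i + 1:]
    return None, None

def unescape_text(value):
    """Undo RFC 2445 TEXT escaping of backslash, semicolon, comma and newline (\\n or \\N)."""
    return re.sub(r"\\([\\;,nN])", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def extract_events(ics_text):
    """One dict of properties per VEVENT, with the human-readable TEXT values unescaped."""
    events, current = [], None
    for line in unfold(ics_text):
        name, value = split_content_line(line)
        if name == "BEGIN" and value.upper() == "VEVENT":
            current = {}
        elif name == "END" and value.upper() == "VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None and name is not None:
            current[name] = unescape_text(value) if name in ("SUMMARY", "DESCRIPTION", "LOCATION") else value
    return events

# Toy indicator list for the example; a production filter uses far richer features than this.
INDICATORS = ("next of kin", "beneficiary", "barrister", "confidential", "business proposal",
              "bank account", "transfer", "foreign", "urgent", "contact me")
MONEY_RE = re.compile(r"(?:US\$|USD|\$|€|£)\s?\d[\d,.]*\s*(?:million|billion)\b", re.IGNORECASE)

def score_419(text):
    """Count indicator phrases and large money amounts in the invitation's text."""
    hits = [phrase for phrase in INDICATORS if phrase in text.lower()]
    if MONEY_RE.search(text):
        hits.append("large sum")
    return len(hits), hits

def scan_message(raw_bytes):
    """Score the events in every text/calendar or .ics part; nothing is blocked by file type or sender."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename() or ""
        if part.get_content_type() != "text/calendar" and not filename.lower().endswith(".ics"):
            continue
        text = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for event in extract_events(text):
            score, hits = score_419(" ".join(event.get(p, "") for p in ("SUMMARY", "DESCRIPTION", "LOCATION")))
            findings.append({"filename": filename, "summary": event.get("SUMMARY", ""), "score": score, "hits": hits})
    return findings
```

Running `scan_message(build_sample_message())` yields one finding per attached event: the constructed pitch in `invite.ics` lights up nine indicator phrases plus the large dollar amount, while the benign `invite2.ics` scores zero. The design point is that the verdict comes from the unfolded, unescaped calendar text, so the same message with only benign invitations passes untouched, which is exactly what blocking all ICS files or all Google or Yahoo mail could not achieve.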

