Why You’re Going to Have to Start Filtering Your Calendar Invitations

Sometime in November, Apple users began receiving unwanted calendar invitations on their devices. These invitations featured “amazing savings” and discounts on a variety of popular products. They were, of course, spam messages — akin to those you’d find in an email inbox.

But this “calendar spam” is different than the usual phony email offer you’d receive in your inbox. For one, users would suffer more invitations if they actively rejected an invitation. The reason for this is simple: rejecting an invitation lets the spammer know a user is actively monitoring a targeted account — a ripe target for more spam. What’s worse, as The New York Times reports, is the fact that putting an end to this deluge of spam requires multiple steps and some knowledge of cloud accounts and permissions. This, likely, won’t be the last time we see new spamming techniques.

Welcome to the new and improved version of spam, where abusers get instant feedback from targets and targets get unceasing invitations to a variety of hoaxes via email, on social media and, now, in their calendars. This evolution has been long in the making. Let’s take a quick look at why.

Spammers know that, in most cases, email filters are advanced enough to detect and remove scams from a victim’s inbox. The days of copying and blast-emailing from lists on the Dark Web, for the most part, are over. Instead of sending emails, spammers are using two tools to better advertise their illicit goods: social media and built-in connectivity tools.

Spam has a strong presence on social media. Creating a fake account, whether on Facebook or Twitter, is fairly easy. Actors can then use a variety of social engineering techniques to either sucker users into spreading fake news or deals, or simply compromise an account. If successful, these attacks can be difficult to stop. A compromised account can help spammers directly relay illicit messages through chat and messenger applications. Users tricked into spreading fake content, either by liking or messaging, can make a similar impact. Regardless, both techniques are troublesome, as the illicit content spreads from trusted friends or family.

But social media spamming is detectable and therefore blockable. Artificial intelligence can filter out quick-to-spread spam posts. As The Next Web notes, verification methods, such as requiring new users to enter a code sent over text messages, can cut down on the number of fake accounts a spammer can create.

This, likely, has pushed spammers to exploit built-in connectivity tools. Built-in connectivity tools are small programs allowing users to easily connect through an off-site server like iCloud. If you back your photos up to the cloud, sync calendar invitations through the internet or use a similar service, you use built-in connectivity tools. By abusing these tools, spammers leveraged a new method of reaching victims.

In this case, according to MacWorld, abusers exploited an email-related feature on iCloud, allowing the spam invitations to be set as recurring events that would repeatedly surface. Users would unwittingly exacerbate this problem by rejecting invitations, alerting spammers that eyes were on their messages and could, potentially, be tricked into accepting a phony invitation.

As of now, Apple is actively working on a fix for this exploit. Of course, it is not the only organization that will need to do so — built-in connectivity tools are becoming increasingly common and susceptible to exploits. So what should you do if you encounter one of these messages? How can you block these messages while still accepting legitimate invitations?

The solutions can be a bit involved. You can find guides from Gizmodo here, Ars Technica here and 9-to-5 Mac here. But the elements to blocking calendar spam is simply this:

  • Do not interact with the notice. Accepting, rejecting or actively considering a spam invitation is an invitation for more spam. If you see one of these messages in your calendar, do not interact with it in any way.
  • Log into iCloud, and turn off in-app notifications. Go to icloud.com and log into your Apple ID account on a desktop or laptop computer. Find the calendar web application, and click on the “Settings” gear icon located in the lower left corner of the screen. Click on “Preferences” and then the “Advanced” icon at the top of the pop-up screen. Under the “Invitations” section, select “Email to” and save. Congratulations, you’ll have blocked this attack method.

To block the bad invitations, but keep receiving the legitimate, do this:

  • Create a fake calendar in the Calendar application. Open your Calendar application on any device and create a new calendar (you can do this by going to the “Edit” tab or tapping on the “Edit” button on your device). Create a new calendar and label it as “spam filter,” or something similar.
  • Open Spam invitations. Go to the spam invitations in your Calendar application and change the invitation’s “category.” You can do this by either tapping on the invitation and looking for the “Calendar” tab underneath the invite, or for the color-coded category button located next the invitation’s title. Select the calendar you just created.
  • Delete “Spam” Calendar. Now for the best part: go to “Edit” and click or press on “Delete.” You should, in theory, be free of spam invitations, as this method doesn’t let the spammer know if you’ve accepted or declined the invitation. If you do receive more spam invites, simply repeat the steps above or turn off your iCloud Calendar invitation entirely.

And that’s that. This likely isn’t going to be the end of this spamming method. As always, there are a few tips you should keep in mind:

  • Never accept invitations or offers from strangers online. For one, accepting them encourages them to send you more. For another, they can link to malicious websites built to load your computer or device with malicious software. Either ignore them or delete them.
  • Great deals are often too good to be true. Special deals just for you often are not. In fact, they could very likely be hoax in disguise. Remember the old adage: if it’s too good to be true, it probably is.
  • Always have some form of security on your devices. As a matter of insurance and protection, it pays to have a comprehensive security solution, like McAfee LiveSafe™ on all of your devices. Comprehensive security solutions can help block malicious websites, monitor your devices for malware and generally keep you safe online.
Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.


More from Internet Security

Back to top