BleepingComputer warns that cybercriminals are using calendar invites to send phishing links to Wells Fargo customers. Researchers at Abnormal Security discovered this phishing campaign in mid-June, and it has targeted more than 15,000 people.
The attackers are sending emails purporting to come from Wells Fargo that inform the recipient that they need to update their security key or their account will be suspended. The emails contain .ics files (calendar invites) which, when opened, will add an event to the user’s calendar application. This event contains a link to a spoofed Wells Fargo page, where the user will be asked to enter their bank account information.
An ICS file is a calendar file format used by most popular email clients and calendar applications (including Google’s, Microsoft’s, and Apple’s) to share calendar events with other users. Cybercriminals have realized that they can use these files to bypass email security filters and deliver phishing links directly to users’ calendars.
“The scammers also instruct the targets to open the calendar file with their mobile devices to take advantage of the fact that the event included in the .ics file would be automatically added to the victims' calendar,” BleepingComputer explains. “Subsequently, their calendar apps would deliver automatic notifications that the victims would likely click since they're delivered by a trusted app.”
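Because the link sits inside the calendar attachment rather than the message body, a filter has to open the .ics file to see it. The following is an added example, not code from BleepingComputer or Abnormal Security: a sketch of that check which unfolds the event's text fields, extracts the URLs, and flags any whose host is not on an allowlist. The allowlist, the function names, and the sample invite are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this organization accepts for the impersonated brand.
ALLOWED_HOSTS = {"wellsfargo.com"}
LINK_FIELDS = {"SUMMARY", "DESCRIPTION", "LOCATION", "URL"}
URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)

# Constructed sample invite (not taken from the campaign); .example is reserved.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "BEGIN:VEVENT",
    "SUMMARY:Update your security key",
    r"DESCRIPTION:Your account will be suspended.\nVisit https://wellsfargo.com.sec",
    " urity-update.example/key to update.",
    "LOCATION:https://www.wellsfargo.com/help",
    "END:VEVENT", "END:VCALENDAR", ""])

def unfold(ics_text):
    """RFC 5545 folding: a line break followed by space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()

def event_links(ics_text):
    """Return (property, url) pairs found in text properties of VEVENT blocks."""
    found, in_event = [], False
    for line in unfold(ics_text):
        prop = re.split(r"[;:]", line, maxsplit=1)[0].strip().upper()
        if prop in ("BEGIN", "END") and line.upper().endswith(":VEVENT"):
            in_event = prop == "BEGIN"
        elif in_event and prop in LINK_FIELDS:
            text = re.sub(r"\\[nN]", " ", line)          # escaped newline
            text = re.sub(r"\\([,;\\])", r"\1", text)    # escaped , ; \
            found += [(prop, u.rstrip(".,;)")) for u in URL_RE.findall(text)]
    return found

def is_allowed(url):
    """True only if the URL's host is an allowed domain or a subdomain of one."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:
        return False
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)

def suspicious_links(ics_text):
    return [(p, u) for p, u in event_links(ics_text) if not is_allowed(u)]

if __name__ == "__main__":
    for prop, url in suspicious_links(SAMPLE_ICS):
        print(f"flag {prop}: {url}")
```

The suffix match on the parsed hostname is what catches a lookalike that merely begins with the brand's domain, and unfolding first matters because a URL split across folded lines would otherwise be missed.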
Abnormal Security notes that the emails use the common tactic of conveying a sense of urgency to make the user act quickly and without pausing to think. Additionally, most users won’t be expecting to receive phishing attacks through their calendar.
“Financial institutions are always common targets for attackers,” the researchers write. “Access to a user’s sensitive information would allow an attacker to commit identity theft as well as steal any money associated with the account. Many of these companies have stringent regulations and security in order to protect users and their financial holdings. However, attackers are continually finding ways to compromise users’ accounts.”
New-school security awareness training can enable your employees to keep up with new phishing techniques.
BleepingComputer has the story: https://www.bleepingcomputer.com/news/security/wells-fargo-phishing-baits-customers-with-calendar-invites/