This strikes me as more of an awareness problem than anything else. If a calendar invite sent me to login to a banking site, I’d delete it immediately…:
Researchers have once again spotted crooks using calendar invitations to mount phishing attacks. The Cofense Phishing Defense Center found the attack in enterprise email environments protected by Proofpoint and Microsoft, it announced last week.
The phishing scam uses iCalendar, which is a media type that lets users store and exchange calendaring and scheduling information, including events and tasks. iCalendar files are usually delivered with an .ics extension. The company found the attackers using this file with the subject “Fault Detection from Message Center,” from a sender with the display name Walker. It came from a legitimate account belonging to a school district, indicating that the attackers were using a compromised email. That enabled them to bypass email filters relying on the DKIM and SPF technologies that authenticate sending domains.
When the victim opens the .ics file, it proposes a calendar entry displaying the URL, along with a message saying that it is from a security center. The web page behind the URL is hosted on Microsoft’s SharePoint site, and displays another link to a phishing site hosted by Google that appears to show a Wells Fargo login page.
Victims gullible enough to cooperate must submit their login details, PIN and account numbers, along with their email credentials. Doing so hands the attackers the keys to the kingdom. The phishing site will then send them to the legitimate Wells Fargo website to quell any suspicion.