Calendar invite spam
I received some unusual calendar invite spam. In total in consisted of 4 messages :
- a calendar invite
- quickly followed by the cancellation of the invite
- a new calendar invite
- the cancellation of the last invite
Calendar invite spam isn’t that uncommon but compared to the total amount of spam the amount of calendar invite spam is still fairly low.
In this case I found the series of messages (invite – cancel – invite – cancel) unusual. Either the spammer made an error or they just wanted to make sure to get the needed attention from their intended recipients.
Characteristics of calendar invite spam
Some characteristics of the calendar spam invite
- From: “George Rowland” <rowlandgeorge @ yahoo.com>
- Subject: Invitation: ATTENTION, PLEASE TRY TO CONTACT Mr.Kevin green OR CALL HIM REGARDING YOUR $9,000?
- Sent via the Yahoo mail servers
- Invite to calendar.yahoo.com
- Request to submit information to offficefilesettlement @ gmail.com
- Both invites contained 40 recipients, the recipients between both invites were different
- No links or external resources included, the only link in the message was the one to the Yahoo servers for accepting or declining the invite
The message itself looked like this :
Efficiency of calendar spam
I still have to understand what would make this type of spam more efficient than “regular” spam.
From a spammer point of I would think that the success rate might be lower. On the other hand, trying different delivery methods is “good practice” and the amount of effort needed for sending these messages (assuming they use tooling) is relatively low.
- These calendar invites contain the list of other people invited, this list is visible if your scroll through the event (at least for me that’s common habit to check who else is attending an event)
- The chances that any of the other recipients are known to you are fairly low, this should make you have doubts about the legitimacy of the invite (granted, in this case the content of the invite itself was already enough to raise suspicion). Some “normal” spam messages also put all the recipients in the “To” but in a lot of cases you’re the only -visible- recipient
- This particular message required some interaction, no phishing link included