Abusing iCloud Calendar invites to send emails is a new method for attackers to bypass email spam filters and deliver callback phishing scams directly to inboxes. This technique leverages legitimate features of Apple’s iCloud service. The phishing emails, which appear to be payment receipts for a large sum, are sent from “noreply@email.apple.com” and successfully pass standard email security checks like SPF, DMARC, and DKIM. The scam works by creating an iCloud Calendar invite with the phishing message placed in the notes section, and then sending the invitation to a mailing list controlled by the scammer. This mailing list then forwards the invite to the actual targets, with the email appearing to come from Apple’s trusted servers.
The core of the scam is a classic callback phishing scheme, where the goal is to scare the recipient into calling a provided phone number. The email claims a significant amount has been charged to their PayPal account, and it offers a “support” number to “discuss” or “cancel” the payment. The sense of urgency and fear of a fraudulent charge is designed to make the target act without thinking. The phone number, however, connects the user directly to a scammer.
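As an added defender-side example (not code from the original article), the following Python check applies the two signals described above to a constructed invite: a callback number combined with payment/urgency wording in the event notes, and delivery through a mailing list rather than direct addressing. The header names, addresses and amounts in the sample are assumptions for illustration only.

```python
import email
import re
from email import policy

# Constructed sample (not a real message): an iCloud-style calendar invite whose
# notes carry the callback lure, relayed through a mailing list to the real target.
SAMPLE_EML = """\
From: noreply@email.apple.com
To: relay-list@example.invalid
X-Original-To: victim@example.invalid
List-Id: relay-list.example.invalid
Authentication-Results: mx.example.invalid; spf=pass dkim=pass dmarc=pass
Content-Type: text/calendar; charset=utf-8; method=REQUEST

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Payment receipt
DESCRIPTION:$599.00 has been charged to your PayPal account. To cancel
  the payment call support at +1 (800) 555-0100 immediately.
END:VEVENT
END:VCALENDAR
"""

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")  # loose callback-number pattern
LURE_RE = re.compile(r"\b(charged|payment|paypal|invoice|receipt|cancel|call)\b", re.I)

def unfold_ics(text):
    # Join iCalendar folded lines (line break followed by a space or tab).
    return re.sub(r"\r?\n[ \t]", "", text)

def invite_findings(raw):
    """Detection labels for a raw message carrying a calendar invite (SPF/DKIM/DMARC ignored: here they pass)."""
    msg = email.message_from_string(raw, policy=policy.default)
    ics = next((unfold_ics(p.get_content()) for p in msg.walk()
                if p.get_content_type() == "text/calendar"), None)
    if ics is None:
        return []  # not an invite, out of scope for this rule
    m = re.search(r"^DESCRIPTION:(.*)$", ics, re.M)
    notes = m.group(1) if m else ""
    findings = []
    # A phone number plus two or more payment/urgency words in the event notes.
    if PHONE_RE.search(notes) and len({w.lower() for w in LURE_RE.findall(notes)}) >= 2:
        findings.append("callback-lure-in-notes")
        if "apple.com" in (msg["From"] or ""):
            findings.append("trusted-sender-carrying-lure")
    # Invite arrived through a list rather than being addressed to this mailbox.
    orig_to = msg["X-Original-To"] or ""
    if msg["List-Id"] or (orig_to and orig_to not in (msg["To"] or "")):
        findings.append("relayed-via-mailing-list")
    return findings
```

A benign invite that merely arrives through a list gets only the relay label, so the lure-in-notes signal is what should drive quarantine or user warning.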
When a target calls the provided number, a scammer on the other end will attempt to further manipulate them. They often try to convince the victim that their account has been compromised and that they need to take immediate action to secure it. This action often involves the scammer asking the victim to download and run remote access software. By doing so, the victim unknowingly grants the scammer control over their computer.
Once the scammer has remote access, the consequences can be severe. In past similar scams, this access has been used for various malicious purposes, including stealing money directly from bank accounts, deploying malware to compromise the computer further, or exfiltrating sensitive personal data. The seemingly harmless act of calling a “support” number can escalate into a full-blown security and financial nightmare.
The effectiveness of this particular phishing campaign lies not in a new type of lure, but in the sophisticated delivery method. By abusing a legitimate feature and a trusted sender (Apple), the scammers add a layer of credibility to their emails, making it more likely for the messages to bypass spam filters and be opened by the recipient. This method highlights the need for users to be vigilant and cautious, even when an email appears to be from a well-known and reputable company. If an unexpected calendar invite or a strange message appears, it is always safer to treat it with extreme caution and verify the information through official channels rather than calling a number provided in the email.