Spam alert in iPhone calendars: What are the risks?

Deborah Salmi 2 Dec 2016

Cybercrooks target iPhone users with annoying iCloud calendar spam.

Unwanted calendar invitations have invaded the calendars of iOS and Mac users for the past week. These messages seem to be targeted to everyone with an iCloud email account via invitations on the calendar. There have also been reports that users of the iCloud Photo Sharing library have received the spam.

The recent wave of spam exploits a weakness in the way Apple calendars process invitations automatically. An incoming invitation is automatically added as an appointment and asks the user to confirm participation in the event, potentially threatening user safety. “Most users likely will understand neither the invitation nor who sent it, therefore will click decline to keep it off their calendar,” said Tony Anscombe, Avast’s senior security evangelist. “Because the calendar system is polite, it notifies the sender of the decline, which confirms to the cybercriminal behind the spam that you took action, meaning your email account is valid and live.”

While this phenomenon isn't new, this latest attack takes it to an extreme. Faced with the rising power of the threat, Apple is taking this problem seriously by promising a solution. Unfortunately, they have no easy way to block unwanted invitations.

Would these unwanted invitations simply pollute the calendars of iCloud and iOS users? Is that the only risk? What are the motivations of the hackers who are at the root of this initiative? “Once a cybercriminal has gained access to a large database of email addresses, understanding which are real and active allows them to target the victim with more specific attacks,” explained Anscombe. “If they have data including encrypted passwords it could validate which ones to attempt to decrypt, reducing the effort required.” 

This type of spam saves considerable time and effort for hackers, and at this time of year, when online shopping is at its height, we wondered how this could benefit the savvy cybercriminal. Anscombe explained:

“It’s likely that some users may click on the link in the calendar invite, with the offer of bargain sunglasses or something similar. Because this week includes Cyber Monday, people may be tempted and not have heard about the spam attack in the media. Clicking the link will open a browser and the page opened may validate the email address is real by using a unique link for each user. Additionally, it could potentially deliver malware or attempt to get an identity and password from the user through a phishing attack. The request to log in with a social media account to see the bargains may trick some unwary victims.”
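The two signals Anscombe describes (a response that is reported back to the sender, and links embedded in the invite) can be checked before anyone touches the invitation. The following is an added example, not code from Avast or Apple: the sample invite is constructed, and `parse_props`, `triage` and `known_senders` are hypothetical names.

```python
import re

# Constructed sample invite (not from a real campaign); reserved example domains only.
SAMPLE_INVITE = """BEGIN:VCALENDAR
VERSION:2.0
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-0001@sender.example
DTSTAMP:20161128T090000Z
DTSTART:20161128T100000Z
ORGANIZER;CN=Deals:mailto:promo@sender.example
ATTENDEE;PARTSTAT=NEEDS-ACTION;RSVP=TRUE:mailto:user@icloud.example
SUMMARY:Bargain sunglasses
DESCRIPTION:Shop now http://shop.example/s?id=8f3a1c
END:VEVENT
END:VCALENDAR
"""

def parse_props(ics):
    """Map property name -> [(params, value)] for iCalendar text.
    Simplified: assumes no quoted parameter values containing ':'."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics)  # undo RFC 5545 line folding
    props = {}
    for line in unfolded.splitlines():
        head, sep, value = line.partition(":")
        if sep:
            name, _, params = head.partition(";")
            props.setdefault(name.upper(), []).append((params, value))
    return props

def triage(ics, known_senders):
    """Report who would be notified by a response and which links the invite carries."""
    p = parse_props(ics)
    method = p.get("METHOD", [("", "")])[0][1].upper()
    organizer = p.get("ORGANIZER", [("", "")])[0][1]
    organizer = re.sub(r"(?i)^mailto:", "", organizer).lower()
    text = " ".join(v for n in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL")
                    for _, v in p.get(n, []))
    unknown = organizer not in known_senders
    return {
        # Accept or decline on a REQUEST is sent back to the organizer.
        "reply_goes_to": organizer if method == "REQUEST" else None,
        "rsvp_requested": any("RSVP=TRUE" in prm.upper()
                              for prm, _ in p.get("ATTENDEE", [])),
        "unknown_organizer": unknown,
        "urls": re.findall(r"https?://[^\s\\,;]+", text),
        # Any response to an unknown organizer confirms the address is live.
        "avoid_responding": method == "REQUEST" and unknown,
    }
```

An invite flagged with `avoid_responding` is one to remove without accepting or declining, and its `urls` are the links not to open.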

How can Apple users protect themselves?

Anscombe's final words of advice: “We recommend that users who receive this type of spam secure their accounts with a new strong password. For Mac users, install an antivirus product such as Avast Free Mac Security which includes protection for phishing attacks while also detecting and stopping the link from being opened.”

Users can also disable the auto-add calendar feature from their iCloud account. Go to Notifications > Calendar in the Settings app.
