Spammers are abusing the preferential treatment Google affords its own apps to score free passes through Gmail's spam filters, it was claimed this week.
The ad giant greases the wheels so that incoming messages involving Google Calendar and other Big-G apps slide through the filters and appear in Gmail inboxes, to ensure stuff generated and shared via its applications isn't silenced by its own webmail product.
This situation, according to Kaspersky bods this week, is being exploited by scam artists to lob spam, phishing pages, and links to malware-flinging websites at netizens, in some cases without triggering Gmail's defenses.
"The spammer’s main task is to bypass the spam filter and deliver email to your inbox," Kaspersky analyst Maria Vergelis helpfully reminded us. "As it happens, Google services often send email notifications to Gmail inboxes — and Google’s antispam module avoids flagging notifications from its own services as spam."
Because Google usually allows these kinds of notifications through, scammers have found they can schedule a load of events in Google Calendar, inviting Gmail users en masse, and, when the set time draws near, generate a wave of reminders that include spam, phishing links, and so on, at least some of which slips through Gmail's filters.
For example, the scammer could send a block of Gmail users a Calendar invite whose description consists of a link to a fake banking site. Rather than catch and filter out the e-nasty, Gmail would let the notification through and, when the person clicked the link, they would land on the phony bank page. If the recipient has Calendar set to automatically accept invites, they would even get a pop-up notification of the spam message.
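The invite-driven trick above is easier to spot at the mail gateway if you look past the trusted notification headers and into the attached iCalendar body itself. The following is an added example, not Kaspersky's or Google's code: it unfolds a constructed .ics invite, pulls out the organizer and any URLs in the event text, and flags the invite when the organizer's domain is untrusted and the text links to hosts outside an allow-list. All domains and the link are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample invite (placeholder domains, not a real message).
SAMPLE_ICS = """BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
ORGANIZER;CN=Promo:mailto:promo@unrelated-sender.invalid
SUMMARY:Your account needs verification
DESCRIPTION:Confirm your details at http://bank-login.example.invalid/verify
  before the deadline.
END:VEVENT
END:VCALENDAR
"""
URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)

def unfold(ics):
    """Join RFC 5545 folded lines (continuations start with space/tab)."""
    lines = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_event(ics):
    """Properties of the first VEVENT, keyed by upper-cased property name."""
    props, in_event = {}, False
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            in_event = True
        elif line == "END:VEVENT":
            break
        elif in_event and ":" in line:
            name, value = line.split(":", 1)
            props[name.split(";", 1)[0].upper()] = value
    return props

def assess_invite(ics, trusted_domains):
    """Flag an invite from an untrusted organizer whose text carries links
    to hosts outside the trusted set (an illustrative heuristic, not Kaspersky's)."""
    ev = parse_event(ics)
    organizer = ev.get("ORGANIZER", "").lower().replace("mailto:", "")
    org_domain = organizer.rsplit("@", 1)[-1]
    text = ev.get("SUMMARY", "") + " " + ev.get("DESCRIPTION", "")
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(text)]
    external = [h for h in hosts if h not in trusted_domains]
    return {"organizer_domain": org_domain, "external_links": external,
            "suspicious": org_domain not in trusted_domains and bool(external)}
```

Run it on the raw `text/calendar` MIME part of an invite notification; the verdict is a triage signal to combine with sender reputation, not a standalone block decision.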
It is not only Calendar that is being gamed by scam artists. Vergelis noted that Google Photos is also a popular method for evading filters. In that case, the spam would either be placed within the image file or its description – for example the image could be a picture of a check and the description would be instructions on how to claim it, which would typically involve handing over personal information for nothing in return.
Again, thanks to Google's overly slick sharing features, the recipient would get a notification in their Gmail inbox that they had a shared photo waiting for them, and the spam itself would be delivered without being troubled by a filter. Additionally, Kaspersky's team said Google Forms is being used to serve up fake surveys that harvest personal information, and Google Drive is being abused to host phishing pages, malware, and ad pages.
Even Google Analytics is being turned into a tool for criminals. Vergelis said her team reported seeing businesses targeted with visitor statistics PDF files containing the spammer's links or information. In short, pretty much any Google service that integrates with Gmail can and will be abused to get as much spam into your inbox as possible, and the same goes for other services like Facebook and Twitter that allow users to send each other event notifications.
"The main problem is that messages sent through a legal service are assigned its standard headers, so spam filters often view them as harmless," Vergelis explained. "And spam subjects vary widely, so interception requires a high threshold level in the spam filter, which can lead to excessive false positives. Spammers take advantage of this to exploit public services for their own purposes."
In response to Kaspersky's findings, a Google spokesperson provided the Russian antivirus biz the following statement, which was shared with El Reg:
"Google’s Terms of Service and product policies prohibit the spreading of malicious content on our services, and we work diligently to prevent and proactively address abuse.
"Combating spam is a never-ending battle, and while we've made great progress, sometimes spam gets through. We remain deeply committed to protecting all of our users from spam: we scan content on Photos for spam and provide users the ability to report spam in Calendar, Forms, Google Drive, and Google Photos, as well as block spammers from contacting them on Hangouts.
"In addition, we offer security protections for users by warning them of known malicious URLs via Google Chrome's Safe Browsing filters." ®