Apple iCloud Calendar scam: 1 new attack bypasses filters

A new Apple iCloud Calendar scam is using the company’s official servers to send fake PayPal transaction warnings, bypassing spam filters to trick users into revealing sensitive personal and financial data.

How the Sophisticated Scam Works

Attackers are abusing Apple’s iCloud Calendar invite system to send phishing content directly to users. The fraudulent message, typically a fake PayPal transaction warning, is placed within the “Notes” section of the calendar event.

The invite originates from Apple’s genuine domain, `[email protected]`, making it appear legitimate. Cybercriminals send the initial invite to a Microsoft 365 email address they control, which then forwards it to a large mailing list of targets.

Bypassing Security with Legitimate Services

This method allows the fraudulent messages to bypass most spam filters. A Microsoft 365 feature called the Sender Rewriting Scheme (SRS) helps the forwarded email pass Sender Policy Framework (SPF) security checks, enhancing its appearance of legitimacy.

This technique makes the `[email protected]` scam particularly effective.

The result is an official-looking notification that lands directly in a user’s inbox and calendar. This sophisticated Apple PayPal phishing scam leverages the trust users place in notifications from major tech companies.
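A defender-side triage check for the pattern described above, as an added example that is not from the original article: it flags a message whose calendar part carries a phone number and payment-lure wording in its notes (the iCalendar `DESCRIPTION` field) and records whether the bounce address was SRS-rewritten by a forwarder. The sample message is constructed, and the SRS local-part pattern, keyword list, and threshold are illustrative assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not a real capture); every address and number is a placeholder.
SAMPLE = """\
Return-Path: <list+SRS=AbCd=XY=sender.example=noreply@forwarder.example>
From: Calendar <noreply@sender.example>
Subject: Invitation: Purchase Invoice
Content-Type: text/calendar; method=REQUEST; charset="utf-8"

BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
SUMMARY:Purchase Invoice
DESCRIPTION:Your PayPal account was billed $599.00. To dispute this
  transaction call +1 (555) 010-0199 now.
END:VEVENT
END:VCALENDAR
"""

SRS_LOCAL = re.compile(r"(^|\+)SRS[01]?=", re.I)   # assumed shape of an SRS-rewritten local part
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")       # loose phone-number shape
LURE = re.compile(r"paypal|invoice|billed|transaction|refund|dispute", re.I)

def domain(addr):
    return parseaddr(str(addr or ""))[1].rpartition("@")[2].lower()

def inspect_invite(raw):
    """Return the indicators found in one RFC 5322 message given as text."""
    msg = message_from_string(raw, policy=policy.default)
    bounce = parseaddr(str(msg["Return-Path"] or ""))[1]
    # Forwarded through an SRS rewriter: SPF now vouches for the forwarder, not the sender.
    srs = bool(SRS_LOCAL.search(bounce.rpartition("@")[0])) and domain(bounce) != domain(msg["From"])
    notes = []
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            ics = re.sub(r"\r?\n[ \t]", "", part.get_content())  # unfold iCalendar lines
            notes += re.findall(r"^DESCRIPTION(?:;[^:\r\n]*)?:(.*)$", ics, re.M)
    text = " ".join(n.strip() for n in notes)
    found = {"srs_forwarded": srs,
             "phone_in_notes": bool(PHONE.search(text)),
             "lure_terms": sorted({m.lower() for m in LURE.findall(text)})}
    found["suspicious"] = found["phone_in_notes"] and len(found["lure_terms"]) >= 2
    return found

if __name__ == "__main__":
    print(inspect_invite(SAMPLE))
```

Because the forwarded message passes SPF, the check relies on the invite's content and the rewritten bounce address instead of the authentication result.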

The Scammers’ Ultimate Objective

The scam’s goal is to trick a user into calling a fake support number listed in the calendar event to dispute the fraudulent transaction. Once on the phone, scammers posing as support agents attempt to convince the victim to download remote access software.

The ultimate aim is to gain control of the victim’s device to steal banking information, install malware, or exfiltrate personal data.

How to Stop iCloud Calendar Spam and Stay Safe

To protect yourself, do not open or respond to unexpected calendar invites with alarming claims. You should verify any suspicious claims by logging directly into your official accounts, not by using links or numbers provided in a message.

Users should also use a password manager to create and store strong, unique passwords for each account. It is also wise to check if your email has been exposed in data breaches and change any compromised passwords immediately.

Finally, ensure all operating systems, browsers, and applications are regularly updated to patch security vulnerabilities. Installing and maintaining strong antivirus software on all devices provides another critical layer of defense.
