
(ˈpiːtə(r)), n, Dutch Computer geek, Father of 3 boys, Living together with @Chrizzzz. Working as a security consultant at @Atos, CISSP certified, Opinions are my own.


Interesting attack vector I wasn't aware of. Abusing iPhone calendar subscriptions for fake antivirus advertisement - https://srcr.nl/2020/iphone-calendar-abuse

iPhone calendar abuse


I actually fell for this attack, which uses the iPhone calendar to create notifications to get me to click on a link. I wasn't aware of this vector via the iPhone calendar before. I know this is done via Gmail's calendar.

Browsing around a little, I visited a site and got redirected to a web page that gave me a pop-up to update my calendar. I was still lying in bed that morning, so I was not careful with touching the screen and tapped on allow 😒.

I don't use the iPhone internal calendar so I was not too worried, and I checked it briefly but didn't see anything right away, so I just parked it in my head as something to look into at a later stage.

Fast forward two days and in the evening I get the following pop-up:

And I remember allowing the site to add stuff to my calendar. So I decide to check this a little and try to clean up the mess that was still pending. Looking at my calendar, I see 4 reminders that evening and, as you can see in the screenshot below, 10 additional reminders.

I had just updated my iPhone to iOS 13.6, so all known exploits were fixed, and I assumed that they were probably not going to waste a zero-day on this 😄.

So clicking the link to ofference.club, I get the kinda normal scare screen and press Close link.


And I get the pretty decently recreated page to install a VPN app, not sure how that is going to help me with the virus but who cares 🤷

If you click 'verwijder alle virussen' or wait the 2 minutes, you get redirected to install the following app. And I assume this is where the money is made: if the app gets installed with their affiliate code, they make some money. Interesting detail though is that Savestock is not a VPN or antivirus app.


Recovering from this wasn't that big of a deal, although I needed to google to find out how to remove a calendar subscription.

"Tap Settings > Accounts & Passwords > Subscribed Calendars"; there you find the calendars you are subscribed to. In this case the "CLICK SUBSCRIBE..."

And then delete the account.
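For checking what a subscribed calendar actually delivers before trusting it, here is an added example (not code from the original post) that triages an iCalendar (.ics) feed and lists events that combine a link with an alarm or scare wording, the pattern described above. The keyword list, the function names and the sample feed with its `scare.example` host are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# name, optional ;params (quoted values may contain ':'), then the value
PROP_RE = re.compile(r'([A-Za-z0-9-]+)((?:;(?:[^":;]|"[^"]*")*)*):(.*)')
URL_RE = re.compile(r"https?://[^\s\\,;\"<>]+", re.I)
# Assumed keyword list for illustration; tune it to the feeds you actually see.
SCARE_RE = re.compile(r"virus|infected|hacked|protect", re.I)

def unfold(text):
    """RFC 5545 folding: a line break followed by one space/tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def host_of(url):
    try:
        return urlparse(url).hostname
    except ValueError:  # malformed authority such as a broken IPv6 literal
        return None

def triage_ics(text):
    """Return the VEVENTs that carry a link together with an alarm or scare wording."""
    findings, ev = [], None
    for line in unfold(text):
        m = PROP_RE.match(line)
        if not m:
            continue
        name, val = m.group(1).upper(), m.group(3).strip()
        if (name, val.upper()) == ("BEGIN", "VEVENT"):
            ev = {"alarm": False, "scare": False, "hosts": set()}
        elif ev is None:
            continue
        elif (name, val.upper()) == ("BEGIN", "VALARM"):
            ev["alarm"] = True  # the feed itself schedules a notification
        elif (name, val.upper()) == ("END", "VEVENT"):
            if ev["hosts"] and (ev["alarm"] or ev["scare"]):
                findings.append({**ev, "hosts": sorted(ev["hosts"])})
            ev = None
        elif name in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL"):
            ev.setdefault(name.lower(), val)  # first value seen, alarm text included
            ev["scare"] |= bool(SCARE_RE.search(val))
            ev["hosts"] |= {h for u in URL_RE.findall(val) if (h := host_of(u))}
    return findings

# Constructed sample feed (not from the page); scare.example is a placeholder host.
SAMPLE = "\r\n".join([
    "BEGIN:VCALENDAR", "BEGIN:VEVENT", "SUMMARY:Team lunch", "END:VEVENT",
    "BEGIN:VEVENT", "SUMMARY:Your iPhone may be infec", " ted! Tap to clean it",
    "URL:https://scare.example/clean", "BEGIN:VALARM", "ACTION:DISPLAY",
    "DESCRIPTION:Reminder", "END:VALARM", "END:VEVENT", "END:VCALENDAR"])
```

Calling `triage_ics(SAMPLE)` returns one finding, for the second event only; the hosts it reports are what you would block or report.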

Just watched this thorough and detailed video about the various features of . I'm looking forward to this so I signed up. If you also are interested in the game my referral link: https://ashesofcreation.com/r/TPGEMES35L5CC22D or the one in the video. - https://youtu.be/1s82xJnx1EY

"Each individual should feel proud and be authentic regardless of their sexual orientation or gender identity. Let's value the contribution of each individual and take pride in working for a company with diversity as a core value." /credit: @MHPietersen

For anyone using @countercept's Snake malware storage zoo, I've built an interface scale to connect to @abuse_ch's MalwareBazaar - https://github.com/srcr/malwarebazaar-scale

@abuse_ch I'm having a little fight with the bazaar API: I submit a file, get {'query_status': 'inserted'} but samples never show up in your browsable list.