
/ˈpeːtər/, n • Security consultant at Atos • Dutch computer geek • Living together with Christina and father of 3 boys • Opinions are my own • He/him


As on most mornings, I listened to the @SANS_ISC StormCast and did some reading up on Flowspec, which is an interesting BGP feature. I can really recommend listening to it - https://isc.sans.edu/podcast.html

Interesting attack vector I wasn't aware of. Abusing iPhone calendar subscriptions for fake antivirus advertisement - https://srcr.nl/2020/iphone-calendar-abuse

iPhone calendar abuse


I actually fell for this attack, which uses the iPhone calendar to create notifications to get me to click on the link. I wasn't aware of this vector via the iPhone calendar before. I know this is done via Gmail's calendar.

Browsing around a little, I visited a site and got redirected to a web page that gave me a pop-up to update my calendar. I was still lying in bed that morning, so I was not careful with touching the screen and tapped on Allow 😒.

I don't use the iPhone's internal calendar, so I was not too worried. I checked it briefly but didn't see anything right away, so I just parked it in my head as something to look into at a later stage.

Fast forward two days, and in the evening I get the following pop-up:

And I remember allowing the site to add stuff to my calendar. So I decided to check this a little and try to clean up the mess that was still pending. Looking at my calendar, I see 4 reminders that evening and, as you can see in the screenshot below, 10 additional reminders.

I had just updated my iPhone to iOS 13.6, so all known exploits were fixed, and I assumed they were probably not going to waste a zero-day on this 😄.

So clicking the link to ofference.club, I get the kinda normal scare screen and press the Close link.


And I get a pretty decently recreated page to install a VPN app; not sure how that is going to help me with the virus, but who cares 🤷

If you click 'verwijder alle virussen' ('remove all viruses') or wait the 2 minutes, you get redirected to install the following app. And I assume this is where the money is made: if the app gets installed with their affiliate code, they make some money. Interesting detail though: Savestock is not a VPN or antivirus app.


Recovering from this wasn't that big of a deal, although I needed to Google how to remove a calendar subscription.

Tap Settings > Accounts & Passwords > Subscribed Calendars; there you find the calendars you are subscribed to. In this case it is the one called "CLICK SUBSCRIBE...".

And then delete the account.
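The subscription that pushed those reminders is just an iCalendar (.ics) feed that the phone polls, so a quick way to review such a feed before (or after) subscribing is to parse it and look for events that set an alarm (which is what produces the notifications described above) and link to a host you do not trust. The script below is an added example and not part of the original post; it uses only the standard library, and the feed text, hostnames and the trusted-host allowlist are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Matches http(s) links inside free-text calendar fields.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


@dataclass
class CalEvent:
    summary: str = ""
    description: str = ""
    url: str = ""
    has_alarm: bool = False        # VALARM present -> the phone will pop a notification
    links: list = field(default_factory=list)


def unfold(ics_text):
    """RFC 5545 line unfolding: a line starting with SPACE/TAB continues the previous line."""
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_events(ics_text):
    """Minimal VEVENT parser: enough to extract text fields, links and alarm presence."""
    events, current, in_alarm = [], None, False
    for line in unfold(ics_text):
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        name = name.split(";", 1)[0].upper()   # drop parameters, e.g. DTSTART;TZID=...
        comp = value.strip().upper()
        if name == "BEGIN" and comp == "VEVENT":
            current = CalEvent()
        elif name == "END" and comp == "VEVENT" and current is not None:
            events.append(current)
            current = None
        elif name == "BEGIN" and comp == "VALARM":
            in_alarm = True
            if current is not None:
                current.has_alarm = True
        elif name == "END" and comp == "VALARM":
            in_alarm = False
        elif current is not None and not in_alarm:
            text = value.replace("\\n", "\n").replace("\\,", ",")
            if name == "SUMMARY":
                current.summary = text
            elif name == "DESCRIPTION":
                current.description = text
            elif name == "URL":
                current.url = text
    for ev in events:
        ev.links = sorted(set(URL_RE.findall(" ".join([ev.summary, ev.description, ev.url]))))
    return events


def calendar_name(ics_text):
    """Display name of the feed (the X-WR-CALNAME property), e.g. 'CLICK SUBSCRIBE...'."""
    for line in unfold(ics_text):
        if line.upper().startswith("X-WR-CALNAME:"):
            return line.partition(":")[2].strip()
    return ""


def hostname(url):
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split(":")[0].lower()


def audit_feed(ics_text, trusted_hosts=()):
    """Return (event_count, [(summary, untrusted_links)]) for alarmed events linking outside the allowlist."""
    events = parse_events(ics_text)
    flagged = []
    for ev in events:
        bad = [u for u in ev.links if hostname(u) not in trusted_hosts]
        if ev.has_alarm and bad:
            flagged.append((ev.summary, bad))
    return len(events), flagged


# Constructed sample feed: one scare event with alarm and link, one benign alarmed event, one event without alarm.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
X-WR-CALNAME:CLICK SUBSCRIBE...
BEGIN:VEVENT
UID:1@constructed
DTSTART;TZID=Europe/Amsterdam:20200720T200000
SUMMARY:Virus alert
DESCRIPTION:Your iPhone has (3) viruses! Tap https://scam-example.invalid/
 clean now
BEGIN:VALARM
ACTION:DISPLAY
TRIGGER:-PT0M
DESCRIPTION:Virus alert
END:VALARM
END:VEVENT
BEGIN:VEVENT
UID:2@constructed
DTSTART:20200721T090000Z
SUMMARY:Team standup
DESCRIPTION:Join at https://meet.example.com/standup
BEGIN:VALARM
ACTION:DISPLAY
TRIGGER:-PT10M
END:VALARM
END:VEVENT
BEGIN:VEVENT
UID:3@constructed
DTSTART:20200722T090000Z
SUMMARY:Newsletter
URL:https://news.example.org/july
END:VEVENT
END:VCALENDAR
"""

if __name__ == "__main__":
    count, flagged = audit_feed(SAMPLE_ICS, trusted_hosts={"meet.example.com"})
    print(f"feed {calendar_name(SAMPLE_ICS)!r}: {count} events, {len(flagged)} suspicious")
    for summary, links in flagged:
        print(f"  {summary!r} -> {links}")
```

Run against a feed you have saved locally (or fetched yourself from the webcal URL, with the `webcal://` scheme swapped for `https://`). The design choice is to flag the combination of alarm plus off-allowlist link, rather than any link: a legitimate shared calendar routinely contains meeting links, but an event that both fires a notification and sends you to an unknown host is exactly the pattern that produced the pop-ups in this post. The folded DESCRIPTION line in the sample shows why unfolding matters; without it the link would be cut in half and missed.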