New Spam Vectors for Apple Users: Calendar and Photos Invites

Update: Response from Apple
According to iMore, Apple is aware of the issue and has issued an official statement:

“We are sorry that some of our users are receiving spam calendar invitations. We are actively working to address this issue by identifying and blocking suspicious senders and spam in the invites being sent.”

I’m still hoping that they give us a method to mark and report these invitations as spam, but hopefully it won’t be as necessary, going forward.


Spam: it’s not just for email anymore! And we aren’t talking about canned meat from Austin, MN.

In our modern technological age, we are used to dealing with unwanted “spam” in our email inbox. Offers to sell you discount goods, re-grow your hair, get you to the top of the search engines, and increase the size of your… well, you get the idea. Most of it is pretty easy to spot. Spammers send millions of emails in the hopes of getting a tiny fraction of a percentage to click. Most email providers and client apps provide some kind of spam filtering, so that the majority never makes it to your inbox. But the spammers get wise to the filtering, and are always looking for new ways to get their message in front of your eyes. Recently, they have been using SMS text messaging. Updates to iOS added the ability to block and report text spam.

We move, they move…
Just like a game of chess, the game keeps changing. And now Apple iCloud users have a new attack vector to guard against: invitations to Calendar events and Photos sharing. The ingenious part of these calendar invite spam attacks is that (depending on your settings… see below) you don’t ever see an email, so it doesn’t go through any spam filters at iCloud or your mail client, and there is no way to mark it or report it as spam.

iOS Calendar Spam Invitation


I first became aware of the issue when my wife received a Calendar invite for a sale on popular brands of designer sunglasses. The invitation sender name is in Chinese (?), and it was sent to a list of other random iCloud.com addresses that she did not know. It is obviously spam. Her gut instinct was to “decline” the invitation, hoping it would go away. Unfortunately, that does not get rid of the unwanted invitation. It still shows up on your calendar as a declined event. There is no way to delete the unwanted event from your calendar, because you don’t “own” the event. Or is there?

Calendar Spam Declined

Declined event stays in your calendar.

I did some searching online and it turns out that a lot of people are seeing this kind of spam, as well as invites to share photos with similar spam advertising URLs. There are a couple of tricks to deal with calendar spam. This article on 9to5mac was helpful.

First, don’t accept or decline the invitation, as this just lets the sender know that they have reached a real account, and that a real person has viewed it. It may result in more spam. But either way, this is how you can get rid of the event from your calendar. Create a new calendar (call it “Spam” or whatever you want), then move the event to that calendar. Finally, delete the temporary calendar and the event will go away as well.

The other thing you can do is log into iCloud.com (from a desktop browser), go to Calendar, then click the gear in the lower left and choose Preferences. On the Advanced tab, change the Invitations option to receive event invitations as emails instead of in-app notifications. This will send the invite to your email first, where it can be marked as spam. If you receive a lot of [legitimate] calendar invitations, this may be an inconvenience.

iCloud Calendar Advanced Prefs

The advanced section of the iCloud.com calendar preferences.
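Once invitations arrive as email, they can be inspected before anyone responds to them. The following is an added example, not code from this post or from Apple: it assumes the emailed invite carries the event as iCalendar (RFC 5545) text, and it checks for the traits of the spam described above (an unknown organizer, an attendee list made up mostly of strangers, and an advertising URL in the event text). The function name, the sample invite, and the 50% threshold are all assumptions.

```python
import re

MAILTO = re.compile(r'mailto:([^\s;,"]+)', re.I)
URL = re.compile(r"https?://\S+", re.I)
TEXT_PROPS = {"SUMMARY", "DESCRIPTION", "LOCATION", "URL"}

# Constructed sample invite; every address and URL is a placeholder.
SAMPLE_ICS = """BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-0001@example.invalid
SUMMARY:Designer sunglasses sale
DESCRIPTION:Up to 80% off today only at http://shop.exam
 ple.invalid/deal
ORGANIZER;CN=Unknown Sender:mailto:promo@example.invalid
ATTENDEE;PARTSTAT=NEEDS-ACTION:mailto:stranger1@example.invalid
ATTENDEE;PARTSTAT=NEEDS-ACTION:mailto:stranger2@example.invalid
ATTENDEE;PARTSTAT=NEEDS-ACTION:mailto:me@example.invalid
END:VEVENT
END:VCALENDAR
"""

def triage_invite(ics_text, my_address, known_contacts):
    """Return the list of spam indicators found in one iCalendar invite."""
    known = {a.lower() for a in known_contacts} | {my_address.lower()}
    # RFC 5545 folds long lines: a line break followed by space/tab continues the line.
    lines = re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()
    method, organizer, attendees, text = "", None, [], []
    for line in lines:
        head, _, value = line.partition(":")
        name = head.split(";")[0].upper()  # property name without its parameters
        if name == "METHOD":
            method = value.strip().upper()
        elif name in ("ORGANIZER", "ATTENDEE"):
            found = MAILTO.search(line)
            if found and name == "ORGANIZER":
                organizer = found.group(1).lower()
            elif found:
                attendees.append(found.group(1).lower())
        elif name in TEXT_PROPS:
            text.append(value)
    reasons = []
    if method == "REQUEST" and organizer not in known:
        reasons.append("unknown-organizer")
    strangers = [a for a in attendees if a not in known]
    if attendees and len(strangers) / len(attendees) > 0.5:  # threshold is an assumption
        reasons.append("attendees-mostly-strangers")
    if URL.search(" ".join(text)):
        reasons.append("url-in-event-text")
    return reasons
```

An invite that trips two or more indicators is a good candidate for the mail client's spam action rather than an Accept or Decline response.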

From my research, at this point, there is not much that can be done about spam that comes in as a shared Photos invite. If you know of a solution, feel free to share it in the comments. Hopefully Apple will address these new attack vectors in a security update to Photos, macOS, and iOS, and allow us to block and report offending spammers. The cat and mouse game continues.

“Each game of chess means there’s one less,
variation left to be played.”
– Tim Rice, Chess

 


Also published on Medium.


Shawn – Senior System Engineer

Shawn is a highly skilled developer with many years of FileMaker and IT experience supporting Mac and Windows systems.

Comments

  1. Shawn – my wife just received the sunglasses spam invite today. In the process of getting rid of it now thanks to your write up!

  2. I accidentally DECLINED the invites and received two of them. What else can I do? I already logged in to my iCloud and followed your advice.

    • As far as I know, there is no way to undo a response to an event. My wife and I have both received a few others since that first one. I just keep adding a “spam” calendar, moving the spam event to it, and deleting the calendar… which deletes the event as well. No way to stop them from coming in, but at least we don’t have to look at them anymore.

  3. This would be great advice — if it worked. Unfortunately, one can’t move an invite from calendar to calendar unless you accept it first. You’ll get the message “Only organizers can make changes.” Accepting the invite first rather defeats the purpose…

    Not sure why the author didn’t test this before publishing this.

    • Mike,
      Actually the author (me) did test it, and it does work for me. In fact, I just did it again today. The 9to5mac article referenced gives the same advice. Not sure why it isn’t working for you. I see you have a gmail address… is that your iCloud account as well? I wonder if there is some extra complexity because of the 2 platforms? I would check and make sure that you are making and moving to a new iCloud calendar, rather than a gmail calendar.
      Good luck!
      -Shawn

  4. Just got two of these spams today, and I have been looking for a way to stop it. Once Apple became a marketing company rather than a computer company, the user experience has declined for me. I feel like my phone has become more of a way to compile information about me, than it is a useful tool. The music player now can’t play a song without at least trying to access the network, and now spammers have a back door into my calendar and photo app. The convenience of having a connected device doesn’t seem worth it for the privacy invasions that occur.

    • Today’s connected devices are very complex with many features that make our lives easier. If you want to look at everything with a paranoid point of view, every little data transmission will seem fishy. The music player is probably doing something innocent like updating the played count for devices connected to your iCloud account. I’m just guessing.
      Spammers are annoying and will exploit something that is a convenience for most. I would expect a future update from Apple to address the calendar and photos concerns.
      I guess I don’t share your view that Apple is a “marketing company” – they have made their stance on data privacy and security very clear. Whenever possible, they don’t want your data. This is in stark contrast to certain other technology companies. ;^)
