I sat down at my multi-screen iMac on Black Friday, just like I do every day. There was something odd on the screen: a notification informing me that the “Ray Ban Black Friday price is online today.”
This was… unexpected. I’m pretty familiar with the notifications I get on my Macs, and I’ve never gotten an ad before. I took a quick look at the Notifications panel in System Preferences and didn’t see anything that seemed like it would generate an ad.
Yes, Calendar was shown as a notification item, but I disregarded it because I never use Apple’s Calendar. I’m so invested in Google Calendar that I don’t think I ever opened the program prior to discovering this issue.
My first thought was that it was related to Safari, but Safari was closed. So rather than continue to fumble around in the dark, I turned to that source of all knowledge on the Internet. No, not Google. Social media. I posted a quick message on Twitter and Facebook, along with the above screenshot of the notification.
I got a lot of replies. It turns out I’m not alone in getting what I’ve come to know as notification spam. Apparently, it’s possible for spammers to email a calendar invite and something (I’m still not completely sure of the mechanism) then puts that invite into the macOS calendar. According to some of my correspondents, the same thing happens with iOS. I don’t use the iOS calendar, either, so I didn’t see it in iOS.
One of our own ZDNet columnists confirms the iOS behavior: “I got the same thing on my iPod Touch and the only thing I use it for is listening to music and audiobooks. Weird.”
As I mentioned above, I’m not sure how that invite made it into my calendar. I don’t use iCloud and I don’t use Apple’s mail program, so unless there’s something going on in the background (part of why I was hoping for an Apple reply), invites sent to my email inbox should never reach Apple’s calendar. I can sort of prove that because I have a whole lot of events in my main Google Calendar, none of which show up on the Apple Calendar page.
Here’s the item, set as a reminder, in my macOS Calendar app.
As the following image shows, the calendar invite was sent as spam to a list of email addresses.
The domain shown in the link (rb-home) was registered just last month. Worse, in my conversations on Facebook, I was informed by one friend that he has a friend who ordered from that site, which resulted in the theft of his credit card. Obviously, it’s never a good idea to order from a random spammer, but that person’s experience goes to prove that this sort of notification spam is not just a nuisance, but also malicious.
During my discussions, social media correspondents told me that Apple’s Photos app is also subject to unprotected sharing invites, which also result in spam. As one person told me, turning off sharing isn’t an option, because members of the same family regularly share photos.
How to fix the problem (sort of)
It’s not clear that there’s a permanent fix for the problem, but the fine folks on Facebook and Twitter have sent me to a few articles that make some suggestions, at least for the calendar spam problem.
In a very helpful article, a site wonderfully named The Dangling Pointer describes how to turn off calendar invites in iCloud. 9to5Mac shows a method for disabling the calendar spam issue in the Calendar app itself, but goes on to say, “But for iCloud Photo Sharing spam, there’s not much you can do.”
Because I don’t use Apple Calendar at all, I went into the Notifications settings on both my Mac and my iPhone and turned off all the Calendar notifications. That won’t prevent the items from showing up in the calendar, but they won’t show up in my notification area.
By the way, don’t hit Decline for a notification. That will only confirm to the spammer that you’re out there.
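The spam invite described above has a few visible traits: an unknown sender, a long recipient list, a link in the event text, and a Decline button that reports back to the sender. The following added example (not from the original article) checks a saved .ics invite for those traits using only the Python standard library; the sample invite, its placeholder domains, the threshold, and the function names are constructed for illustration.

```python
import re

# Constructed sample invite; all addresses and domains are placeholders.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "METHOD:REQUEST", "BEGIN:VEVENT",
    "SUMMARY:Black Friday price is online today http://shop.example/deal",
    "ORGANIZER;CN=Promo:mailto:promo@spam.example",
    "ATTENDEE;RSVP=TRUE:mailto:a@victim.example",
    "ATTENDEE;RSVP=TRUE:mailto:b@victim.example",
    "ATTENDEE;RSVP=TRUE:mailto:c@victim.example",
    "ATTENDEE;RSVP=TRUE:mailto:d@vic", " tim.example",  # folded content line
    "END:VEVENT", "END:VCALENDAR",
])
URL_RE = re.compile(r"https?://[^\s\\,;]+", re.I)

def split_line(line):
    """Split 'NAME;PARAM=..:value' at the first colon outside double quotes."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ":" and not quoted:
            name, *params = line[:i].upper().split(";")
            return name, params, line[i + 1:]
    return None

def triage_invite(ics_text, known_senders=(), max_attendees=3):
    """Return organizer, attendee count, URLs and findings for one invite."""
    text = re.sub(r"\r?\n[ \t]", "", ics_text)  # unfold lines (RFC 5545, 3.1)
    organizer, attendees, urls, rsvp = None, 0, [], False
    for name, params, value in filter(None, map(split_line, text.splitlines())):
        if name == "ORGANIZER":
            organizer = re.sub(r"^mailto:", "", value, flags=re.I).lower()
        elif name == "ATTENDEE":
            attendees += 1
            rsvp = rsvp or "RSVP=TRUE" in params  # sender asked for replies
        elif name in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL"):
            urls += URL_RE.findall(value)
    checks = [
        ("unknown-organizer", organizer not in known_senders),
        ("bulk-attendee-list", attendees > max_attendees),
        ("link-in-event-text", bool(urls)),
        ("rsvp-requested", rsvp),  # a Decline would reply to the organizer
    ]
    return {"organizer": organizer, "attendees": attendees, "urls": urls,
            "findings": [label for label, hit in checks if hit]}

if __name__ == "__main__":
    print(triage_invite(SAMPLE_ICS))
```

An invite that raises the rsvp-requested finding is one to delete without responding, rather than to decline.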
Apple needs to fix this
Apple did not respond to a request for comment.
This could become a real problem for Apple users, who are completely unprotected from this sort of spam, and who may have also chosen the Apple platform because it is widely considered to be a more protected environment than Windows or Android.
In other words, users might figure they can safely click on anything because they’re on an Apple machine, and this loophole leaves them potentially unprotected.
I’m hoping Apple responds to this article and lets us know they’re working on a fix. In the meantime, be sure to be careful if and when you get a weird, unexpected notification.
Finally, contact Apple if you experience this problem. If enough people report it as an issue, it has a much greater chance of being resolved quickly.
Thanks to the Hive Mind
I want to send out a special thanks to all the kind folks on Twitter and Facebook who helped contribute to this article. I’ve left out their names because I don’t want to give spammers any confirmation that their practices worked with any specific individuals.
You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.
Source: SANS ISC SecNewsFeed @ November 29, 2016 at 10:15AM