.ics is the file extension for calendar files; opening one adds its events and notes to the calendar on the device. Many attackers currently abuse .ics files for phishing. Recently, while checking Google Calendar, I noticed that .ics files can be abused in a way that they have never been used before. This technique allows you to create meetings on Calendar with fake organizers and attendees.
.ics file compatibility
I discovered that this technique works on all the most popular email service providers (e.g. Google Workspace, O365); if the file is opened on Android or iOS, it is added to the phone’s Calendar. It works better against Google targets, however, because of the way Google displays .ics attachments. Therefore, the illustration below only targets Google.
The attack with an .ics file works like this: the attacker tricks you into opening the .ics file, and the scheduled content, such as meetings and notes, is added to the Calendar on your device. When the scheduled date arrives, a notification is shown, and opening the notification redirects you to a malicious web page or downloads malicious code to your computer.
Download the .ics template
The easiest way to get an .ics file is to send a Google Calendar invite from one Gmail account to another and then download the email attachment, invite.ics.
Sign in to the other email, click on the email invitation, and download the invite.ics file.
Now we have an .ics file to tamper with.
Open the invite.ics file with a text editor. You should see each line in key: value format. Remove the line starting with UID.
# Delete this line
UID:email@example.com
Now you can start spoofing contacts. The organizer can be tampered with by modifying the CN= value as below.
For attendees, you can add as many as you want and again modify the CN= value; that’s the email the user will see.
Force attendees to accept the invitation
All attendees have a PARTSTAT= key. Just set it to PARTSTAT=ACCEPTED, and it will appear as if attendees have accepted the invitation.
Add profile photo
The attendee’s mailto: address can be another email you own or a random email. The perk of using an email you own is that you can log into that account and upload the profile picture of the person you want to impersonate.
For example, if one of the attendees has CN=firstname.lastname@example.org and mailto:email@example.com, I can upload Johnathan’s photo to firstname.lastname@example.org and that’s what the user will see in the invitation.
Make sure the organizer’s mailto: address is a non-Google email (not Gmail or Google Workspace). For some reason if it is a Google email, the “Yes/Maybe/No” buttons are not included in the email. For this example, I will use a Hotmail account.
Calendar title and time
You can change the calendar title by modifying the SUMMARY: key in the .ics file.
You can modify the time with DTSTART: and DTEND:.
I’ll summarize the steps in case you can’t figure it out. I’m assuming I’ve downloaded the invite.ics file.
Remove the line starting with the UID in the .ics file.
Spoof the organizer and attendees by modifying the CN= and mailto: values. Make sure the organizer’s mailto: value is a non-Google email. Also make sure you set PARTSTAT=ACCEPTED for all attendees except the victim.
ORGANIZER;CN=email@example.com:mailto:firstname.lastname@example.org
ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=NEEDS-ACTION;RSVP=TRUE;CN=email@example.com;X-NUM-GUESTS=0:mailto:firstname.lastname@example.org
ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=ACCEPTED;RSVP=TRUE;CN=email@example.com;X-NUM-GUESTS=0:mailto:firstname.lastname@example.org
ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=ACCEPTED;RSVP=TRUE;CN=email@example.com;X-NUM-GUESTS=0:mailto:firstname.lastname@example.org
Modify the Calendar title to whatever name you want.
SUMMARY:Mandatory Company Townhall Meeting
Make sure you have set the time of the invite schedule correctly. The times shown below are 2021-11-02 12 noon – 1pm.
Compose an email to the victim and attach the .ics file. The email header format should be as follows:
Invitation: CALENDAR-TITLE-HERE @ Wed Nov 2, 2021 12pm - 1pm (EDT) (ORGANIZER@SPOOFED.com)
Step 6 – Options
Add the Google Meet link to the email body because Google splits the Google Meet link in the .ics file.
As expected, users see the fake names you have recorded.
And both fake users accepted the meeting.
Hovering over a name in Google Calendar reveals its mailto: address, so try to set it to an address that closely resembles the fake email.
Example: CN=email@example.com and mailto:firstname.lastname@example.org
Alternatively, you can also create meeting notes using Google Calendar here.
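Seen from the mail-filtering side, the edits described above leave traces in the attachment itself: the UID line is gone, a CN= that looks like an address does not match its mailto:, and attendees arrive already marked ACCEPTED. The following Python check is an added example, not code from the original post; the function names and the sample invite are constructed for illustration.

```python
import re

EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
PARTY = re.compile(r"(ORGANIZER|ATTENDEE)(;.*)?:mailto:(\S+)$", re.I)

def unfold(text):
    """RFC 5545 unfolding: a line break followed by space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def parse_party(line):
    """Return (property, params, mailto address) or None. Simplified: no ';' inside quoted values."""
    m = PARTY.match(line)
    if not m:
        return None
    pairs = (item.partition("=") for item in (m.group(2) or "").split(";")[1:])
    params = {k.upper(): v.strip('"') for k, _, v in pairs}
    return m.group(1).upper(), params, m.group(3).lower()

def audit_invite(ics_text):
    """List traces of the edits described in the article (hypothetical helper)."""
    lines = unfold(ics_text)
    parties = [p for p in map(parse_party, lines) if p]
    organizer = next((addr for prop, _, addr in parties if prop == "ORGANIZER"), None)
    findings = []
    if not any(re.match(r"UID[;:]", l, re.I) for l in lines):
        findings.append("UID property missing")
    for prop, params, addr in parties:
        cn = params.get("CN", "")
        # The display name is itself an address, but not the one mail would go to.
        if EMAIL.fullmatch(cn) and cn.lower() != addr:
            findings.append(f"{prop} CN {cn} differs from mailto {addr}")
        # Weak signal: updates to real meetings also carry accepted attendees.
        if prop == "ATTENDEE" and addr != organizer and params.get("PARTSTAT", "").upper() == "ACCEPTED":
            findings.append(f"{addr} is pre-marked ACCEPTED")
    return findings

# Constructed sample, modelled on the ORGANIZER/ATTENDEE lines shown above.
SAMPLE = """BEGIN:VCALENDAR
BEGIN:VEVENT
ORGANIZER;CN=ceo@corp.example:mailto:someone@mail.example
ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=NEEDS-ACTION;RSVP=
 TRUE;CN=recipient@corp.example;X-NUM-GUESTS=0:mailto:recipient@corp.example
ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=ACCEPTED;RSVP=
 TRUE;CN=cfo@corp.example;X-NUM-GUESTS=0:mailto:other@mail.example
END:VEVENT
END:VCALENDAR
"""
```

Calling audit_invite(SAMPLE) returns four findings; none of them is conclusive alone, so they are better used to score or quarantine an attachment than to block it outright.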