IT NEWS

How to set up two-factor authentication on Twitter using an app

If you use text-based (SMS) authentication as an additional level of security for your Twitter account, you may be aware that this option will be reserved for paying Twitter Blue subscribers from mid-March. This post explains how to enable app-based authentication instead. We found it easier to do on a desktop, with the authenticator app on a phone.

Enabling app-based two-factor authentication

1. While logged in, navigate to Settings and Support > Settings and Privacy > Security and account access > Security > Two-factor authentication.

2. Click Authentication app, enter your password, then click the Get started button.

[Screenshot: Protect your account]

3. You’ll now see a QR code on the Link the app to your Twitter account page. Open your authenticator app and choose the Scan a QR code option. Point your phone’s camera at the screen and the code is read automatically. If it isn’t, your app may require you to enter the setup key manually instead. Click Next.

[Screenshot: Link the app]

4. If the previous step worked, your authenticator app will show a six-digit code for Twitter. Enter it in the box on Twitter to link your account. If the code rolls over before you finish typing, don’t worry: just enter the fresh one. Make a note of the recovery code and keep it somewhere other than the phone that runs the authenticator. It is what lets you sign in if you lose that device or access to your other authentication methods.

[Screenshot: You’re all set]

That’s it! Your Twitter account is now more secure than it was.

A word of caution: app-based codes can still be phished. Many phishing sites now ask for the code too and relay it to the real site while it is still valid, so keep checking the address bar. Stay safe out there!


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

How to set up two-factor authentication on Twitter using a hardware key

If you use text-based (SMS) authentication as an additional level of security for your Twitter account, you may be aware that this option will be reserved for paying Twitter Blue subscribers from mid-March. This post explains how to enable hardware key authentication instead.

Enabling a hardware security key

1. While logged in, navigate to Settings and Support > Settings and Privacy > Security and account access > Security > Two-factor authentication.

2. Click Security key. You can register a key that plugs into a USB port on your computer, or one that connects over Bluetooth or NFC. You’ll also be asked to name your key, which makes it easier to keep track of multiple security keys.

3. Click Get started. It’s worth noting here that many types of hardware key work with mobile devices too. You don’t necessarily need to plug a key into your phone, because it can authenticate over NFC or Bluetooth instead.

[Screenshot: Protect your account]

4. Insert the key into your device, or connect it to your phone via NFC or Bluetooth. Click Add key, then touch the key to add it to your account.

[Screenshot: Add your key]

[Screenshot: YubiKey]

5. You’ll be asked if you want to allow Twitter.com to start using a security key to sign in. The message may differ slightly from the below image.

[Screenshot: Authorise key]

6. Give the key a name and press Next. Save the backup code in case you lose access to your device or your authentication method.

[Screenshot: Name your key]

[Screenshot: All set]

Your Twitter account is now significantly more secure than it once was. A hardware key uses the FIDO2/WebAuthn protocol: the browser binds each signature to the site’s origin, so a lookalike domain cannot obtain a valid response, and there is no text or app code for a phishing page or a SIM-swap attacker to steal. One caveat: that protection only covers the key itself. If you leave SMS or app codes enabled as fallback methods, an attacker can still phish those, so consider removing them once you have a second key registered as a backup.
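Why a hardware key is different, as an added example rather than code from this post or from Twitter: with FIDO2/WebAuthn the browser, not the web page, writes the origin into clientDataJSON, and the key signs over that together with authenticatorData, which carries a hash of the relying party ID. A page at a lookalike domain therefore receives a signature that names its own origin, and the real server rejects it. The check below is the relying-party side of that. The authenticator data and client data are constructed stand-ins for what a real key and browser produce, twitter-login.example is a made-up phishing domain, and verifying the signature with the registered public key is assumed to happen separately after these checks pass.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def rp_id_hash(rp_id: str) -> bytes:
    """The authenticator signs over SHA-256 of the relying party ID it was asked for."""
    return hashlib.sha256(rp_id.encode()).digest()


def build_authenticator_data(rp_id: str, user_present: bool = True, sign_count: int = 1) -> bytes:
    """Minimal authenticatorData: rpIdHash (32) || flags (1) || signCount (4, big-endian).
    Constructed here to stand in for what a real key produces."""
    flags = 0x01 if user_present else 0x00
    return rp_id_hash(rp_id) + bytes([flags]) + sign_count.to_bytes(4, "big")


def build_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON is written by the browser, not the web page, and records
    the origin the request really came from."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def signed_payload(authenticator_data: bytes, client_data: bytes) -> bytes:
    """What the key actually signs: authenticatorData || SHA-256(clientDataJSON)."""
    return authenticator_data + hashlib.sha256(client_data).digest()


def check_assertion(client_data: bytes, authenticator_data: bytes, expected_challenge: bytes,
                    expected_rp_id: str, allowed_origins: set) -> tuple:
    """Relying-party checks that make the origin binding bite. Signature verification
    against the registered public key (assumed to follow) is left out of this example."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in allowed_origins:
        return False, f"origin {cd.get('origin')!r} is not an allowed origin"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != rp_id_hash(expected_rp_id):
        return False, "rpIdHash does not match our RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed; a real server draws this at random per login
    allowed = {"https://twitter.com"}
    auth_data = build_authenticator_data("twitter.com")
    legit = build_client_data("https://twitter.com", challenge)
    phish = build_client_data("https://twitter-login.example", challenge)  # made-up phishing origin
    print(check_assertion(legit, auth_data, challenge, "twitter.com", allowed))
    print(check_assertion(phish, auth_data, challenge, "twitter.com", allowed))
```

The phishing case fails on the origin check before any cryptography is involved; in practice the browser on the lookalike site would not even be allowed to ask the key for a credential scoped to twitter.com, so the rpIdHash check is a second line of defence.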



Multilingual skimmer fingerprints ‘secret shoppers’ via Cloudflare endpoint API

One important aspect of data theft in criminal markets revolves around the authenticity of the data that is being resold. There are different services that exist to vet such things as credit card numbers so that buyers can purchase with confidence.

Criminals are also well aware that others, security researchers in particular, may want to interfere with their operations. Flooding phishing pages with junk data is a sport of its own, although it can be counterproductive at times, and defenders can also use special tracing cards to follow the money.

We recently spotted a Magecart skimmer that collects the current victim’s IP address and browser user-agent in addition to their email, address, phone number and credit card data. Because the victim already filled in their home address, we believe this is a fingerprinting effort much like what is done in traditional malware campaigns.

Skimmer targets various geolocations

The skimmer uses iframes that are loaded if the current page is the checkout and if the browser’s local storage does not include a font item (this is equivalent to using cookies to detect returning visitors).


Figure 1: Skimmer checking for address bar and inserting iframe

The final rendering is identical to official payment platforms and does not give anything away:


Figure 2: Fake payment forms injected by skimmer

Fingerprinting via Cloudflare API

The underlying code scrapes everything from the customer’s contact and payment forms. This is often overlooked when talking about digital skimmers, yet it is extremely important: while a financial institution can reissue a new card in the mail, the rest of the information the criminals have collected is equivalent to a data breach and can be reused for other types of fraud later on.


Figure 3: Skimmer data collection and fingerprinting

One thing we noticed that was a little unusual is code that queries the legitimate Cloudflare endpoint API and parses the response for two things specifically: the user’s current IP address and the browser’s user-agent. A user-agent string might look something like this:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36

From this you can determine that the user is running 64-bit Windows 10 with Chrome version 110. (Windows 11 reports the same “Windows NT 10.0” token, so the two cannot be told apart from the user-agent alone.)

Figure 4: Stolen data including IP address and user-agent string

It’s worth noting that this is done after credit card data has already been collected and not before. It is quite common to check the user-agent string upon visiting a web page to determine whether a particular victim fits the target profile or to adapt the content to a mobile or desktop experience.

Since the skimmer already grabbed the shopper’s city, postal code and country it’s unlikely that the IP address would be of much use beyond that. We believe the threat actors are likely collecting IP addresses and user-agent strings for quality checks and monitoring invalid users such as bots and security researchers.
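To make the fingerprinting step concrete, the following is an added example, not the skimmer’s code. It assumes the endpoint in question is Cloudflare’s /cdn-cgi/trace, which answers with key=value lines including the caller’s IP (ip=) and user-agent (uag=), and it reads the same facts off the user-agent that the paragraph above does. The trace response is constructed, apart from the user-agent string quoted above.

```python
import re

# Constructed response in the format Cloudflare's /cdn-cgi/trace endpoint returns
# (key=value lines). We assume this is the endpoint the skimmer queries; the values
# are made up, except the user-agent, which is the one quoted above.
SAMPLE_TRACE = """fl=12f3a
h=www.example-shop.test
ip=203.0.113.42
ts=1676900000.123
visit_scheme=https
uag=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
colo=LHR
http=http/2
loc=GB
tls=TLSv1.3
"""


def parse_trace(text: str) -> dict:
    """Turn the key=value lines into a dict; values may themselves contain '='."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def fingerprint_from_trace(text: str) -> dict:
    """The two fields the skimmer keeps: the client's public IP and its user-agent."""
    fields = parse_trace(text)
    return {"ip": fields.get("ip"), "user_agent": fields.get("uag")}


# Windows NT token -> marketing name. Windows 11 still reports NT 10.0, so the
# two cannot be told apart from the user-agent alone.
WINDOWS_NT = {"10.0": "Windows 10 or 11", "6.3": "Windows 8.1", "6.2": "Windows 8", "6.1": "Windows 7"}

# Order matters: Chrome's UA also contains "Safari", Edge's and Opera's also contain "Chrome".
BROWSER_TOKENS = (("Edg", "Edge"), ("OPR", "Opera"), ("Chrome", "Chrome"),
                  ("Firefox", "Firefox"), ("Safari", "Safari"))


def summarize_user_agent(ua: str) -> dict:
    """Extract what the text above reads off the string: OS, bitness, browser, major version."""
    summary = {"os": "unknown", "arch": "unknown", "browser": "unknown", "version": None}
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        summary["os"] = WINDOWS_NT.get(m.group(1), f"Windows NT {m.group(1)}")
        summary["arch"] = "x64" if ("Win64" in ua or "x64" in ua or "WOW64" in ua) else "x86"
    elif "Android" in ua:          # checked before Linux: Android UAs also say "Linux"
        summary["os"] = "Android"
    elif "iPhone" in ua or "iPad" in ua:   # checked before macOS: iOS UAs say "like Mac OS X"
        summary["os"] = "iOS"
    elif "Mac OS X" in ua:
        summary["os"] = "macOS"
    elif "Linux" in ua:
        summary["os"] = "Linux"
    for token, name in BROWSER_TOKENS:
        m = re.search(rf"{token}/(\d+)", ua)
        if m:
            summary["browser"], summary["version"] = name, int(m.group(1))
            break
    return summary


if __name__ == "__main__":
    fp = fingerprint_from_trace(SAMPLE_TRACE)
    print(fp["ip"], summarize_user_agent(fp["user_agent"]))
```

The same parsing is what a defender can do with the exfiltrated records when they are recovered: the IP and user-agent pairs show which sessions the operators were likely checking against bots or researchers.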

Conclusion

We observe a number of credit card skimmers targeting e-commerce platforms such as Magento and WordPress/WooCommerce. Online merchants need to be aware of this threat and take appropriate measures, not only to be compliant but also to make it much harder to be compromised in the first place. Since we mentioned Cloudflare in this post, it’s worth noting that the company offers businesses a service called Page Shield, which monitors the third-party scripts loaded on a site to help protect visitors from malicious libraries.

We continue to track and report skimming infrastructure in order to protect our users via our Malwarebytes for consumers and businesses, as well as our Browser Guard extension.

Indicators of Compromise

gtag-analytics[.]com

gtag-analytics[.]com/analytics/15798/script.js?key=
gtag-analytics[.]com/analytics/18452/script.js?key=
gtag-analytics[.]com/analytics/25198/script.js?key=
gtag-analytics[.]com/analytics/31826/script.js?key=
gtag-analytics[.]com/analytics/32444/script.js?key=
gtag-analytics[.]com/analytics/34515/script.js?key=
gtag-analytics[.]com/analytics/65526/script.js?key=

gogletags[.]click
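As an added example of putting the indicators above to use (not code from the original post): refang the domains, match on the host rather than the full URL so that subdomains and loader paths with new numeric IDs are still caught, and run the check over proxy log lines. The log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# The defanged indicators from the list above.
IOC_DOMAINS = ["gtag-analytics[.]com", "gogletags[.]click"]

# The loader URLs listed above differ only in a numeric path segment, so match
# the shape of the path rather than the seven specific IDs.
LOADER_PATH = re.compile(r"^/analytics/\d+/script\.js$")


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so the IOC can be compared to live data."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def match_url(url: str, domains=IOC_DOMAINS):
    """Return match details if the URL's host is an IOC domain or a subdomain of one, else None."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    for ioc in domains:
        domain = refang(ioc).lower()
        if host == domain or host.endswith("." + domain):
            return {
                "domain": domain,
                "loader_pattern": bool(LOADER_PATH.match(parts.path)) and parts.query.startswith("key="),
            }
    return None


# Constructed proxy log lines (timestamp, client, method, URL, status); not real traffic.
SAMPLE_LOG = """2023-02-20T10:01:02Z 10.0.0.5 GET https://www.example-shop.test/checkout/ 200
2023-02-20T10:01:03Z 10.0.0.5 GET https://gtag-analytics.com/analytics/25198/script.js?key=abc123 200
2023-02-20T10:01:04Z 10.0.0.5 GET https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX 200
2023-02-20T10:02:10Z 10.0.0.7 GET https://cdn.gogletags.click/loader.js 200
"""


def scan_log(text: str) -> list:
    """Flag every request whose host matches an IOC. The legitimate Google Tag Manager
    host that the skimmer's domain names imitate is left alone."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        match = match_url(fields[3])
        if match:
            hits.append({"time": fields[0], "client": fields[1], "url": fields[3], **match})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Matching on the registrable domain is deliberate: the operators can mint new numeric IDs and subdomains cheaply, whereas the domains themselves are what they have to keep reusing until they are replaced.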

Chip company loses $250m after ransomware hits supply chain

Applied Materials, one of the world’s leading suppliers of equipment, services, and software for the manufacture of semiconductors, has warned that its second-quarter sales are likely to be hurt to the tune of $250 million due to a cybersecurity attack at one of its suppliers.

MKS Instruments Inc.

In the announcement of first quarter results and the second quarter forecast Applied Materials mentions a:

“negative estimated impact of $250 million dollars related to a cybersecurity event recently announced by one of our suppliers”

And although Applied Materials did not name the supplier, the victim is thought to be MKS Instruments Inc., a vendor that said a week ago that a ransomware attack would force it to delay the release of its own quarterly results.

Ransomware

On February 16, 2023, MKS filed notice of a data breach after learning of the ransomware attack that resulted in sensitive employee information being made accessible to an unauthorized party. 

MKS said the attack has impacted the company’s ability to process orders, ship products, and provide service to customers in the company’s Vacuum Solutions and Photonics Solutions Divisions. The full scope of the costs and related impacts of this incident, including the extent to which the company’s cybersecurity insurance may offset some of these costs, has not been determined.

More details about the attack have not yet been released, but we will keep you informed when we learn more about it.

Supply chain effects

While we have talked at length about the risks of getting infected through your supply chain, this incident goes to show that even if none of your systems themselves get infected, an attack at one of your suppliers can have significant financial repercussions for your organization.

A supply chain attack is, essentially, another way for attackers to compromise their target company. Instead of them attacking their target directly, they go for the weakest link in that company’s supply chain: a vendor that may not have as secure a system as their main target.

Chip equipment industry

There is no good time for a ransomware attack, but this one comes with very bad timing. Of all the component shortages we’ve seen in recent years, by far the most severe has been for certain semiconductors, aka chips.

It has to be said that the semiconductor manufacturing equipment industry is a special case. It is a highly specialized, espionage-sensitive industry in which a few companies dominate the global market. In such a market, stagnation at an important supplier that cannot be replaced on short notice can have a huge impact on your own results, as this incident demonstrates.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.

A week in security (February 13 – 19)

Last week on Malwarebytes Labs:

Stay safe!

GoAnywhere zero-day opened door to Clop ransomware

A semi-active ransomware group has claimed it is behind a string of attacks which took advantage of a zero-day vulnerability in GoAnywhere MFT.

The Russian-linked Clop ransomware group says it was able to remotely attack private systems using exposed GoAnywhere MFT administration consoles accessible on the public internet. BleepingComputer reports the group claimed they gained access and stole data from the GoAnywhere servers of at least 130 organizations.

One of Clop’s victims was Community Health Systems (CHS), a Fortune 500 healthcare services provider in the US. It recently filed a Form 8-K to the Securities and Exchange Commission (SEC), announcing the compromise of its system and disclosure of company data, including protected health information (PHI) and personal information (PI) of certain patients. CHS didn’t disclose the specific number of affected individuals.

Since the release of the emergency patch, Fortra has revealed that attackers also breached some of its MFTaaS instances during the attack.

The Cybersecurity & Infrastructure Security Agency (CISA) recently added CVE-2023-0669 to its Known Exploited Vulnerabilities Catalog, a list of software flaws that federal organizations must patch within two weeks. It’s helpful for non-federal organizations to refer to as well, in order to help prioritize their patching.

Thankfully, an emergency patch (7.1.2) has been available since last week.

As well as the patch, GoAnywhere clients are also encouraged to:

  • Rotate the master encryption key.
  • Reset credentials.
  • Review audit logs and delete suspicious admin or user accounts.
  • Contact Fortra support by going to its portal, emailing technicians at goanywhere.support@helpsystems.com, or phoning them at 402-944-4242.



TikTok car theft challenge: Hyundai, Kia fix flaw

Car manufacturer Hyundai, and its subsidiary Kia, began rolling out a free software update on February 14, 2023, to address a flaw in their anti-theft software, which was highlighted in a social media challenge. The release of the update came nine months after an uptick in car theft of the affected models in the US. Outside the US, victims in Australia also came forward.

“The software updates the theft alarm software logic to extend the length of the alarm sound from 30 seconds to one minute and requires the key to be in the ignition switch to turn the vehicle on,” said the US National Highway Traffic Safety Administration (NHTSA). “The effort is in response to a TikTok social media challenge that has spread nationwide and has resulted in at least 14 reported crashes and eight fatalities.”

The “Kia Challenge” went viral on TikTok in August 2022. Thieves, known as “Kia Boys” or “Kia Boyz”, showed how to bypass Kia’s security system using simple tools like a screwdriver and a USB cable. It is said this method of thieving is so easy because many 2015-2019 Kias and Hyundais lack electronic immobilizers, which use electronic signals to deter thieves from hot-wiring cars.

The teens instructed viewers to forcefully remove the covering of the steering column (located just below the steering wheel) to expose a slot where a USB-A plug then comes into play.

From what we have gathered, the viral TikTok video was a snippet from a Tommy G YouTube documentary entitled Kia Boys Documentary (A Story of Teenage Car Theft). The scene in question was found in the last bit of the video.

Only cars that use keys seem susceptible to this kind of theft. Push-to-start cars, which are vehicles that you start by pushing a button, are immune.

“The software upgrade modifies certain vehicle control modules on Hyundai vehicles equipped with standard ‘turn-key-to-start’ ignition systems,” Hyundai said in a press release. “As a result, locking the doors with the key fob will set the factory alarm and activate an ‘ignition kill’ feature so the vehicles cannot be started when subjected to the popularized theft mode. Customers must use the key fob to unlock their vehicles to deactivate the ‘ignition kill’ feature.”

A total of 8.3 million cars are eligible for the free update. Owners of affected Hyundai and Kia models are encouraged to visit their local dealership to have the software upgrade installed. Updated vehicles also get a windshield decal indicating they’ve been equipped with anti-theft software.

Hyundai will also be releasing the patch in phases, the schedule of which you can view on their web page. For the February 14 release (part of Phase 1), owners of Hyundai 2017-2020 Elantra can receive the update. The model to receive the patch next is 2018-2022 Accent in June 2023 (part of Phase 2). The schedule for the remaining models is yet to be announced.



Mortal Kombat ransomware forms tag team with crypto-stealing malware

An “unidentified actor” is using two malicious payloads in tandem to cause combo-laden mayhem on desktops around the world, according to new research from Talos.

The tag-team campaign serves up ransomware known as Mortal Kombat, which borrows the name made famous by the video game, and Laplas Clipper malware, a clipboard stealer. Depending on the flow of infection, targets can expect to find a demand for payment to unlock encrypted files or sneaky malware looking to grab cryptocurrency details from system clipboard functions.

These attacks have been taking place since December 2022 and have no specific target, with small and large organisations affected, as well as individuals. The infection chain is kick-started by an email harbouring a malicious attachment.

The email is cryptocurrency themed, and claims that a payment of yours has “timed out” and will need resending. Given how long it can take some cryptocurrency payments to be processed, this is likely to raise the curiosity of recipients.

The email comes with a dubious zip attachment containing a BAT loader that begins the infection process when it’s executed. The BAT loader kicks off a chain of events that results in the download and execution of the ransomware or the clipper malware, from one of two URLs. (The analysis by Talos does not include how it decides which to deploy, so it could be targeting or just random chance.)

It’s like a choose your own adventure game gone horribly wrong.

Laplas Clipper

Laplas Clipper is a form of Trojan, and it takes a very smart approach to cryptocurrency theft. Regular clipboard-swiping malware waits for a user to copy a cryptocurrency address (a long string of letters and digits) and then switches it out for an address owned by the scammer. The end result is that the victim sends their payment to the attacker instead of the intended recipient.

Laplas switches out to wallet addresses which look similar to the correct, intended destination. Rather than carrying a stack of addresses with it, it phones home, contacting its Command and Control (C2) server via HTTP GET for a close match.

It’s also able to generate imitation addresses for a wide variety of cryptocurrencies including Monero, Bitcoin, Ethereum, Solana, and even Steam trading URLs. This is, of course, very bad news for people who do a lot of wallet address copying and pasting.

In this instance it establishes persistence on the infected machine via the AppData\Roaming folder and a Windows scheduled task which, in Talos’s words, runs Clipper “every minute for 416 days”. This essentially grants non-stop monitoring of the system. It then acts as described above, switching out genuine wallet addresses for bogus imitations.

Malwarebytes detects Laplas Clipper as Trojan.Clipper.
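An added example (not Laplas code, and not Malwarebytes detection logic) of the check a clipboard guard can make against the swap described above: classify the copied and pasted strings by address format, and treat a same-currency address with matching leading or trailing characters but a different middle as a suspected lookalike swap. The patterns cover the currencies named above except Solana, whose plain base58 format is too generic to tell apart from other strings; the addresses in the demo are constructed, apart from the well-known Bitcoin genesis-block address used as the “copied” value.

```python
import re

# Address shapes for the currencies named above. Solana is omitted: a bare
# base58 string of 32-44 characters matches too many unrelated things.
ADDRESS_PATTERNS = {
    "bitcoin-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "bitcoin-bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify(text: str):
    """Name the address format a string matches, or None if it is not a wallet address."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None


def check_paste(copied: str, pasted: str, edge: int = 4) -> dict:
    """Compare what the user copied with what is about to be pasted.

    A clipper that fetches a close match from its C2 keeps the first and/or last few
    characters the victim is likely to glance at, so a same-format address whose ends
    agree but whose body differs is the signature of that swap."""
    kind_copied, kind_pasted = classify(copied), classify(pasted)
    result = {"copied_type": kind_copied, "pasted_type": kind_pasted}
    if kind_copied is None:
        result["verdict"] = "not-an-address"
    elif copied == pasted:
        result["verdict"] = "ok"
    elif kind_pasted == kind_copied and (
        copied[:edge] == pasted[:edge] or copied[-edge:] == pasted[-edge:]
    ):
        result["verdict"] = "swap-suspected-lookalike"
    else:
        result["verdict"] = "swap-suspected"
    return result


# The genesis-block address is public and well known; the second string is a
# constructed lookalike (same first four and last four characters) and is not a
# real address.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
LOOKALIKE = "1A1zP7rGBXz2hS9o2Xtc8wkKLuXVg7ivfNa"

if __name__ == "__main__":
    print(check_paste(GENESIS, GENESIS))
    print(check_paste(GENESIS, LOOKALIKE))
```

The point of the comparison is that validity is no help: the replacement the C2 serves is a perfectly valid address, so only a mismatch between the copy and the paste, observed at the moment of pasting, reveals the swap.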

Mortal Kombat ransomware

Mortal Kombat ransomware is based on the Xorist commodity ransomware. According to Talos, it has mainly been seen in the US, as well as the Philippines, the UK, and Turkey. This type of ransomware is created via a builder program. The builder allows a reasonable amount of customisation, including the warning message, the extension appended to encrypted files, the wallpaper, and so on.

Once installed on a system, Mortal Kombat targets a large selection of files for encryption, based on their file extensions. It also drops a ransom note and changes the wallpaper for the PC. According to The Record, the wallpaper features the character Scorpion from…you guessed it…Mortal Kombat.

There is nothing subtle about this particular ransomware threat. Talos notes that files in the recycle bin are not spared from attack.

Applications and folders are removed from Windows startup, and indicators of infection are discreetly tidied up and removed. The ransom note reads as follows, pushing those impacted towards communication with the attackers via instant messaging:

YOUR SYSTEM IS LOCKED AND ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED. DON’T WORRY YOUR FILES ARE SAFE. TO RETURN ALL THE NORMALLY YOU MUST BUY THE CERBER DECRYPTOR PROGRAM. PAYMENTS ARE ACCEPTED ONLY THROUGH THE BITCOIN NETWORK. YOU CAN GET THEM VIA ATM MACHINE OR ONLINE.

Instructions are then provided to download the aforementioned chat program, add the attackers as a “friend”, and begin communication.

Malwarebytes detects Mortal Kombat ransomware as Malware.Ransom.Agent.Generic.

[Screenshot: Mortal Kombat ransomware detection]



Two Supreme Court cases could change the Internet as we know it

The Supreme Court is about to reconsider Section 230, a law that’s been the foundation of the way we have used the Internet for decades.

The court will be handling a few cases that at first glance are about online platforms’ liability for hosting accounts from foreign terrorists. But at a deeper level these cases could determine whether or not algorithmic recommendations should receive the full legal protections of Section 230.

The implications of removing that protection could be huge. Section 230 has frequently been referred to as a key law, which has allowed the Internet to develop to what it is now. Whether we like it or not.

The two cases waiting to be heard by the Supreme Court are Gonzalez v. Google and Twitter v. Taamneh. Both seek to draw big tech into the war on terror. The plaintiffs in both suits rely on a federal law that allows any US national who is injured by an act of international terrorism to sue anyone who knowingly provided substantial assistance to whoever carried it out. The reasoning is that the platforms, Google and Twitter, assisted terrorists by giving them the ability to recruit new members.

Section 230 is the provision that has, until now, protected those platforms from the negative consequences of user-generated content.

Section 230

Section 230 is a section of Title 47 of the United States Code that was enacted as part of the Communications Decency Act (CDA) of 1996, which is Title V of the Telecommunications Act of 1996, and generally provides immunity to websites from the negative effects of third-party content.

What’s in question is whether providers should be treated as publishers or, alternatively, as distributors of content created by their users.

Before the Internet, a liability line was drawn between publishers of content and distributors of content. A publisher would be expected to have awareness of the material they published and could be held liable for it, while a distributor would likely not be aware and as such would be immune.

The key sentence, Section 230(c)(1), reads: “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

Section 230 protections have never been limitless, though. They do not extend to federal criminal law or to intellectual property claims such as copyright infringement, which is handled under separate rules.

It all became a bit more complicated when online platforms, and social media in particular, started using algorithms designed to keep us occupied. These algorithms make sure that we are presented with content we have shown an interest in. The goal is to make us spend as much time on the platform as possible while the platform earns advertising dollars. While the content was not created by the platform, the algorithm definitely does the bidding of the platform.

In the early days (cases that played out before the turn of the century) moderation was seen as an editorial action which shifted a platform from a distributor role into a publisher role, which didn’t exactly help to get some form of moderation started.

In modern times, now that moderation has become the norm on social platforms, the scale of content moderation decisions that need to be taken is immense. Reportedly, within a 30-minute timeframe, Facebook takes down over 615,000 pieces of content, YouTube removes more than 271,000 videos, channels and comments, and TikTok takes down nearly 19,000 videos.

Possible implications

Section 230, from an Internet perspective is an ancient law, written at a time when the Internet looked very different than it does today. Which brings us back to the algorithms that have people scrolling social media all day. One of the consequences of these algorithms noticing a preference for a particular subject is that they will serve you increasingly extreme content in that category.

Making platforms liable for the content provided by their users is likely to make everything a lot slower. Imagine what will happen if every frame of every video has to be analyzed and approved before it gets posted. We would soon see rogue social media platforms where you can’t sue anyone because the operators are hiding behind avatars on the Dark Web or in countries beyond the reach of US extradition treaties.

It could even have a chilling effect on freedom of speech, as social media platforms seek to avoid the risk of getting sued over the back and forth in a heated argument.

And what about the recent popularity surge we have seen in chatbots? Who will be seen as the publisher when ChatGPT and Bing Chat (or DAN and Sydney as their friends like to call them) uses online content to formulate a new answer without pointing out where they found the original content?

Let’s not forget sites that have an immense userbase, like Reddit, which largely depend on human volunteer moderators and a bit of automation to keep things civilized. Will those volunteers stick around when they can be blamed for million dollar lawsuits against the site?

Even easily overlooked services like Spotify could be facing lawsuits if their algorithm suggested a podcast that contains content considered harmful or controversial.

The Halting Problem

Stopping bad things from happening on platforms like Google and Twitter is an admirable ambition, but it is probably impossible. Even if they were able to fully automate moderation, they would quickly run into the halting problem associated with decision problems.

A decision problem is a computational problem that can be posed as a yes–no question of the input values. So, is this content allowed or not? That sounds like a simple question, but is it? Turing proved no algorithm exists that always correctly decides whether, for a given arbitrary program and input, the program halts when run with that input. This is called the halting problem.

The halting problem concerns programs rather than posts, so the mapping onto moderation is an analogy rather than a proof, but the lesson carries: no algorithm will always make the correct call in a decision problem as complicated as content moderation, and any automated moderator will have to live with errors in both directions.



iPhone calendar spam: What it is, and how to remove it

If you open up your iPhone and see a variety of messages claiming that you’ve been hacked, your phone is not protected, that viruses have damaged your phone, or, my personal favourite, “Click to get rid of annoying ads”, fear not. It’s quite possible you’ve accidentally wandered into a common form of scam: Calendar spam.

Calendar spam is a way for scammers to insert nonsensical claims, offers, and warnings with potentially harmful links into your calendar, which triggers notifications on your device.

How you get it

The most common techniques for spreading calendar spam are bogus adverts, popups, and other forms of coding used on websites which may be of a questionable nature. They can be found on pornography sites, but also file sharing sites, unofficial streaming platforms, gaming sites, random blogs, pretty much anywhere at all.

Calendar applications like iCal make it easy to add public calendars, which are just URLs, and the scammers exploit that ease of use. The aim of the scammers’ game is to get unsuspecting users to accept a calendar subscription. Often, they will obscure the subscription with a distraction. For example, a user may be asked to confirm that they’re a human via CAPTCHA. The user clicks through, and before they realise it, they’ve also clicked “OK” to a follow-up message containing a calendar subscription.

Should you accept one of these subscriptions, the spam calendar and all of its events are added to your calendar app. The events contain alerts, which generate notifications, and your lock screen fills up with them. Should you venture into your calendar, a tangled mess of calendar entries awaits.

The links in the calendar entries lead to the usual range of spam, surveys, bogus apps, fake security tools, and more besides. They have nothing you want or need to be wasting your time on. With this in mind, what can you do about it?
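To show what a spam subscription actually delivers, here is an added example (not from the original post) that parses a constructed .ics feed of the kind such a calendar serves. The URL in each event and the VALARM component are what turn a subscription into clickable notifications; the parser unfolds RFC 5545 line continuations, then flags events that combine a link with an alarm or scare wording. Hostnames and wording are made up.

```python
import re

# Constructed .ics feed of the kind a spam calendar subscription serves. The
# hostnames and text are made up; the VEVENT + VALARM structure is what makes the
# notifications fire. The DESCRIPTION line is folded the way RFC 5545 allows.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//constructed sample//EN",
    "X-WR-CALNAME:Security Alerts",
    "BEGIN:VEVENT",
    "UID:spam-1@calendar.example",
    "DTSTART:20230220T090000Z",
    "SUMMARY:Your iPhone is not protected! Click to fix",
    "DESCRIPTION:Viruses have damaged your phone. Click here to remove",
    "  them now: http://spam.example/fix?u=1",
    "URL:http://spam.example/fix?u=1",
    "BEGIN:VALARM",
    "ACTION:DISPLAY",
    "TRIGGER:-PT0M",
    "DESCRIPTION:Your iPhone is not protected!",
    "END:VALARM",
    "END:VEVENT",
    "BEGIN:VEVENT",
    "UID:team-sync@calendar.example",
    "DTSTART;TZID=Europe/London:20230221T100000",
    "SUMMARY:Team sync",
    "END:VEVENT",
    "END:VCALENDAR",
    "",
])

URL_RE = re.compile(r"https?://[^\s,;>\"']+")
SCARE_WORDS = ("hacked", "virus", "not protected", "click", "damaged", "infected", "warning")


def unfold(text: str) -> list:
    """RFC 5545 folding: a line starting with a space or tab continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ics(text: str) -> list:
    """Return one dict per VEVENT: its properties, how many alarms it carries, and any URLs."""
    events, stack, current = [], [], None
    for line in unfold(text):
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.split(";", 1)[0].upper()   # drop parameters such as ;TZID=...
        if name == "BEGIN":
            component = value.strip().upper()
            stack.append(component)
            if component == "VEVENT":
                current = {"props": {}, "alarms": 0, "urls": set()}
            elif component == "VALARM" and current is not None:
                current["alarms"] += 1
        elif name == "END":
            component = value.strip().upper()
            if stack and stack[-1] == component:
                stack.pop()
            if component == "VEVENT" and current is not None:
                current["urls"] = sorted(current["urls"])
                events.append(current)
                current = None
        elif current is not None:
            if stack[-1] == "VEVENT":
                current["props"][name] = value
            current["urls"].update(URL_RE.findall(value))   # includes URLs inside alarms
    return events


def flag_spam_events(events: list) -> list:
    """Flag events that pair a link with an alarm or scare wording: the spam pattern."""
    flagged = []
    for ev in events:
        text = " ".join(ev["props"].values()).lower()
        reasons = []
        if ev["urls"]:
            reasons.append("contains link(s): " + ", ".join(ev["urls"]))
        if ev["alarms"]:
            reasons.append(f"{ev['alarms']} alarm(s) will raise notifications")
        hits = [w for w in SCARE_WORDS if w in text]
        if hits:
            reasons.append("scare wording: " + ", ".join(hits))
        if ev["urls"] and (ev["alarms"] or hits):
            flagged.append({"summary": ev["props"].get("SUMMARY"), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for item in flag_spam_events(parse_ics(SAMPLE_ICS)):
        print(item)
```

Nothing about the feed is malicious by itself; it is ordinary calendar data. That is why the fix in the next section is simply to remove the subscription rather than to clean anything.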

How to remove it

This is such a common problem that Apple has a dedicated support page for it. There are two ways to remove calendar spam, depending on which iOS version you use. From the help pages:

iOS 14.6 or later

  • Open the Calendar app.
  • Tap the unwanted Calendar event.
  • Tap Unsubscribe from this Calendar at the bottom of the screen.
  • To confirm, tap Unsubscribe.

Earlier versions of iOS

  • Open the Calendar app.
  • At the bottom of the screen, tap Calendars.
  • Look for a calendar that you don’t recognize. Tap the More Info button next to that calendar, then scroll down and tap Delete Calendar.

If this doesn’t fix the issue, delete the calendar subscription in Settings:

  • Open the Settings app.
  • Tap Calendar > Accounts. Or if you use iOS 13, tap Passwords & Accounts > Accounts instead.
  • Tap Subscribed Calendars.
  • Look for a calendar that you don’t recognize. Tap it, then tap Delete Account.

Not just iPhone

Spammers will try and abuse all sorts of devices, apps, and systems in order to besiege you with calendar spam (or even calendar-style spam) notification alerts. In 2019, Google Calendar users were hit with a wave of spam notifications, and Calendly users were impacted by phishers abusing the service in 2022. In that same year, new safety features appeared for Google Docs users in order to give users a little more confidence that notifications were not bogus.

No matter the device or service, anything with notification ability could be a target. In many ways, phone calendar spam is a perfect fit for phones where everyday misclicks are very common. It only takes one spam calendar prompt hidden behind something else and a split second lapse in attention for the scammers to stake a claim on your phone.

The good news is that once you understand how the scam works, it’s very easy to remove the notifications and keep your phone free from endless spam notifications.

Keeping your calendars spam free

  • Be careful where you click. Scammers have to fool you into subscribing to a calendar for this to work, so read before you click! If you do add a calendar prompt, don’t panic. Follow the removal instructions above.
  • Use Malwarebytes for iOS. It can block rogue websites and adverts, the two primary causes of unwanted calendar prompts.

Stay safe out there!

