IT NEWS

Twitter is making some dramatic shake ups to its currently available security settings. From March 19, users of Twitter won’t be able to use SMS-based two-factor authentication (2FA) unless they have a subscription to the paid Twitter Blue service.

If you use text-based 2FA, the important thing here is not to worry.

You may be under the impression that Twitter is removing your 2FA ability altogether, but this isn’t the case. There are alternatives, and they’re quite a bit more robust than the SMS approach. In fact, they’re referenced by Twitter repeatedly in the documentation regarding the removal of the text service for free Twitter users.

If you’re not sure what they are, or how they work, fear not. We’re going to walk you through the alternatives.

Changing your security approach on a deadline

If you log into Twitter at the moment, you’ll eventually be treated to a popup message which says the following:

Only Twitter Blue subscribers can use the text message two factor authentication method. It’ll just take a few minutes to remove it. You can still use the authentication app and security key methods. To avoid losing access to Twitter, remove text message two-factor authentication by Mar 19, 2023.

This move is being blamed on fraudulent bot behaviour in relation to the Twitter platform. From the above linked Twitter blog post:

While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers. The availability of text message 2FA for Twitter Blue may vary by country and carrier.

It’s not great that an additional security measure is being removed from users and placed behind a subscription. Some form of 2FA is better than nothing, and uptake for any type of 2FA is painfully low on major platforms. Even Twitter itself struggles, with just 2.6% of active accounts making use of at least one 2FA method. Out of those, 74.4% are using SMS 2FA so this removal plan could have a big impact on already tiny sign up numbers.

As Twitter is so mobile-centric and likely already has your mobile number, SMS 2FA is for many people a natural fit for the platform. It may well be that people stripped of their SMS 2FA may not bother to implement 2FA all over again with an app or hardware key. That would leave those accounts much less secure.

With this in mind, let’s take a look at what’s on the other two forms of 2FA that Twitter offers.

Twitter and 2FA: What can you use?

Authenticator apps

Apps are viewed as being more secure than text-based 2FA, but are still very convenient.

Authenticator apps work by continually generating a numerical code that you enter on the site after you’ve logged in with your username and password. If the code expires before you enter it, the app generates another one and you use that instead. The app will never run out of codes.

These codes are valid whether your phone is online or offline. Some authenticator apps will also send you a prompt to accept, to prove it is you who is logging in. If you travel a lot, this can be more convenient than relying on SMS because you may not have access to a network provider while overseas, or even some form of internet connection. With an app, it doesn’t make any difference.

Unlike text-based 2FA, authenticator apps are resistant to SIM-swap phone calls, because your codes are entirely disconnected from your carrier. Note that you can still be phished should you enter your app generated code on a phishing page.

Hardware security keys

These are dedicated USB sticks which can be tied to the websites you use, taking on the 2FA role in place of text messages, app codes, or even codes sent by email. Hardware security keys can’t be SIM swapped, and they won’t fall foul of phishing either. There’s nothing to phish. Unless the attacker can somehow physically obtain the device from your home, your wallet, your keychain, or anywhere else, they’re going to fail miserably with regard to compromising your security.

Hardware keys are very much the niche option, but if you want to reduce the risk of phishing as much as you possibly can, they’re definitely something to consider. There are models of hardware key which also work with services like password managers, so there’s a lot of options available depending on your specific security needs.

Making the change

Our next post on this subject will explain how to remove text based 2FA from your Twitter account if you have it enabled, and how to enable either app-based authentication or a hardware key instead. Some of the options and settings can be hard to find even for a pro, but we’ll cover each option in detail and you can pick the setting most relevant to your needs.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

If you use text based authentication as an additional level of security for your Twitter account, you may be aware that this option will be reserved for paying Twitter Blue subscribers come mid-March. This post will explain how to enable app based authentication. We found it easier to do on our desktop, with the authenticator code on our phone.

Enabling app based 2 factor authentication

1. While logged in, navigate to Settings and Support > Settings and Privacy > Security and account access > Security > Two-factor authentication.

2. Click Authentication app and then enter your password. Click the Get started button.

2. You’ll now see a QR code on the Link the app to your Twitter account page. Open your authenticator app and click the Scan a QR code option. Point your phone at the screen and the code will be scanned automatically. If it isn’t, your app may require you to do this step manually. Click Next.

3. If the previous step worked, you’ll see a 6 digit code being generated for Twitter in your authenticator app. Enter the code in the popup box on Twitter in order to link your account. If the code changes before you can enter it, don’t worry. Just enter the fresh code. Make a note of the recovery code, which can be used to sign in if you lose your device or access to your authentication methods.

That’s it! Your Twitter account is now more secure than it was.

A word of caution: you can still be phished despite using app based codes, as many phishing sites now ask for this information too. Stay safe out there!

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

If you use text based authentication as an additional level of security for your Twitter account, you may be aware that this option will be reserved for paying Twitter Blue subscribers come mid-March. This post explains how to enable hardware key authentication instead.

Enabling a hardware security key

1. While logged in, navigate to Settings and Support > Settings and Privacy > Security and account access > Security > Two-factor authentication.

2. Click Security key. You can then either insert the key into the USB port of your computer, or sync it over your computer’s Bluetooth or NFC. You should also name your key, which makes it easier for you to keep track of multiple security keys.

3. Click Get started. It’s worth noting here that many types of hardware keys work with mobile devices. You don’t necessarily need to insert keys into your phone, because they’ll authenticate via NFC or Bluetooth instead.

4. Insert the key into your device or sync with a phone via NFC or Bluetooth. Click Add key. Touch the key to add it to your account. 

5. You’ll be asked if you want to allow Twitter.com to start using a security key to sign in. The message may differ slightly from the below image.

6. Give the key a name and press Next. Save the backup code in case you lose access to your device or your authentication method.

Your Twitter account is now significantly more secure than it once was. The hardware key means phish attacks won’t work, as there’s no text or application code which can be stolen by phishing or SIM-swap attacks. This should be everything you need to keep your account safe.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Applied Materials, one of the world’s leading suppliers of equipment, services, and software for the manufacture of semiconductors, has warned that its second-quarter sales are likely to be hurt to the tune of $250 million due to a cybersecurity attack at one of its suppliers.

MKS Instruments Inc.

In the announcement of first quarter results and the second quarter forecast Applied Materials mentions a:

“negative estimated impact of $250 million dollars related to a cybersecurity event recently announced by one of our suppliers”

And although Applied Materials did not name the supplier, it’s thought that the victim is MKS Instrument Inc; a vendor that a week ago said a ransomware attack would force it to delay the release of its own quarterly results.

Ransomware

On February 16, 2023, MKS filed notice of a data breach after learning of the ransomware attack that resulted in sensitive employee information being made accessible to an unauthorized party. 

MKS said the attack has impacted the company’s ability to process orders, ship products, and provide service to customers in the company’s Vacuum Solutions and Photonics Solutions Divisions. The full scope of the costs and related impacts of this incident, including the extent to which the company’s cybersecurity insurance may offset some of these costs, has not been determined.

More details about the attack have not yet been released, but we will keep you informed when we learn more about it.

Supply chain effects

While we have talked at length about the risks of getting infected through your supply chain, this incident goes to show that even if none of your systems themselves get infected, an attack at one of your suppliers can have significant financial repercussions for your organization.

A supply chain attack is, essentially, another way for attackers to compromise their target company. Instead of them attacking their target directly, they go for the weakest link in that company’s supply chain: a vendor that may not have as secure a system as their main target.

Chip equipment industry

There is no good time for a ransomware attack, but this one comes with very bad timing. Of all the component shortages we’ve seen in recent years, by far the most severe has been for certain semiconductors, aka chips.

It has to be mentioned that the semiconductor manufacturing equipment industry is a special case. It is a very specialized and espionage sensitive industry where a few companies dominate the global market. In such a market, the stagnation at an important supplier, who can not be replaced on short notice, can have a huge impact on your own results. As demonstrated here.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.

Last week on Malwarebytes Labs:

• What is AI good at (and what the heck is it, actually), with Josh Saxe: Lock and Code S04E04
• Malwarebytes recognized as endpoint security leader by G2
• CISA issues alert with South Korean government about DPRK’s ransomware antics
• Jailbreaking ChatGPT and other large language models while we can
• French law to report cyberincidents within 3 days to become effective soon
• Consent to gather data is a “misguided” solution, study reveals
• Should you share passwords with your partner?
• Android 14 developer preview highlights multiple security improvements
• One in nine online stores are leaking your data, says study
• New ESXiArgs encryption routine outmaneuvers recovery methods
• TrickBot gang members sanctioned after pandemic ransomware attacks
• Update now! Apple patches vulnerabilities in MacOS and iOS
• Update now! February’s Patch Tuesday tackles three zero-days
• Four EU telco giants will start asking users if they want personalized targeted ads
• WordPress sites backdoored with ad fraud plugin
• Fake Hogwarts Legacy cracks lead to adware, scams
• Arris router vulnerability could lead to complete takeover
• Ransomware pushes City of Oakland into state of emergency
• TikTok car theft challenge: Hyundai, Kia fix flaw
• Mortal Kombat ransomware forms tag team with crypto-stealing malware
• Two Supreme Court cases could change the Internet as we know it
• iPhone calendar spam: What it is, and how to remove it

Stay safe!

A semi-active ransomware group has claimed it is behind a string of attacks which have taken advantage of a zero-day vulnerability in GoAywhere MFT.

The Russian-linked Clop ransomware group says it was able to remotely attack private systems using exposed GoAnywhere MFT administration consoles accessible on the public internet. BleepingComputer reports the group claimed they gained access and stole data from the GoAnywhere servers of at least 130 organizations.

One of Clop’s victims was Community Health Systems (CHS), a Fortune 500 healthcare services provider in the US. It recently filed a Form 8-K to the Securities and Exchange Commission (SEC), announcing the compromise of its system and disclosure of company data, including protected health information (PHI) and personal information (PI) of certain patients. CHS didn’t disclose the specific number of affected individuals.

Since the release of the emergency patch, Fortra has revealed that attackers also breached some of its MFTaaS instances during the attack.

The Cybersecurity & Infrastructure Security Agency (CISA) recently added CVE-2023-0669 to its Known Exploited Vulnerabilities Catalog, a list of software flaws that federal organizations must patch within two weeks. It’s helpful for non-federal organizations to refer to as well, in order to help prioritize their patching.

Thankfully, an emergency patch (7.1.2) has been available since last week.

As well as the patch, GoAnywhere clients are also encouraged to:

• Rotate the master encryption key.
• Reset credentials.
• Review audit logs and delete suspicious admin or user accounts.
• Contact Fortra support by going to its portal, emailing technicians at goanywhere.support@helpsystems.com, or phoning them at 402-944-4242.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Car manufacturer Hyundai, and its subsidiary Kia, began rolling out a free software update on February 14, 2023, to address a flaw in their anti-theft software, which was highlighted in a social media challenge. The release of the update came nine months after an uptick in car theft of the affected models in the US. Outside the US, victims in Australia also came forward.

“The software updates the theft alarm software logic to extend the length of the alarm sound from 30 seconds to one minute and requires the key to be in the ignition switch to turn the vehicle on,” said the US National Highway Traffic Safety Administration (NHTSA). “The effort is in response to a TikTok social media challenge that has spread nationwide and has resulted in at least 14 reported crashes and eight fatalities.”

The “Kia Challenge” went viral on TikTok in August 2022. Thieves, known as “Kia Boys” or “Kia Boyz”, showed how to bypass Kia’s security system using simple tools like a screwdriver and a USB cable. It is said this method of thieving is so easy because many 2015-2019 Kias and Hyundais lack electronic immobilizers, which use electronic signals to deter thieves from hot-wiring cars.

The teens instructed viewers to forcefully remove the covering of the steering column (located just below the steering wheel) to expose a slot where a USB-A plug then comes into play.

From what we have gathered, the viral TikTok video was a snippet from a Tommy G YouTube documentary entitled Kia Boys Documentary (A Story of Teenage Car Theft). The scene in question was found in the last bit of the video.

Only cars that use keys seem susceptible to this kind of theft. Push-to-start cars, which are vehicles that you start by pushing a button, are immune.

“The software upgrade modifies certain vehicle control modules on Hyundai vehicles equipped with standard ‘turn-key-to-start’ ignition systems,” Hyundai said in a press release. “As a result, locking the doors with the key fob will set the factory alarm and activate an ‘ignition kill’ feature so the vehicles cannot be started when subjected to the popularized theft mode. Customers must use the key fob to unlock their vehicles to deactivate the ‘ignition kill’ feature.”

A total of 8.3 million cars are eligible for the free update. Owners of affected Hyundai and Kia models are encouraged to visit their local dealership to have the software upgrade installed. Updated vehicles also get a windshield decal indicating they’ve been equipped with anti-theft software.

Hyundai will also be releasing the patch in phases, the schedule of which you can view on their web page. For the February 14 release (part of Phase 1), owners of Hyundai 2017-2020 Elantra can receive the update. The model to receive the patch next is 2018-2022 Accent in June 2023 (part of Phase 2). The schedule for the remaining models is yet to be announced.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

An “unidentified actor” is making use of these two malicious files to cause combo-laden mayhem on desktops around the world, according to new research from Talos.

The tag-team campaign serves up ransomware known as Mortal Kombat, which borrows the name made famous by the video game, and Laplas Clipper malware, a clipboard stealer. Depending on the flow of infection, targets can expect to find a demand for payment to unlock encrypted files or sneaky malware looking to grab cryptocurrency details from system clipboard functions.

These attacks have been taking place since December 2022 and have no specific target, with small and large organisations affected, as well as individuals. The infection chain is kick-started by an email harbouring a malicious attachment.

The email is cryptocurrency themed, and claims that a payment of yours has “timed out” and will need resending. Given how long it can take some cryptocurrency payments to be processed, this is likely to raise the curiosity of recipients.

The email comes with a dubious zip attachment containing a BAT loader that begins the infection process when it’s executed. The BAT loader kicks off a chain of events that results in the download and execution of the ransomware or the clipper malware, from one of two URLs. (The analysis by Talos does not include how it decides which to deploy, so it could be targeting or just random chance.)

It’s like a choose your own adventure game gone horribly wrong.

Laplas Clipper

Laplas Clipper is a form of Trojan, and it takes a very smart approach to cryptocurrency theft. Regular clipboard-swiping malware waits for a user to copy a cryptocurrency address (which looks like a long password) and then switches it out for an address owned by the scammer. The end result is that the victim sends their payment to the attacker instead of the intended recipient.

Laplas switches out to wallet addresses which look similar to the correct, intended destination. Rather than carrying a stack of addresses with it, it phones home, contacting its Command and Control (C2) server via HTTP GET for a close match.

It’s also able to generate imitation addresses for a wide variety of cryptocurrencies including Monero, Bitcoin, Ethereum, Solana, and even Steam trading URLs. This is, of course, very bad news for people who do a lot of wallet address copying and pasting.

In this instance, it creates both persistence on the infected machine via the AppDataRoaming folder and a Windows scheduled task which means Clipper activates “every minute for 416 days”. This essentially grants non-stop monitoring of a system. It then acts as mentioned above, switching out genuine wallet addresses for bogus imitations.

Malwarebytes detects Laplas Clipper as Trojan.Clipper.

Mortal Kombat ransomware

Mortal Kombat Ransomware is based on Xorist Commodity ransomware. According to Talos, it has mainly been seen in the US, as well as the Philippines, the UK, and Turkey. This type of ransomware is created via a builder program. The builder allows for a reasonable amount of customisation, which includes warning messages, desired file extension, wallpaper addition, the file extension used on encrypted files, and so on.

Once installed on a system, Mortal Kombat targets a large selection of files for encryption, based on their file extensions. It also drops a ransom note and changes the wallpaper for the PC. According to The Record, the wallpaper features the character Scorpion from…you guessed it…Mortal Kombat.

There is nothing subtle about this particular ransomware threat. Talos notes that files in the recycle bin are not spared from attack.

Applications and folders are removed from Windows startup, and indicators of infection are discreetly tidied up and removed. The ransom note reads as follows, pushing those impacted towards communication with the attackers via instant messaging:

YOUR SYSTEM IS LOCKED AND ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED. DON’T WORRY YOUR FILES ARE SAFE. TO RETURN ALL THE NORMALLY YOU MUST BUY THE CERBER DECRYPTOR PROGRAM. PAYMENTS ARE ACCEPTED ONLY THROUGH THE BITCOIN NETWORK. YOU CAN GET THEM VIA ATM MACHINE OR ONLINE.

Instructions are then provided to download the aforementioned chat program, add the attackers as a “friend”, and begin communication.

Malwarebytes detects Mortal Kombat ransomware as Malware.Ransom.Agent.Generic.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you’ll isolate an outbreak, communicate with stakeholders, and restore your systems.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

The Supreme Court is about to reconsider Section 230, a law that’s been the foundation of the way we have used the Internet for decades.

The court will be handling a few cases that at first glance are about online platforms’ liability for hosting accounts from foreign terrorists. But at a deeper level these cases could determine whether or not algorithmic recommendations should receive the full legal protections of Section 230.

The implications of removing that protection could be huge. Section 230 has frequently been referred to as a key law, which has allowed the Internet to develop to what it is now. Whether we like it or not.

The are two cases waiting to be heard by the Supreme Court are Gonzalez v. Google and Twitter v. Taamneh. Both seek to draw big tech into the war on terror. The plaintiffs in both suits rely on a federal law that allows any USA national who is injured by an act of international terrorism to sue anyone who knowingly provided substantial assistance to whoever carried it out. The reasoning is that the platforms, Google and Twitter, provided assistance to terrorists by giving them the ability to recruit new members.

Section 230 is the provision that has, until now, protected those platforms from the negative consequences of user-generated content.

Section 230

Section 230 is a section of Title 47 of the United States Code that was enacted as part of the Communications Decency Act (CDA) of 1996, which is Title V of the Telecommunications Act of 1996, and generally provides immunity to websites from the negative effects of third-party content.

What’s in question is whether providers should be treated as publishers or, alternatively, as distributors of content created by its users.

Before the Internet, a liability line was drawn between publishers of content and distributors of content. A publisher would be expected to have awareness of the material they published and could be held liable for it, while a distributor would likely not be aware and as such would be immune.

No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.

Section 230 protections have never been limitless though, and require providers to remove material illegal on a federal level, such as in copyright infringement cases.

It all became a bit more complicated when online platforms—and social media in particular—started using algorithms that are designed to keep us occupied. These algorithms make sure that we are presented with content we have shown an interest in. The goal is to make us spend as much time on that platform as possible while the platform earns advertising dollars. While the content was not created by the platform, the algorith definitely does the bidding of the platform.

In the early days (cases that played out before the turn of the century) moderation was seen as an editorial action which shifted a platform from a distributor role into a publisher role, which didn’t exactly help to get some form of moderation started.

In modern times, now that moderation has become the norm on social platforms, the scale of content moderation decisions that need to be taken is immense. Reportedly, within a 30-minute timeframe, Facebook takes down over 615,000 pieces of content, YouTube removes more than 271,000 videos, channels and comments, and TikTok takes down nearly 19,000 videos.

Possible implications

Section 230, from an Internet perspective is an ancient law, written at a time when the Internet looked very different than it does today. Which brings us back to the algorithms that have people scrolling social media all day. One of the consequences of these algorithms noticing a preference for a particular subject is that they will serve you increasingly extreme content in that category.

Making platforms liable for the content provided by their users is likely to make everything a lot slower. Imagine what will happen if every frame of every video has to be analyzed and approved before it gets posted. We would soon see rogue social media platforms where you can’t sue anyone because the operators are hiding behind avatars on the Dark Web or in countries beyond the reach of US extradition treaties.

It could even have a chilling effect on freedom of speech, as social media platforms seek to avoid the risk of getting sued over the back and forth in a heated argument.

And what about the recent popularity surge we have seen in chatbots? Who will be seen as the publisher when ChatGPT and Bing Chat (or DAN and Sydney as their friends like to call them) uses online content to formulate a new answer without pointing out where they found the original content?

Let’s not forget sites that have an immense userbase, like Reddit, which largely depend on human volunteer moderators and a bit of automation to keep things civilized. Will those volunteers stick around when they can be blamed for million dollar lawsuits against the site?

Even easily overlooked services like Spotify could be facing lawsuits if their algorithm suggested a podcast that contains content considered harmful or controversial.

The Halting Problem

Stopping bad things from happening on platforms like Google and Twitter is an admirable ambition, but it is probably impossbile. Even if they were able to fully automate moderation, they would quickly run into the halting problem associated with decision problems.

A decision problem is a computational problem that can be posed as a yes–no question of the input values. So, is this content allowed or not? That sounds like a simple question, but is it? Turing proved no algorithm exists that always correctly decides whether, for a given arbitrary program and input, the program halts when run with that input. This is called the halting problem.

A direct derivative of the halting problem is that no algorithm will always make the correct decision in a decision problem as complicated as content moderation.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

If you open up your iPhone and see a variety of messages claiming that you’ve been hacked, your phone is not protected, that viruses have damaged your phone, or, my personal favourite, “Click to get rid of annoying ads”, fear not. It’s quite possible you’ve accidentally wandered into a common form of scam: Calendar spam.

Calendar spam is a way for scammers to insert nonsensical claims, offers, and warnings with potentially harmful links into your calendar, which triggers notifications on your device.

How you get it

The most common techniques for spreading calendar spam are bogus adverts, popups, and other forms of coding used on websites which may be of a questionable nature. They can be found on pornography sites, but also file sharing sites, unofficial streaming platforms, gaming sites, random blogs, pretty much anywhere at all.

Calendar applications like iCal make it easy to add public calendars, which are just URLs, and the scammers exploit that ease of use. The aim of the scammers’ game is to get unsuspecting users to accept a calendar subscription. Often, they will obscure the subscription with a distraction. For example, a user may be asked to confirm that they’re a human via CAPTCHA. The user clicks through, and before they realise it, they’ve also clicked “OK” to a follow-up message containing a calendar subscription.

Should you accept one of these subscriptions, the spam calendar and all related events will be added to your calendar app. The events in the calendar contain alerts, which generate notifications, which could leave your screen looking a little something like this. Should you venture into your calendar, a tangled mess of calendar entries awaits.

The links in the calendar entries lead to the usual range of spam, surveys, bogus apps, fake security tools, and more besides. They have nothing you want or need to be wasting your time on. With this in mind, what can you do about it?

How to remove it

This is such a problem point for Apple that a dedicated page exists for just this problem. There are two ways to remove calendar spam, and it’s dependent on which iOS version you use. From the help pages:

iOS 14.6 or later

• Open the Calendars app.
• Tap the unwanted Calendar event.
• Tap Unsubscribe from this Calendar at the bottom of the screen.
• To confirm, tap Unsubscribe.

Earlier versions of iOS

• Open the Calendar app.
• At the bottom of the screen, tap Calendars.
• Look for a calendar that you don’t recognize. Tap the More Info button next to that calendar, then scroll down and tap Delete Calendar.

If this doesn’t fix the issue, delete the calendar subscription in Settings:

• Open the Settings app.
• Tap Calendar > Accounts. Or if you use iOS 13, tap Passwords & Accounts > Accounts instead.
• Tap Subscribed Calendars.
• Look for a calendar that you don’t recognize. Tap it, then tap Delete Account.

Not just iPhone

Spammers will try and abuse all sorts of devices, apps, and systems in order to besiege you with calendar spam (or even calendar-style spam) notification alerts. In 2019, Google Calendar users were hit with a wave of spam notifications, and Calendly users were impacted by phishers abusing the service in 2022. In that same year, new safety features appeared for Google Docs users in order to give users a little more confidence that notifications were not bogus.

No matter the device or service, anything with notification ability could be a target. In many ways, phone calendar spam is a perfect fit for phones where everyday misclicks are very common. It only takes one spam calendar prompt hidden behind something else and a split second lapse in attention for the scammers to stake a claim on your phone.

The good news is that once you understand how the scam works, it’s very easy to remove the notifications and keep your phone free from endless spam notifications.

Keeping your calendars spam free

• Be careful where you click. Scammers have to fool you into subscribing to a calendar for this to work, so read before you click! If you do add a calendar prompt, don’t panic. Follow the removal instructions above.
• Use Malwarebytes for iOS. It can block rogue websites and adverts, the two primary causes of unwanted calendar prompts.

Stay safe out there!

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.