There is an epidemic of Apple Calendar spam (and some incidents of iCloud Photo Sharing spam) impacting iCloud users worldwide. Everybody is writing about it, and because so many people are affected I thought I should join in. This is what is happening and what you can do about it.
Ray-Bans, Ugg Boots and Pandora
The spam works like this: You will receive a spam calendar invitation that invites you to “Save 20% on UGGs” or gives you a chance to get Ray-Bans for $19.99. These messages appear to be widely circulated. I first became aware of them last week, but think they may have been around for a little longer.
If you are receiving these spam invitations you must not use the Maybe, Decline or Accept tools you have for Calendar invitations when you receive them.
If you use these, the spammer will be notified that you have done so, enabling them to figure out that yours is a real email address.
Not only will you then receive further spam, but if they are comparing your details against other stacks of stolen data they may be able to develop new attack vectors. This means you should not respond directly. Instead, while we wait for Apple to patch this problem, you can follow two relatively simple steps to protect yourself.
Step One: Change a Setting
The spam works by exploiting a useful feature in macOS and iOS, which automatically scans your inbox for calendar invites, letting you know about them and prompting you to accept or decline them. This is useful as it means you are less likely to miss an invitation, but to prevent future attacks you should switch the feature off.
Here is what to do:
- Go to iCloud.com online.
- You need to access the full Web version rather than the mobile version, so if you are using an iOS device, press and hold the reload button in Safari’s address bar and choose ‘Request Desktop Site’ when you see the prompt.
- Now that you are using the full version of iCloud, log in with your info and choose Calendars.
- In Calendars click the gear icon and select Preferences.
- You should choose Advanced and scroll down to Invitations.
- In Invitations, you should set the option to receive event invitations by email, rather than as in-app notifications. Click Save.
In future you will be able to delete invitations you don’t need from your Mail folder rather than endure pester messages you can’t delete from your Calendar.
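Once invitations arrive as email, the attached invitation can be read without responding to it. The following is an added example, not part of the original article: it assumes the invitation is a standard iCalendar (RFC 5545) attachment, and the sample invite, the addresses and the `triage` helper are constructed for illustration.

```python
import re

# Constructed sample invitation (not a real message). The SUMMARY is folded
# mid-word, as RFC 5545 allows, so a keyword scan of the raw lines misses it.
SAMPLE_INVITE = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "METHOD:REQUEST", "BEGIN:VEVENT",
    "UID:constructed-0001@example.invalid",
    "SUMMARY:Save 20% on UG",
    " Gs today",
    "ORGANIZER;CN=Deals:mailto:sender@example.invalid",
    "ATTENDEE;RSVP=TRUE;PARTSTAT=NEEDS-ACTION:mailto:you@example.invalid",
    "END:VEVENT", "END:VCALENDAR",
])

# Lure words taken from the article; extend for your own mailbox.
LURES = re.compile(r"\buggs?\b|ray-?bans?|pandora", re.IGNORECASE)

def unfold(text):
    """Undo line folding: a line break followed by a space or tab continues a line."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def triage(text):
    """Read an invitation and report on it. Nothing is sent to anyone."""
    info = {"method": None, "summary": "", "organizer": None,
            "rsvp_requested": False}
    for line in unfold(text):
        # Simplification: assumes no quoted parameter value contains ':' or ';'.
        head, _, value = line.partition(":")
        name, *params = head.split(";")
        name, value = name.upper(), value.strip()
        if name == "METHOD":
            info["method"] = value.upper()
        elif name == "SUMMARY":
            info["summary"] = value
        elif name == "ORGANIZER":
            info["organizer"] = re.sub(r"^mailto:", "", value, flags=re.IGNORECASE)
        elif name == "ATTENDEE" and "RSVP=TRUE" in (p.upper() for p in params):
            info["rsvp_requested"] = True
    info["suspicious"] = bool(LURES.search(info["summary"]))
    # A response to a REQUEST is addressed to the organizer, which is how
    # the sender learns the mailbox is live.
    info["reply_goes_to"] = info["organizer"] if info["method"] == "REQUEST" else None
    return info

if __name__ == "__main__":
    print(triage(SAMPLE_INVITE))
```

The `reply_goes_to` field shows the address that an Accept, Maybe or Decline would notify, which is the reason to delete the message from Mail instead of answering it.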
Step Two: Get rid of the spam in Calendar
You can’t act on the invitation that is now in your Calendar because you don’t want to let the attacker know that you exist. Fortunately there is a way you can eradicate existing spam items from your Calendar without them knowing.
In Calendar you should create a new calendar. I called mine “Spam”.
To Create Calendar in iOS
- Open the Calendars app and tap the Calendars button at the bottom of the screen.
- Tap the Edit button.
- Now you should tap the Add Calendars option and name it.
To Create Calendar in macOS
- Open Calendars and choose File>New Calendar.
- Give your Calendar a name.
Now that you have your new Spam calendar, drag each instance of spam into it, being careful not to hit a response button. (It’s a little tedious, as you need to do this for each invite you have received.)
When you have moved all the entries to your new calendar you must delete the new Spam calendar.
To delete in iOS:
- Tap Calendars at the bottom of the Calendars screen
- Tap the lower case “i” icon beside your Spam calendar item, you’ll be taken to the ‘Edit Calendar’ screen.
- Scroll down this screen to find the Delete Calendar item, tap this to delete the Spam calendar (and all its contents) without letting the spammer know you exist.
- Make sure to select the 'Delete and Don't Notify' option in the Dialog box that appears.
How to delete on macOS:
- Control-click on the new Spam Calendar name in Calendar and choose ‘Delete’.
Once you have taken these steps you will no longer suffer these annoying spam invitations. You have also now deleted all those you have previously received without letting the spammer know your email address is genuine.
iCloud Photo spam
Unfortunately, the only solution I’ve found to the junk photo-sharing problem is to turn off iCloud Photo Sharing. That’s a real shame as I use it.
The feature that has been exploited in this attack is not new; it’s almost as old as the Calendar application. The fact that it has taken spammers years to identify this vector reflects the relative security of Apple’s platforms, but it also underlines the need not to be complacent about security on any platform.
I expect Apple will respond by improving its own iCloud spam filters to identify such problems and with a software patch to help secure the system. This may include a tool to privately decline such invitations without spammers knowing you are an active user, or some way users can mark unwanted invitations as spam.