Not long ago, a massive SPAM attack was launched through calendar event invitations. Anyone with an iCloud account could receive an event on their calendar urging them to buy some gadget.
Apple has already apologized publicly and says it is taking action against this attack.
The attackers basically had one or more lists of possible Apple accounts, sent events to all of those accounts, and waited to see what happened.
If you accepted or rejected the event, they could tell that the account was active, and if you bought something, that was taken.
That’s why Apple apologized publicly, and this is what they told iMore:
“We are sorry that some users have received invitations to events with SPAM. We are working hard to solve the problem by identifying and blocking suspicious people and invitations that contain SPAM.”
The attack broke out before Black Friday, so it has been known for some time, but I preferred to wait for the official reactions, see how events unfolded, and reflect on it a little more.
As they say, they are working on it, which is fine. But I would like to go a little further and ask for a reasonable reporting system.
I would like to see something similar in the Apple calendar, one that also does not compromise the end user.
Why do I say this? Because if you have accepted or rejected an event, the attackers now know that your account is active. They have been able to build another, much more precise list in which they know firsthand which accounts work and which do not.
This is dangerous because, with this list, they can carry out massive attacks if a bug in Apple's systems comes to light in the future.
I do not want to be an alarmist, but neither do I want us to give little importance to this problem. Our Apple account holds personal and banking information, so the least we can do is protect it.
It does not really take much: a SPAM report option that hides from the sender of the event whether the user has reported that event. Something as simple as that would suffice.
Yes, it does not make sense to include SPAM reports in a calendar, but since the platform can be used to send SPAM, it’s not such a bad idea.
What I have been able to observe these days is that the attack does not seem to be growing, which is very good. Now my only worry is the information the attackers have collected, if they have been smart enough to capture it.
We will see tomorrow whether Apple gives users a tool or instead handles it internally, as it has done until now.