Ana Rita Castanheira
Ana Rita is a Threat Researcher at Bitsight, supported by a background in Cyber Threat Intelligence, OSINT and Incident Response. Much of her work revolved around identifying and understanding emerging threats, and helping entities and teams prepare for or mitigate them.
This background is now applied to her malware research, using the same investigative approach to better understand how threats develop and operate.
Session
Once a subscription is established, a calendar server can deliver any number of events to your schedule, some of which may contain harmful content, turning a helpful tool into an unexpected attack vector. The lack of awareness surrounding calendars creates a dangerous blind spot in both personal and corporate security ecosystems.
In this investigation, we unveil a growing ecosystem of vast dedicated networks that deceive users at scale into subscriptions: from compromising websites, to redirecting victims, to tricking them into subscribing via fake captchas. This subscription “space”, which allows actors to create any number of events in your calendars, is then either used by the actors themselves or sold to third parties as-a-service. By pivoting, we sinkholed part of 2 networks conducting this operation and, in return, received daily requests from millions of iOS devices.
Here we uncover the tactics and techniques used by this dedicated infrastructure, as well as the risks a subscribed user or organization might incur (phishing, malware, etc.), culminating with the economic motivation behind the services currently selling this “space”.
Lastly, we conclude with some exploratory work on possible correlations with proxy botnets/services that might be using this illegitimate infrastructure to “acquire” new proxy nodes. The intent is to share this ecosystem with the community so further correlations can be explored. We close with some open discussion and early thoughts on the challenges of mapping this new ecosystem and its potential use for tracking active campaigns.