Slashdot Mirror


Oxford Temporarily Blocks Google Docs To Fight Phishing

netbuzz writes "Fed up with phishers using Google Forms to commandeer campus email accounts as spam engines, Oxford University recently blocked access to Google Docs for two-and-a-half hours in what it called an 'extreme action' designed to get the attention of both its users and Google. 'Seeing multiple such incidents the other afternoon tipped things over the edge,' Oxford explains in a blog post. 'We considered these to be exceptional circumstances and felt that the impact on legitimate University business by temporarily suspending access to Google Docs was outweighed by the risks to University business by not taking such action.' The move generated widespread complaints from those affected, as well as criticism from outside network professionals."


  1. Report Abuse by RedACE7500 · · Score: 5, Informative

    As an email system administrator for a Canadian university, we also see Google docs being increasingly used for phishing. We've also noticed Google's response to abuse reports has also improved considerably. If a few people submit an abuse report on a form, it will now usually get suspended in a matter of hours, where it used to take over a day. Unfortunately, those first few hours are the most critical when it comes to reacting to phishing.

    1. Re:Report Abuse by BlkRb0t · · Score: 3, Interesting

      How is Google Docs employed for phishing? Can anyone enlighten me here? I've used Google Docs at certain times and don't see how it can be used to trick users into believing that it is the original site they're entering the data into. Or am I missing something here? Unless the users are really that dumb to enter their info.

    2. Re:Report Abuse by bruce_the_loon · · Score: 5, Informative

      You got it at the end. They set up a form on Google Docs, make it look vaguely professional and mail my users pretending to be me.

      Most non-IT academics and just about all admin staff at my university seem to believe anything they have emailed. The phishers are relying on the IT administrators' reticence to block all of docs.google.com. If I see a specialized URL, I'll probably block the whole site, but killing all of Google Docs is a big decision. So they get a longer time of access than the specialized site would give them.

      Yes, they are stupid, yes they don't listen. No, I have no idea what to do beyond a name and shame campaign that my bosses don't like.

      --
      Trying to become famous by taking photos. Visit my homepage please.

    3. Re:Report Abuse by Anonymous Coward · · Score: 3, Funny

      Perhaps instead of a Name and shame campaign; you can perform a campaign of inconvenience...

      When a user is found to be the victim of a phishing attack, put them on a daily password reset for a week or month.
      Forcing them to create new passwords daily will be annoying while not crippling to their productivity and may *help* them be more vigilant in the future.

    4. Re:Report Abuse by Archangel+Michael · · Score: 3, Insightful

      Or they will come up with a new password Scheme that is completely insecure.

      Old Password: password
      New Password: password19 (today's date)

      Tomorrow ....

      Old Password: password19
      New Password: password20

      that way, I can have 28-31 different passwords every month, without having to remember any one in particular.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.

    5. Re:Report Abuse by hawguy · · Score: 2

      Perhaps instead of a Name and shame campaign; you can perform a campaign of inconvenience...

      When a user is found to be the victim of a phishing attack, put them on a daily password reset for a week or month.
      Forcing them to create new passwords daily will be annoying while not crippling to their productivity and may *help* them be more vigilant in the future.

      Why not just issue him a two-factor authentication token, then you can actually solve the problem instead of a bandaid approach that won't really help. (even if he has to do daily password resets, if he gives up his password in the morning, the hacker has 24 hours to use it).

      The tokens are cheap (even cheaper when it is a smart-phone app), every company with data worth stealing should use them.

    6. Re:Report Abuse by swillden · · Score: 2

      When a user is found to be the victim of a phishing attack, put them on a daily password reset for a week or month.

      The victims tend to learn from all the inconvenience caused by the attack itself. It's everyone that didn't get phished you need to reach.

      Perhaps the solution is to send out a university-sponsored phishing attack, then conduct an Internet-safety education seminar for everyone who falls for it.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

    7. Re:Report Abuse by davidbrit2 · · Score: 2

      Not if you enforce a minimum Levenshtein distance between the new password and the user's entire password history.

    8. Re:Report Abuse by Brandon+Hume · · Score: 3, Interesting

      I'm the same for

      What I've done is written a script that generates random usernames and passwords and submits them to the form. The phishers then need to pick out the real stuff from the garbage I pumped in.

      I've had phishers delete a form before Google did, simply because I pissed them off too much. *Very* satisfying, let me tell you. :)

      Here's a phish I received just two hours ago: https://docs.google.com/forms/d/1RPht7SPAZywd3L13_lLMeB1pCAz6ufe6LX-S7YKtaR8/viewform
      Feel free to join in the fun and type some garbage! The spam that contained the link was even written to spoof the quarantine message from our own antispam appliances.

      --
      Brandon Hume
      hume -> BOFH.Halifax.NS.Ca, http://WWW.BOFH.Halifax.NS.Ca/

    9. Re:Report Abuse by KPU · · Score: 2

      Now you're either storing all the users' past passwords, or maybe some clever hash of those passwords that preserves efficient computation of Levenshtein distance. However, given an oracle that computes Levenshtein distance, one could easily extract the password.

    10. Re:Report Abuse by davidbrit2 · · Score: 2

      That's a good point. Maybe it would be more feasible to have the server cache the current password in RAM during the mandatory password change process, so it can at least compute edit distance from the previous password.

      Or for added fun, have a server dedicated to brute force password cracking. When it gets somebody's password, their account gets flagged for a mandatory password change.
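The edit-distance rule from the sub-thread above, as an added example that is not code from any of the posters: the check runs at change time, when the user has just typed the old password, so nothing beyond the existing hash has to be stored and no distance oracle over stored secrets is exposed (the concern raised two comments up). The minimum distance of 4 and the case-folding are assumed policy choices; the `password19` / `password20` pair from earlier in the thread is the constructed input.

```python
def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) by the two-row DP."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_password_change(old: str, new: str, min_distance: int = 4) -> tuple[bool, str]:
    """Policy check performed while the old password is in hand (assumed
    policy: minimum distance 4, compared case-insensitively so that
    Password19 -> password19 does not count as a change)."""
    d = levenshtein(old.lower(), new.lower())
    if d < min_distance:
        return False, f"new password is only {d} edit(s) from the old one (minimum {min_distance})"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs taken from the date-suffix scheme described in the thread.
    for old, new in [("password19", "password20"), ("Password19", "password19"),
                     ("password19", "Tr0ub4dor&3")]:
        ok, why = check_password_change(old, new)
        print(f"{old!r} -> {new!r}: {'accepted' if ok else 'rejected'} ({why})")
```

Because the comparison is made only against the password the user has just proved knowledge of, the server never needs a plaintext history; the trade-off is that it catches near-duplicates of the previous password only, not of older ones.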

  2. It's a Google problem by SSpade · · Score: 4, Insightful

    Google docs is massively abused for phishing, and there doesn't seem to be much action by Google to prevent that.

    If Google paid more attention to preventing or mitigating abuse using their network, or even paid active attention to reports of abuse, people wouldn't have to resort to blocking them.

    1. Re:It's a Google problem by bruce_the_loon · · Score: 2

      They've gotten better. If I hit the Report Abuse link at the bottom of the document, it normally disappears inside three hours.

      --
      Trying to become famous by taking photos. Visit my homepage please.

  3. How is it used for phishing? by Sedated2000 · · Score: 3, Interesting

    I, like others, would like to know exactly how Google Docs is used for phishing. I've used Google Docs off and on since it was made available. I can't think of a particular feature that would make it an enticing service to use for phishing.

    Can anyone offer an example or offer up an anecdote where they've encountered it?

    1. Re:How is it used for phishing? by bruce_the_loon · · Score: 4, Informative

      My university has been targeted too. They create a form on top of a spreadsheet, make it look legitimate because it can be customized and then email it around. http://www.gfi.com/blog/google-docs-phishing/

      It gets past a lot of protection layers because Google Docs is trusted/whitelisted by most IPS filter lists.

      --
      Trying to become famous by taking photos. Visit my homepage please.

    2. Re:How is it used for phishing? by CKW · · Score: 2

      It sounds like end users simply "trust google", and thus ANYTHING on google docs is "trustworthy", because hey, "it's google".

      I know, it's stupid as baloney. It's like trusting a billboard down the street that says "City Billboard" just because you trust your City government, totally being ignorant that any nutjob can post something to the billboard.

      Some. People. Don't. Understand. Technology. AT ALL.

    3. Re:How is it used for phishing? by Incadenza · · Score: 3, Informative

      These kinds of tricks don't have anything to do with people not understanding technology - it has everything to do with the scammers understanding psychology. There are lots of ways to raise the trust people have in you (which are not rational at all) that seem to get exploited, either by knowledge or by experience, by scammers and fraudsters worldwide.

      One example would be the amounts 419 scammers ask to 'free your money'. Usually this is some weird amount like 423,50 instead of 500. Well, this is because a weird amount surprises us, and makes us more likely to believe the rest of the message!

      What is happening here might be related to the 'authority by proxy' mechanism (don't take my word on it, I am not a psychologist in any way, I just like to read the science section in the newspaper). This is where people find it more likely for something to be true when you quote somebody else as the source. I.e. if I say "Cucumbers are bad for your teeth" you are less likely to believe that than when I say "Doctors say cucumbers are bad for your teeth". But if I can lie about the cucumbers, I might as well lie about the doctors - there is no rational difference.

  4. Here's the list of Google-hosted phishing sites. by Animats · · Score: 5, Interesting

    One of the things our SiteTruth system does is report on major sites that host phishing scams. There are only 34 such sites today. As it has been for several years now, Google is at the top of the list.

    Here's the list of all known phishing sites currently hosted by Google. Scroll down through all that background data about the company to a big block of red "phishtank report (2013-02-01): Phony site reported via PhishTank." lines. Click on the links for a PhishTank report. The raw data comes mostly from PhishTank. Most exploitable hosting services (especially short-URL services) check PhishTank and the APWG list automatically, but not Google.

    Google has several vulnerabilities. It's possible to host an attack page not only on Google Sites and Google Docs, but also on Google Spreadsheets. Recently, Google added a new attack vector; there's an open redirector at Google Accounts.

    Amusingly, for some, but not all, of these phishing sites, Google's own anti-phishing warning pops up. But the part of Google that generates that blacklist clearly doesn't talk to the part of Google that does hosting.

    Here's the oldest phishing site hosted by Google. On line since 2010-12-30. It's one of those "Habbo Coins" phishing pages, probably forgotten by the original attacker, since it forwards to a dead Hotmail account.

    When we first started doing this analysis, Google wasn't on the list, because they didn't do hosting. There were about 150 sites listed in 2009. Through improved awareness, nagging and the Anti-Phishing Working Group, we're down to 34 - a few little sites with no clue, ones that just got hit by break-ins, and "bit.ly", which tries to keep up with their abuse problem but is falling behind. MSN, Yahoo, TinyURL, and most of the other big-time victims long ago solved their problems in this area. Google stands alone as a major service with an incompetent abuse department.

  5. Really? by Mullen · · Score: 4, Insightful

    I am really just shocked at how stupid people are to fill out a form on Google Docs with their passwords and username. I always recommend that people who fall for really obvious phishing attacks be fired but in this case, you can't fire students.

    --
    Linux O Muerte!

    1. Re:Really? by ravenswood1000 · · Score: 5, Funny

      Expel them for being too stupid to be in Oxford

  6. Re:that's a misrepresentation problem by hawguy · · Score: 4, Interesting

    Why is this at all google's fault? Why should they have to police google docs in such a fashion? Blame the people who suddenly decided phishing was a good idea.

    Because they are providing the tool that is so easily abused by phishers.

    It wasn't too long ago that open email relays were very common (and were quite useful), but now they are quickly blacklisted due to spammer abuse even though it's the spammer at fault, not the owner of the email relay.

    If I set up a booth outside your house giving away free universal keys that will open every lock in your house, you would probably have a problem with it even if the keys are perfectly legal to sell and have many legitimate uses. Even if it's only the criminals that will use the keys to break into your house, you probably wouldn't want me making it easier for them.

    You'd think that with all of the brain-power that Google has, they'd be able to come up with an automatic detection method for these scams that triggers an immediate manual review of suspected sites with a quick takedown - even though Google responds to abuse notifications within a few hours (as opposed to the few days it used to take them), a lot of personal information can be stolen in a few hours.

  7. or emeritus professors.... by fantomas · · Score: 4, Interesting

    Read the article. It's not stupid, it's being focussed somewhere else. As the article notes, a senior professor considered a world expert in Aztec culture or hunting Higgs Boson might not be an expert in IT, or focussing closely on IT forms when they are trying to crack a tricky problem in their field.

    I like it that you write off Oxford university academics and students as stupid. Mind you, to be fair I don't know where you got your education from ;-)

  8. staff using it to avoid IT politics as well by fantomas · · Score: 3, Informative

    I work on collaborative academic research projects. Rightly or wrongly some of these use free tools like Google docs for information sharing across organisations and countries. It might not just be undergrad students but also paid employees not able to access important shared documents.

    I'd prefer it if we used some better shared work environment but by crikey have you ever tried as a non computing specialist academic to persuade your central IT department that they should use the workspace environment that some other university's IT department wants to use instead of the local preference? Geek fight supreme. None of the IT departments in the different organisations want to back down and use somebody else's preferred option, and if your PhD isn't in Computing they sure aren't going to take your advice... so often academics say "sod the IT departments, let's all just use this free software we all know how to use and bypass the IT departments who aren't interested in supporting collaborations..."

  9. Re:that's a misrepresentation problem by jbmartin6 · · Score: 2

    All the phishers are doing is using Docs in the way it is meant to be used. If Google sees a form to enter information for ABC corp's Mr John McNobody, there's no way for Google to know if this is legitimate or not, other than actually trying to find Mr John McNobody and ask if it was legit.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.

  10. Re:"The Tool" by hawguy · · Score: 3, Insightful

    You mean the university email system that delivers the malicious email?

    I have a crazy idea, tell users not to give personal information out by email. It's that simple.

    NEVER give out personal information by email.

    The university doesn't control all avenues of email delivery - some people use Yahoo, MSN, and other providers so even if they had a perfect phishing filter, some would still slip through other avenues.

    After you've worked in an IT help desk for a while, you'd learn that there is no way to get people to follow a simple "Don't do this because it's unsafe" policy (for one thing, the list of unsafe behaviors is longer than anyone can remember). Try telling your boss (or a tenured professor) "You're an idiot! We told you not to give out personal information on links clicked from an email", and he'll say "But look, this website has our university seal on it, and it said it was from the IT department so I thought it was safe".

  11. This is why University IT sucks in general... by RocketRabbit · · Score: 2

    In the olden days (and I am thinking as recently as the late 1990s) the universities would bake their own IT solutions. It was considered an academic challenge, and each campus had its own peculiar requirements, culture, etc. In those days, you had two tiers of IT - the local lab support, which was generally a grad student in the department who had undergone a short training course - if they even needed it - to help lusers figure out which part of the computer is the screen, which is the keyboard, and where the any key was. Sometimes these people, despite being English majors or what have you, would write good software that might be used in the university, or even across the world, while they sat there watching the herd of cattle called students and tenured professors prance across the keyboards. OK, I jest a bit, but not much.

    Then, in the old days, you had the upper tier IT folks. These were people who essentially created and maintained the university's infrastructure. At the mid-sized midwestern university that I attended, the machine room contained a few IBM Power-based systems, running a redundant hardware / software stack, all of which connected to a dedicated user store. You could log into any of the servers and it would appear to be identical from the user's view. If one went down, the other could handle the load, and your full suite of Unix software was provided. It was beautiful. The entire infrastructure (minus the cabling running around campus, that was handled by union labor scrags) was maintained by about 4 people, and this was on a campus that included about thirty thousand students and faculty! Thousands of logged-in users at once, comfortably using a couple of computers that, if you added their processing capabilities together today, wouldn't be able to outdo an iPod Touch.

    Many of the classic software packages that people use today were created by and for the academic campus. TeX, BSD, the easy to use (suitable for non-techie) Pico editor, and so forth, all combined to make a system that with minimal training, one could get started on, and with man pages, one could learn about on the fly. It was good for the university that created the software, in the form of heightened prestige and perhaps lucrative government shekel rainstorms, and it was good for the community because most of this software was then just given away, meaning that the academic community in general benefited. Smaller schools could use the software on smaller hardware, and wouldn't have to shoulder a massive IT cost beyond some dumb terminals, some Macintoshes, and a mid-sized "super-mini." The idea that sharing and helping the broader academic community was something to be proud of, and was useful to academia as a whole, was dominant.

    Let's look at the situation now. IT services are managed by geniuses called "administrators" who probably couldn't code a "hello world" in BASIC, who hold MBAs, and who get all their IT information from Gartner or other such shill operations. The services they provide on-campus are shockingly similar to those one might have accessed over a 2400 baud modem in the early 1990s, except these services represent an enormous, ongoing cost. These campuses are entirely self-insufficient. Without access to external services, nothing would work, from payroll to class registration even down to the damn door locks in some cases! IT costs are an ever-increasing drain on the school's limited coffers, and the benefits are shrinking with the dollars spent. There is no incentive to create better software for the campus or academic IT in general, and thereby the whole academic world suffers. Just shoveling dollars into Google or MS Cloud or whatever hare-brained bullshit that the MIS types read is hot this week is destroying a lot of the in-built innovative potential of the university IT department.

    My wife is in the math department at a major school in the Pacific Northwest. Her school (one of the biggest in the PNW!) has changed its entire campus management software stack 3 times in the 5 years that she has been there. Other universities have similar records. I would consider this to be a monumental failure and it should be a wake-up call for universities everywhere.

    1. Re:This is why University IT sucks in general... by isorox · · Score: 2

      I completely agree. Same in corporations. The people with the purse strings will lap up the sales pitch from companies like ATOS and Capita, and flush the money down the toilet.

      In parallel, the people that have responsibility for IT in the company have it locked down tighter than Fort Knox. At least on paper. No one is allowed to create useful tools to fix problems in their department, it needs to go out to tender via a central funding pot.

      Eventually you get people that, on paper, are "sales", but in reality are the department "techie", who will build his own infrastructure running on tin cans and 3G dongles, outside of the corporate IT structure. This is great, the problem is the 4 centralised masterminds in your university of old aren't there to provide the guidance and oversight, so eventually department techie makes a misstep and the company gets big problems.

      Corporate IT needs to die, to be reborn with most of the work coming from people that are in the business.

  12. Re:The solution is.... by Brandon+Hume · · Score: 2

    I can't speak for Oxford, but I know at my workplace, traditionally it's the students who fall for it the *least*. Their numbers even out, but that's only because there's a hell of a lot more students. In general, the kids coming in today are reasonably technically-savvy and sceptical.

    In terms of percentages, the people you need to watch out for are the faculty. They're older, less experienced with modern technology, and frequently believe that a PhD in Aztec basket weaving means they've mastered life.

    --
    Brandon Hume
    hume -> BOFH.Halifax.NS.Ca, http://WWW.BOFH.Halifax.NS.Ca/

  13. Re:"The Tool" by Badge+17 · · Score: 2

    It's even worse than this. Occasionally, our University's IT actually does send out emails that sound like a phishing attack. The only difference is that they link to a legitimate website. However, because of the general mess of different sign-ons (e.g. billing, payroll, course schedule, parking, etc...) it takes me a while to remember if this is a real service or a fake one.

    I think, somewhat optimistically, that people can be trained to not send username/password over email. However, far too many things reinforce the "go to website linked in email, put in password" message for this to not work some percentage of the time. Maybe we need to normalize "exchange of information" type logins, where you won't input your password until the website provides a signal / response to a challenge?