Slashdot Mirror

← Back to Stories (view on slashdot.org)

Oxford Temporarily Blocks Google Docs To Fight Phishing

Posted by timothy on from the you've-been-cloud dept.

netbuzz writes "Fed up with phishers using Google Forms to commandeer campus email accounts as spam engines, Oxford University recently blocked access to Google Docs for two-and-a-half hours in what it called an 'extreme action' designed to get the attention of both its users and Google. 'Seeing multiple such incidents the other afternoon tipped things over the edge,' Oxford explains in a blog post. 'We considered these to be exceptional circumstances and felt that the impact on legitimate University business by temporarily suspending access to Google Docs was outweighed by the risks to University business by not taking such action.' The move generated widespread complaints from those affected, as well as criticism from outside network professionals."

17 of 128 comments (clear)

  1. Report Abuse by RedACE7500 · · Score: 5, Informative

    As an email system administrator for a Canadian university, we also see Google docs being increasingly used for phishing. We've also noticed Google's response to abuse reports has also improved considerably. If a few people submit an abuse report on a form, it will now usually get suspended in a matter of hours, where it used to take over a day. Unfortunately, those first few hours are the most critical when it comes to reacting to phishing.

    1. Re:Report Abuse by BlkRb0t · · Score: 3, Interesting

      How is Google Docs employed for phishing? Can anyone enlighten me here? I've used Google Docs at certain times and don't see how it can be used to tricking users to believe that it is the original site they're entering the data into. Or am I missing something here? Unless the users are really that dumb to enter their info.

    2. Re:Report Abuse by bruce_the_loon · · Score: 5, Informative

      You got it at the end. They set up a form on Google Docs, make it look vaguely professional and mail my users pretending to be me.

      Most non-IT academics and just about all admin staff at my university seem to believe anything they have emailed. The phishers are relying on the IT administrators' reticence to block all of docs.google.com. If I see a specialized URL, I'll probably block the whole site, but killing all of Google Docs is a big decision. So they get a longer time of access than the specialized site would give them.

      Yes, they are stupud, yes they don't listen. No, I have no idea what to do beyond a name and shame campaign that my bosses don't like.

      --
      Trying to become famous by taking photos. Visit my homepage please.
    3. Re:Report Abuse by Anonymous Coward · · Score: 3, Funny

      Perhaps instead of a Name and shame campaign; you can perform a campaign of inconvenience...

      When a user is found to be the victim of a phishing attack, put them on a daily password reset for a week or month.
      Forcing them to create new passwords daily will be annoying while not crippling to their productivity and may *help* them be more vigilant in the future.

    4. Re:Report Abuse by Archangel+Michael · · Score: 3, Insightful

      Or they will come up with a new password Scheme that is completely insecure.

      Old Password: password
      New Password: password19 (todays date)

      Tomorrow ....

      Old Password: password19
      New Password: password20

      that way, I can have 28-31 different passwords every month, without having to remember any one in particular.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    5. Re:Report Abuse by Brandon+Hume · · Score: 3, Interesting

      I'm the same for

      What I've done is written a script that generates random usernames and passwords and submits them to the form. The phishers then need to pick out the real stuff from the garbage I pumped in.

      I've had phishers delete a form before Google did, simply because I pissed them off too much. *Very* satisfying, let me tell you. :)

      Here's a phish I received just two hours ago: https://docs.google.com/forms/d/1RPht7SPAZywd3L13_lLMeB1pCAz6ufe6LX-S7YKtaR8/viewform
      Feel free to join in the fun and type some garbage! The spam that contained the link was even written to spoof the quarantine message from our own antispam appliances.

      --
      Brandon Hume
      hume -> BOFH.Halifax.NS.Ca, http://WWW.BOFH.Halifax.NS.Ca/
  2. It's a Google problem by SSpade · · Score: 4, Insightful

    Google docs is massively abused for phishing, and there doesn't seem to be much action by Google to prevent that.

    If Google paid more attention to preventing or mitigating abuse using their network, or even paid active attention to reports of abuse, people wouldn't have to resort to blocking them.

  3. How is it used for phishing? by Sedated2000 · · Score: 3, Interesting

    I, like others, would like to know exactly how Google Docs is used for phishing. I've used Google Docs off and on since it was made available. I can't think of a particular feature that would make it an enticing service to use for phishing.

    Can anyone offer an example or offer up an anecdote where they've encountered it?

    1. Re:How is it used for phishing? by bruce_the_loon · · Score: 4, Informative

      My university has been targetted too. They create a form on top of a spreadsheet, make it look legitimate because it can be customized and then email it around. http://www.gfi.com/blog/google-docs-phishing/

      It gets past a lot of protection layers because Google Docs is trusted/whitelisted by most IPS filter lists.

      --
      Trying to become famous by taking photos. Visit my homepage please.
    2. Re:How is it used for phishing? by Incadenza · · Score: 3, Informative

      These kind of tricks don't have anything to do with people not understanding technology - it has everyting to do with the scammers understanding psychology. There are lots of ways to raise to the trust people have in you (which are not rational at all) that seem to get exploited, either by knowledge or by experience, by scammers and fraudsters worldwide.

      One example would be the amounts 419 scammers ask to 'free your money'. Usually this is some weird amount like 423,50 instead of 500. Well, this is because a weird amount surprises us, and makes us more likely to believe the rest of the message!

      What is happening here might be related to the 'authority by proxy' mechanism (don't take my word on it, I am not a psychologist in any way, I just like to read the science section in the newspaper). This is where people find it more likely for something to be true when you quote somebody else as the source. I.e. if I say "Cucumbers are bad for your teeth" you are less likely to believe that then when I say "Doctors say cucumbers are bad for your teeth". But if I can lie about the cucumbers, I might as wll lie about the doctors - there is no rational difference.

  4. Here's the list of Google-hosted phishing sites. by Animats · · Score: 5, Interesting

    One of the things our SiteTruth system does is report on major sites that host phishing scams. There are only 34 such sites today. As it has been for several years now, Google is at the top of the list.

    Here's the list of all known phishing sites currently hosted by Google.. Scroll down through all that background data about the company to a big block of red "phishtank report (2013-02-01): Phony site reported via PhishTank." lines. Click on the links for a PhishTank report. The raw data comes mostly from PhishTank. Most exploitable hosting services (especially short-URL services) check PhishTank and the APWG list automatically, but not Google.

    Google has several vulnerabilities. It's possible to host an attack page not only on Google Sites and Google Docs, but also on Google Spreadsheets. Recently, Google added a new attack vector; there's an open redirector at Google Accounts.

    Amusingly, for some, but not all, of these phishing sites, Google's own anti-phishing warning pops up. But the part of Google that generates that blacklist clearly doesn't talk to the part of Google that does hosting.

    Here's the oldest phishing site hosted by Google. On line since 2010-12-30. It's one of those "Habbo Coins" phishing pages, probably forgotten by the original attacker, since it forwards to a dead Hotmail account.

    When we first started doing this analysis, Google wasn't on the list, because they didn't do hosting. There were about 150 sites listed in 2009. Through improved awareness, nagging and the Anti-Phishing Working Group, we're down to 34 - a few little sites with no clue, ones that just got hit by break-ins, and "bit.ly", which tries to keep up with their abuse problem but is falling behind. MSN, Yahoo, TinyURL, and most of the other big-time victims long ago solved their problems in this area. Google stands alone as a major service with an incompetent abuse department.

  5. Really? by Mullen · · Score: 4, Insightful

    I am really just shocked at how stupid people are to fill out a form on Google Docs with their passwords and username. I always recommend that people who fall for really obvious phishing attacks be fired but in this case, you can't fire students.

    --
    Linux O Muerte!
    1. Re:Really? by ravenswood1000 · · Score: 5, Funny

      Expel them for being too stupid to be in Oxford

  6. Re:that's a misrepresentation problem by hawguy · · Score: 4, Interesting

    Why is this at all google's fault? Why should they have to police google docs in such a fashion? Blame the people who suddenly decided phishing was a good idea.

    Because they are providing the tool that is so easily abused by phishers.

    It wasn't too long ago that open email relays were very common (and were quite useful), but now they are quickly blacklisted due to spammer abuse even though it's the spammer at fault, not the owner of the email relay.

    If I set up a booth outside your house giving away free universal keys that will open every lock in your house, you would probably have a problem with it even if the keys are perfectly legal to sell and have many legitimate uses. Even if it's only the criminals that will use the keys to break into your house, you probably wouldn't want me making it easier for them.

    You'd think that with all of the brain-power that Google has, they'd be able to come up with an automatic detection method for these scams that triggers an immediate manual review of suspected sites with a quick takedown - even though Google responds to abuse notifications within a few hours (as opposed to the few days it used to take them), a lot of personal information can be stolen in a few hours.

  7. or emeritus professors.... by fantomas · · Score: 4, Interesting

    Read the article. It's not stupid, it's being focussed somewhere else. As the article notes, a senior professor considered a world expert in Aztec culture or hunting Higgs Boson might not be an expert in IT, or focussing closely on IT forms when they are trying to crack a tricky problem in their field.

    I like it that you write off Oxford university academics and students as stupid. Mind you, to be fair I don't know where you got your education from ;-)

  8. staff using it to avoid IT politics as well by fantomas · · Score: 3, Informative

    I work on collaborative academic research projects. Rightly or wrongly some of these use free tools like Google docs for information sharing.across organisations and countries. It might not just be undergrad students but also paid employees not able to access important shared documents.

    I'd prefer it we used some better shared work environment but by crickey have you ever tried as a non computing specialist academic to persuade your central IT department that they should use the workspace environment that some other university's IT department wants to use instead of the local preference? Geek fight supreme. None of the IT departments in the different organisations want to back down and use somebody else's preferred option, and if your PhD isn't in Computing they sure aren't going to take your advice... so often academics say "sod the IT departments, let's all just use this free software we all know how to use and bypass the IT departments who aren't interested in supporting collaborations...

  9. Re:"The Tool" by hawguy · · Score: 3, Insightful

    You mean the university email system that delivers the malicious email?

    I have a crazy idea, tell users not to give personal information out by email. It's that simple.

    NEVER give out personal information by email.

    The university doesn't control all avenues of email delivery - some people use Yahoo, MSN, and other providers so even if they had a perfect phishing filter, some would still slip through other avenues.

    After you've worked in an IT help desk for a while, you'd learn that there is no way to get people to follow a simple "Don't do this because it's unsafe" policy (for one thing, the list of unsafe behaviors is longer than anyone can remember). Try telling your boss (or a tenured professor) "You're an idiot! We told you not to give out personal information on links clicked from an email", and he'll say "But look, this website has our university seal on it, and it said it was from the IT department so I thought it was safe".