Slashdot Mirror

← Back to Stories (view on slashdot.org)

Oxford Temporarily Blocks Google Docs To Fight Phishing

Posted by timothy on from the you've-been-cloud dept.

netbuzz writes "Fed up with phishers using Google Forms to commandeer campus email accounts as spam engines, Oxford University recently blocked access to Google Docs for two-and-a-half hours in what it called an 'extreme action' designed to get the attention of both its users and Google. 'Seeing multiple such incidents the other afternoon tipped things over the edge,' Oxford explains in a blog post. 'We considered these to be exceptional circumstances and felt that the impact on legitimate University business by temporarily suspending access to Google Docs was outweighed by the risks to University business by not taking such action.' The move generated widespread complaints from those affected, as well as criticism from outside network professionals."

9 of 128 comments (clear)

  1. Report Abuse by RedACE7500 · · Score: 5, Informative

    As an email system administrator for a Canadian university, we also see Google docs being increasingly used for phishing. We've also noticed Google's response to abuse reports has also improved considerably. If a few people submit an abuse report on a form, it will now usually get suspended in a matter of hours, where it used to take over a day. Unfortunately, those first few hours are the most critical when it comes to reacting to phishing.

    1. Re:Report Abuse by bruce_the_loon · · Score: 5, Informative

      You got it at the end. They set up a form on Google Docs, make it look vaguely professional and mail my users pretending to be me.

      Most non-IT academics and just about all admin staff at my university seem to believe anything they have emailed. The phishers are relying on the IT administrators' reticence to block all of docs.google.com. If I see a specialized URL, I'll probably block the whole site, but killing all of Google Docs is a big decision. So they get a longer time of access than the specialized site would give them.

      Yes, they are stupud, yes they don't listen. No, I have no idea what to do beyond a name and shame campaign that my bosses don't like.

      --
      Trying to become famous by taking photos. Visit my homepage please.
  2. It's a Google problem by SSpade · · Score: 4, Insightful

    Google docs is massively abused for phishing, and there doesn't seem to be much action by Google to prevent that.

    If Google paid more attention to preventing or mitigating abuse using their network, or even paid active attention to reports of abuse, people wouldn't have to resort to blocking them.

  3. Here's the list of Google-hosted phishing sites. by Animats · · Score: 5, Interesting

    One of the things our SiteTruth system does is report on major sites that host phishing scams. There are only 34 such sites today. As it has been for several years now, Google is at the top of the list.

    Here's the list of all known phishing sites currently hosted by Google.. Scroll down through all that background data about the company to a big block of red "phishtank report (2013-02-01): Phony site reported via PhishTank." lines. Click on the links for a PhishTank report. The raw data comes mostly from PhishTank. Most exploitable hosting services (especially short-URL services) check PhishTank and the APWG list automatically, but not Google.

    Google has several vulnerabilities. It's possible to host an attack page not only on Google Sites and Google Docs, but also on Google Spreadsheets. Recently, Google added a new attack vector; there's an open redirector at Google Accounts.

    Amusingly, for some, but not all, of these phishing sites, Google's own anti-phishing warning pops up. But the part of Google that generates that blacklist clearly doesn't talk to the part of Google that does hosting.

    Here's the oldest phishing site hosted by Google. On line since 2010-12-30. It's one of those "Habbo Coins" phishing pages, probably forgotten by the original attacker, since it forwards to a dead Hotmail account.

    When we first started doing this analysis, Google wasn't on the list, because they didn't do hosting. There were about 150 sites listed in 2009. Through improved awareness, nagging and the Anti-Phishing Working Group, we're down to 34 - a few little sites with no clue, ones that just got hit by break-ins, and "bit.ly", which tries to keep up with their abuse problem but is falling behind. MSN, Yahoo, TinyURL, and most of the other big-time victims long ago solved their problems in this area. Google stands alone as a major service with an incompetent abuse department.

  4. Re:How is it used for phishing? by bruce_the_loon · · Score: 4, Informative

    My university has been targetted too. They create a form on top of a spreadsheet, make it look legitimate because it can be customized and then email it around. http://www.gfi.com/blog/google-docs-phishing/

    It gets past a lot of protection layers because Google Docs is trusted/whitelisted by most IPS filter lists.

    --
    Trying to become famous by taking photos. Visit my homepage please.
  5. Really? by Mullen · · Score: 4, Insightful

    I am really just shocked at how stupid people are to fill out a form on Google Docs with their passwords and username. I always recommend that people who fall for really obvious phishing attacks be fired but in this case, you can't fire students.

    --
    Linux O Muerte!
    1. Re:Really? by ravenswood1000 · · Score: 5, Funny

      Expel them for being too stupid to be in Oxford

  6. Re:that's a misrepresentation problem by hawguy · · Score: 4, Interesting

    Why is this at all google's fault? Why should they have to police google docs in such a fashion? Blame the people who suddenly decided phishing was a good idea.

    Because they are providing the tool that is so easily abused by phishers.

    It wasn't too long ago that open email relays were very common (and were quite useful), but now they are quickly blacklisted due to spammer abuse even though it's the spammer at fault, not the owner of the email relay.

    If I set up a booth outside your house giving away free universal keys that will open every lock in your house, you would probably have a problem with it even if the keys are perfectly legal to sell and have many legitimate uses. Even if it's only the criminals that will use the keys to break into your house, you probably wouldn't want me making it easier for them.

    You'd think that with all of the brain-power that Google has, they'd be able to come up with an automatic detection method for these scams that triggers an immediate manual review of suspected sites with a quick takedown - even though Google responds to abuse notifications within a few hours (as opposed to the few days it used to take them), a lot of personal information can be stolen in a few hours.

  7. or emeritus professors.... by fantomas · · Score: 4, Interesting

    Read the article. It's not stupid, it's being focussed somewhere else. As the article notes, a senior professor considered a world expert in Aztec culture or hunting Higgs Boson might not be an expert in IT, or focussing closely on IT forms when they are trying to crack a tricky problem in their field.

    I like it that you write off Oxford university academics and students as stupid. Mind you, to be fair I don't know where you got your education from ;-)