Earlier this week it was being widely reported that Oxford University had taken the drastic step of completely blocking Google Docs, after it had seen a dramatic increase in the number of phishing attacks exploiting the service, targeting staff and students.
What wasn’t so widely reported was that the University’s block was short-lived.
As Robin Stevens of IT Services in Oxford University explained in a blog post – docs.google.com was only blocked for 2.5 hours:
"Almost all the recent attacks have used Google Docs URLs, and in some cases the phishing emails have been sent from an already-compromised University account to large numbers of other Oxford users. Seeing multiple such incidents the other afternoon tipped things over the edge. We considered these to be exceptional circumstances and felt that the impact on legitimate University business by temporarily suspending access to Google Docs was outweighed by the risks to University business by not taking such action. While this wouldn’t be effective for users on other networks, in the middle of the working day a substantial proportion of users would be on our network and actively reading email. A temporary block would get users’ attention and, we hoped, serve to moderate the "chain reaction".
"It is fair to say that the impact on legitimate business was greater than anticipated, in part owing to the tight integration of Google Docs into other Google services. This was taken into account along with changes to the threats and balance of risks over the course of the afternoon, and after around two and a half hours, the restrictions on access to Google Docs were removed."
Here’s a typical example of a Google Docs phishing scam.
Firstly, you receive an email calling upon you to take immediate action.
Many computer users may not realise that even though the link really does points to Google Docs that it can still be malicious.
And if you click on the link? Here’s what you are shown:
In the blink of an eye, confidential passwords could be in the hands of the cybercriminals who created the phishing page. And, sadly, as many people make the mistake of using the same password for multiple websites they could have the keys to more than just your email.
My guess is that not many people notice the small print at the bottom of the page, where Google points out that it isn’t responsible for the content of the page and provides a small “Report abuse” link.
I can sympathise with the Oxford University IT staff, who must feel frustrated that users keep being duped into clicking on links to phishing pages hosted on Google Docs, but this medicine must have been a bitter pill to swallow.
Reading the blog post, it is also clear that IT staff at Oxford University feel frustrated that Google doesn’t do more to proactively police against cybercriminals abusing Google Docs forms, and the lengthy time it can take between reporting an abusive webpage and Google taking it down.
The fact that Oxford University had to block (albeit briefly) access to a major web resource in order to get the attention of its computer users, and wake them up to the risk of phishing attacks, is a shame.. but hopefully it will result in fewer accounts being hijacked in future.
Oxford University image from Shutterstock.
For five minutes I was speechless! I think it is quite a shock to hear about such a decision. It is supposed that the academic staff and students at such a famous university must have some basic knowledge in Internet and communications online. Internet fishing is primiarily dedicated to deceive stupid housemates and people with poor education level. Are the members of Oxford University academic want to be called "Internet Illiterates"?
(this applies also to @raymond's post)
It is a common misconception that common sense is the result of (or is necessary for) an academic career. Don't forget that a university has many divisions and "Internet" is not part of most curricula (the same is true for other aspects of human life like general education, social behaviour, "culture" or literacy outside one's special field). Being a university-IT insider since aeons I can assure you that a small but not insignificant percentage of the scholars is unteachable by normal means. The majority of them doesn't see a problem and refuses to take any advice on security. A smaller part listens but either fails to understand or forgets fast – their actions make a "stupid housemate" look like a genius. Or is there any excuse for replying (with your credentials) to a plain-text phishing mail which contains no reference to your institution which asks you in the name of some "Webmail Team" to *type in* your email address and credentials? Surprisingly (or maybe not) the success-rate of sophisticated spear-phishing attempts is not as high as you'd expect – therefore I think it's often carelessness when people fall for these scams.
Completely agree with the action that the IT Dept took. Access to Google Docs was only temporarily disabled at the cost of educating users as to the dangers of falling for this attack which sounds like it was getting out of control.
They could have mass-emailed all users but you can guarantee that most wouldn't have read the advice. Sometimes you have to take slightly more drastic measures for people to pay attention.
Also, ditto on what they said regarding Google doing more to help in this area.
“Internet fishing is primiarily dedicated to deceive stupid housemates and people with poor education level”
i don’t think that is fair.. there can be cases where one doesn’t expect a phishing webpage, or anything fishy, and so they assume that the webpage is OK.. i came very close to logging into a phishing webpage one time.. i was on a website and it looked like the website was asking me to login, in order to be able to access some content on the website.. i didn’t stop to think that it might be a phishing webpage, not until someone said “that’s a phishing webpage”, which it was..
We have tried to get google’s help due to one of these. It was like trying to help from GoDaddy on security issues.
We already block Google Docs, as we don't want to encourage staff to save sensitive material on resources not owned by our company. Here's yet another reason.
Very poor effort by Google to prevent this sort of phishing attacks especially when the forms are hosted on their servers and they are sending the email with spoofed addresses. Hopefully Google they have added some code in Docs so that they can catch the perpetrators and force them to use Yahoo!
I would have thought that to get to Oxford you have to be a bit brighter than average so why did so many fall for this fairly obvious scam. This seems to be my experience generally that often the people caught ny this sort of scam are often the so called brighter ones while ordinary working people seem to have a bit more common sense.