Oxford University briefly blocks Google Docs in anti-phishing effort

Faced with an epidemic of phishing attacks on its academic networks, Oxford University took drastic measures: It blocked Google Docs.

The tactic was short-lived, however.

"It is fair to say that the impact on legitimate business was greater than anticipated, in part owing to the tight integration of Google Docs into other Google services," Robin Stevens, of Oxford's Computer Emergency Response Team (OxCERT), wrote in a university blog Monday.

After weighing the disruption caused by the blockage, the university removed it after about two and a half hours, he said.

"It certainly gets rid of that particular problem pretty effectively, but it is something of a sledgehammer to crack a nut," Graham Cluley, a senior technology consultant with cyber security software maker Sophos, said via email.


Stevens explained that Oxford's problem stemmed from phishers creating form pages using Google Docs. Links to the pages are embedded in spam emails. When a target clicks a link, they are taken to the page, where their email account information can be gleaned.

Phishers want that information so they can use the account to send out spam -- lots of spam.

"Universities tend to have well-connected email systems which are generally considered reputable by other email providers," Stevens explained. "In the absence of effective monitoring, it can be easy for over a million messages to be sent out before someone happened to notice."

Oxford has had problems with its email reputation being tarnished by spammers. For several days in October 2011, for example, Microsoft's Hotmail rejected all mail from the university because too much of its outbound email was being marked as spam by the webmail service.

Some of the blame for the recent wave of phishing attacks on Oxford can be dumped on Google's doorstep, Stevens argued. "Google's persistent failures to put a halt to criminal abuse of their systems in a timely manner is having severe consequences for us, and for many other institutions," he wrote.

When OxCERT is alerted to a university website being criminally abused, it aims to take it down within two working hours, if not quicker, he said. In the past, it has taken weeks to get Google to act, he said, though more recently those times have been reduced to one or two days.

"We have to ask why Google, with the far greater resources available to them, cannot respond better," he wrote. "Google may not themselves be being evil, but their inaction is making it easier for others to conduct evil activities using Google-provided services."

Google, in an email statement, said that it "actively works to protect our users from phishing attempts."

"Using Google Docs, or any of our products, for distribution or coordination of phishing is a violation of our product policies, and we will remove any forms or disable accounts discovered to be used for these purposes," the company said.

Google isn't the only target of phishers' shenanigans, according to Patrick Peterson, founder and CEO of Agari, an email security provider. "This is an all too common occurrence," he said. "Anytime somebody has a free online service, criminals beat a path to that service."

"Google Docs is massively popular so it's one of their favorites," he said.

In the Oxford case, he continued, the university decided that since it couldn't stop the phishing, it could stop the credentials from being exfiltrated through Google Docs. "It's better than nothing, but it's a crappy way to run an Internet."

While Oxford is understandably upset with Google, its dissatisfaction may be misdirected. "Google has been

Stories by John P. Mello Jr.

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place