Earlier this week it was being widely reported that Oxford University had taken the drastic step of completely blocking Google Docs, after it had seen a dramatic increase in the number of phishing attacks exploiting the service, targeting staff and students.
What wasn’t so widely reported was that the University’s block was short-lived.
As Robin Stevens of IT Services in Oxford University explained in a blog post – docs.google.com was only blocked for 2.5 hours:
"Almost all the recent attacks have used Google Docs URLs, and in some cases the phishing emails have been sent from an already-compromised University account to large numbers of other Oxford users. Seeing multiple such incidents the other afternoon tipped things over the edge. We considered these to be exceptional circumstances and felt that the impact on legitimate University business by temporarily suspending access to Google Docs was outweighed by the risks to University business by not taking such action. While this wouldn’t be effective for users on other networks, in the middle of the working day a substantial proportion of users would be on our network and actively reading email. A temporary block would get users’ attention and, we hoped, serve to moderate the "chain reaction".
"It is fair to say that the impact on legitimate business was greater than anticipated, in part owing to the tight integration of Google Docs into other Google services. This was taken into account along with changes to the threats and balance of risks over the course of the afternoon, and after around two and a half hours, the restrictions on access to Google Docs were removed."
Here’s a typical example of a Google Docs phishing scam.
Firstly, you receive an email calling upon you to take immediate action.
Many computer users may not realise that even though the link really does points to Google Docs that it can still be malicious.
And if you click on the link? Here’s what you are shown:
In the blink of an eye, confidential passwords could be in the hands of the cybercriminals who created the phishing page. And, sadly, as many people make the mistake of using the same password for multiple websites they could have the keys to more than just your email.
My guess is that not many people notice the small print at the bottom of the page, where Google points out that it isn’t responsible for the content of the page and provides a small “Report abuse” link.
I can sympathise with the Oxford University IT staff, who must feel frustrated that users keep being duped into clicking on links to phishing pages hosted on Google Docs, but this medicine must have been a bitter pill to swallow.
Reading the blog post, it is also clear that IT staff at Oxford University feel frustrated that Google doesn’t do more to proactively police against cybercriminals abusing Google Docs forms, and the lengthy time it can take between reporting an abusive webpage and Google taking it down.
The fact that Oxford University had to block (albeit briefly) access to a major web resource in order to get the attention of its computer users, and wake them up to the risk of phishing attacks, is a shame.. but hopefully it will result in fewer accounts being hijacked in future.
Oxford University image from Shutterstock.