Oxford University briefly blocks Google Docs in anti-phishing effort

Blamed 'persistent failures' by Google to stop abuse, but removed block after two hours

Faced with an epidemic of phishing attacks on its academic networks, Oxford University took drastic measures: It blocked Google Docs.

The tactic was short-lived, however.

"It is fair to say that the impact on legitimate business was greater than anticipated, in part owing to the tight integration of Google Docs into other Google services," Robin Stevens, of Oxford's Computer Emergency Response Team (OxCERT) wrote in a university blog Monday.

After weighing the disruption caused by the blockage, the university removed it after about two and a half hours, he said.

"It certainly gets rid of that particular problem pretty effectively, but it is something of a sledgehammer to crack a nut," Graham Cluley, a senior technology consultant with cyber security software maker Sophos said via email.

[See also: Malware uses Google Docs as proxy to command and control server]

Stevens explained that Oxford's problem stemmed from phishers creating form pages using Google Docs. Links to the pages are embedded in spam mails. When a link is clicked, a target is taken to the page where email account information can be gleaned from them.

Phishers want that information so they can use the account to send out spam -- lots of spam.

"Universities tend to have well-connected email systems which are generally considered reputable by other email providers," Stevens explained. "In the absence of effective monitoring, it can be easy for over a million messages to be sent out before someone happened to notice."

Oxford has had problems with its email reputation being tarnished by spammers. For several days in October 2011, for example, Microsoft's Hotmail rejected all mail from the university because too much of its outbound email was being marked as spam by the webmail service.

Some of the blame for the recent wave of phishing attacks on Oxford can be dumped on Google's doorstep, Stevens argued. "Google's persistent failures to put a halt to criminal abuse of their systems in a timely manner is having severe consequences for us, and for many other institutions," he wrote.

When OxCert is alerted to a university website being criminally abused, it aims to take it down within two working hours, if not quicker, he said. In the past, it has taken weeks to get Google to act, he said, though more recently those times have been reduced to one or two days.

"We have to ask why Google, with the far greater resources available to them, cannot respond better," he wrote. "Google may not themselves be being evil, but their inaction is making it easier for others to conduct evil activities using Google-provided services."

Google, in an email statement, said that it "actively works to protect our users from phishing attempts."

"Using Google Docs, or any of our products, for distribution or coordination of phishing is a violation of our product policies, and we will remove any forms or disable accounts discovered to be used for these purposes," the company said.

Google isn't alone as a target by phishers for shenanigans, according to Patrick Peterson founder and CEO of Agari, an email security provider. "This is an all too common occurrence," he said. "Anytime somebody has a free online service, criminals beat a path to that service."

"Google Docs is massively popular so it's one of their favorites," he said.

In the Oxford case, he continued, the university decided that since it couldn't stop the phishing, it could stop the credentials from being exfiltrated through Google Docs. "It's better than nothing, but it's a crappy way to run an Internet."

While Oxford is understandably upset with Google, its dissatisfaction may be misdirected. "Google has been

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)