Google Security Technology

Oxford Temporarily Blocks Google Docs To Fight Phishing 128

Posted by timothy
from the you've-been-cloud dept.
netbuzz writes "Fed up with phishers using Google Forms to commandeer campus email accounts as spam engines, Oxford University recently blocked access to Google Docs for two-and-a-half hours in what it called an 'extreme action' designed to get the attention of both its users and Google. 'Seeing multiple such incidents the other afternoon tipped things over the edge,' Oxford explains in a blog post. 'We considered these to be exceptional circumstances and felt that the impact on legitimate University business by temporarily suspending access to Google Docs was outweighed by the risks to University business by not taking such action.' The move generated widespread complaints from those affected, as well as criticism from outside network professionals."

  • Report Abuse (Score:5, Informative)

    by RedACE7500 (904963) on Tuesday February 19, 2013 @02:27PM (#42946765)

    As an email system administrator for a Canadian university, we also see Google Docs being increasingly used for phishing. We've also noticed Google's response to abuse reports has improved considerably. If a few people submit an abuse report on a form, it will now usually get suspended in a matter of hours, where it used to take over a day. Unfortunately, those first few hours are the most critical when it comes to reacting to phishing.

  • Re:Report Abuse (Score:5, Informative)

    by bruce_the_loon (856617) on Tuesday February 19, 2013 @02:43PM (#42946889) Homepage

    You got it at the end. They set up a form on Google Docs, make it look vaguely professional and mail my users pretending to be me.

    Most non-IT academics and just about all admin staff at my university seem to believe anything they have emailed. The phishers are relying on the IT administrators' reticence to block all of docs.google.com. If I see a specialized URL, I'll probably block the whole site, but killing all of Google Docs is a big decision. So they get a longer time of access than the specialized site would give them.

    Yes, they are stupid, yes they don't listen. No, I have no idea what to do beyond a name and shame campaign that my bosses don't like.

  • by bruce_the_loon (856617) on Tuesday February 19, 2013 @02:52PM (#42946947) Homepage

    My university has been targeted too. They create a form on top of a spreadsheet, make it look legitimate because it can be customized and then email it around. http://www.gfi.com/blog/google-docs-phishing/

    It gets past a lot of protection layers because Google Docs is trusted/whitelisted by most IPS filter lists.

  • by Incadenza (560402) on Tuesday February 19, 2013 @03:50PM (#42947513)

    These kinds of tricks don't have anything to do with people not understanding technology - it has everything to do with the scammers understanding psychology. There are lots of ways to raise the trust people have in you (which are not rational at all) that seem to get exploited, either by knowledge or by experience, by scammers and fraudsters worldwide.

    One example would be the amounts 419 scammers ask to 'free your money'. Usually this is some weird amount like 423,50 instead of 500. Well, this is because a weird amount surprises us, and makes us more likely to believe the rest of the message!

    What is happening here might be related to the 'authority by proxy' mechanism (don't take my word on it, I am not a psychologist in any way, I just like to read the science section in the newspaper). This is where people find it more likely for something to be true when you quote somebody else as the source. I.e. if I say "Cucumbers are bad for your teeth" you are less likely to believe that than when I say "Doctors say cucumbers are bad for your teeth". But if I can lie about the cucumbers, I might as well lie about the doctors - there is no rational difference.

  • by fantomas (94850) on Tuesday February 19, 2013 @03:57PM (#42947589)

    I work on collaborative academic research projects. Rightly or wrongly some of these use free tools like Google Docs for information sharing across organisations and countries. It might not just be undergrad students but also paid employees not able to access important shared documents.

    I'd prefer it if we used some better shared work environment but by crikey have you ever tried as a non computing specialist academic to persuade your central IT department that they should use the workspace environment that some other university's IT department wants to use instead of the local preference? Geek fight supreme. None of the IT departments in the different organisations want to back down and use somebody else's preferred option, and if your PhD isn't in Computing they sure aren't going to take your advice... so often academics say "sod the IT departments, let's all just use this free software we all know how to use and bypass the IT departments who aren't interested in supporting collaborations..."
