Oxford Uni blocks Google Docs, points finger at Google over phishing fail

Google might not be evil, but its inaction makes phishing evil easier, says university's tech team.
Written by Liam Tung, Contributing Writer
Oxford University suspended Google Docs for two and a half hours on Monday.

After being bombarded by phishing attacks, Oxford University decided to block Google Docs for 2.5 hours on Monday, and has said Google should share some the blame for the outage.

According to Robin Stevens from Oxford University's network security team, the university took the decision after seeing a wave of phishing attacks aimed at getting logins and passwords for university systems, including email accounts, to send out spam. In order to get access to the accounts, the phishers used forms in Google Docs to get unsuspecting users to give up their details.

While the university had been reporting the forms to Google when they saw them, students were still falling victim to the phishing attacks — leaving it no option but to block Docs outright.

"Almost all the recent attacks have used Google Docs URLs, and in some cases the phishing emails have been sent from an already-compromised university account to large numbers of other Oxford users. Seeing multiple such incidents the other afternoon tipped things over the edge. We considered these to be exceptional circumstances and felt that the impact on legitimate university business by temporarily suspending access to Google Docs was outweighed by the risks to university business by not taking such action," Stevens wrote in a lengthy explanation on the OxCERT blog.

"It is fair to say that the impact on legitimate business was greater than anticipated, in part owing to the tight integration of Google Docs into other Google services," he added.

"While this wouldn't be effective for users on other networks, in the middle of the working day a substantial proportion of users would be on our network and actively reading email. A temporary block would get users' attention and, we hoped, serve to moderate the 'chain reaction'" of compromised accounts being used to compromise further accounts.

Despite what appears to be have been a severe impact on the business, Stevens warned it cannot rule out future blocks, albeit with a higher threshold. Oxford University is also looking at other technical measures that have less impact on legitimate network usage and is reviewing its emergency communications procedures.

OxCERT also puts some of the blame for the disruption on Google's "persistent failures to put a halt to criminal abuse of their systems in a timely manner".

"Google may not themselves be being evil, but their inaction is making it easier for others to conduct evil activities using Google-provided services," Stevens wrote.  

"If OxCERT are alerted to criminal abuse of a university website, we would certainly aim to have it taken down within two working hours, if not substantially quicker. Even out of official hours there is a good chance of action being taken. We have to ask why Google, with the far greater resources available to them, cannot respond better," he added.

ZDNet has asked Google for comment on the matter, and will update the story if we receive any. 

Editorial standards