Oxford Blocks Google Docs in Response to Phishing Scams

The University of Oxford temporarily blocked Google Docs on Monday in an attempt to make its students and professors more aware of an increase in phishing scams that use the Web service.

In a blog post, Robin Stevens, a communications programmer at Oxford, said university officials had decided to take “extreme action” after what they perceived to be Google’s inaction on the issue.

In the schemes, attackers, often pretending to be from Oxford, send out Google Doc forms that ask users to enter their personal e-mail passwords. Students and faculty members deceived by the form then freely type in that information, unwittingly lending their account to the attacker.

“Almost all the recent attacks have used Google Docs URLs, and in some cases the phishing e-mails have been sent from an already-compromised university account to large numbers of other Oxford users,” said Mr. Stevens. “Seeing multiple such incidents the other afternoon tipped things over the edge.”

Mr. Stevens said that sometimes more than a million messages can be sent from a user’s e-mail account before anyone notices the attack.

Google released a statement saying that the company actively works to protect users from phishing attacks.

“Using Google Docs, or any of our products, for distribution or coordination of phishing is a violation of our product policies, and we will remove any forms or disable accounts discovered to be used for these purposes,” the statement said.

The university decided to block the site for two and half hours on Monday afternoon, a popular time for users to check their e-mail. The outage caused frustration among some professors and students. “It is fair to say that the impact on legitimate business was greater than anticipated, in part owing to the tight integration of Google Docs into other Google services,” Mr. Stevens said.

One user, who was among a number of readers who shared their negative reactions in the blog’s comments, said he was disappointed by Oxford’s response to the issue.

“It seemed like a point score against Google rather than a serious attempt to improve security,” the reader said.

Mr. Stevens concluded the blog post with a critique of Google, saying the university “will be pressuring Google that they need to be far more responsive, if not proactive, regarding abuse of their services for criminal activities.”

Oxford officials did not respond to requests for comment.

Return to Top