Dormitory Phishing

by Anonymous

I work as a student staff member in the dormitories of a large university, and one of my female coworkers was recently threatened by a resident.

She got a nasty Facebook message with gender, racial, and personal slurs along with some "watch your back" type stuff.

Housing (our employer) hung her out to dry: they weren't willing to do anything for her safety.  I decided to step in and offer my computer skills to help trace the culprit.  In the end, he wasn't found and she quit for her own safety, but I'm saving the tool for any future incidents.

The threat came in the form of a Facebook message from a newly created account.  Facebook doesn't divulge information about accounts, so I had to trick the culprit into giving himself away.  I decided to phish him out.

To begin, I installed the Tomcat server on my laptop, and set up a new folder called html to hold the JSP and servlet files.  My university has a central authentication service that all students use to log in to various network resources.  I copied the source code of the login page and made a duplicate on my server.  CAS has a "digital thumbprint" on the login page that, on close inspection, is missing on my version of the page, but the difference is not obvious to the casual user.

I wrote a Java servlet to take the login data and record it to a text file.  It also records the IP address of anybody who even accesses the page, just in case the culprit chickens out before logging in.  We could have tracked the computer with just the IP address, but with the login information we could do all sorts of malicious "administrative" tasks, like drop the user from all their classes or order them 100 transcripts.  Or turn them in.

The way that the dormitory network is set up is such that only somebody in the local physical area could access my server, since I can't access the network routers and set up port forwarding.  This meant that the culprit would have to be in his room to reach the fake login page, and that any authorities searching for the server (from their offices) couldn't find it.  Neat.

The general plan was to reply to the Facebook message with a link to the fake login page, and entice the culprit to click on it and hopefully "log in."  The Facebook message was the weak link in the plan.  I had heard about the problem three days later, and it took me another three days to develop the solution and test it.  By the time I could deploy the server, the Facebook account was deactivated, and we couldn't send him the message.

I'm saving the files for the next time something like this happens.  If Housing won't take care of us, then the least we can do is to look out for one another.  I've got your back.
