Police in Concord, California arrested a teenager earlier this week and charged him 14 felony counts after discovering the high schooler launched a phishing campaign directed at teachers in order to steal their passwords and change grades.
The 16-year-old student, whose name was not released because he’s a minor, was arrested Wednesday following an investigation launched by local law enforcement, with assistance from a Contra Costa County task force and the US Secret Service, KTVU reported.
Reports of the hack first started to trickle into police two weeks ago, when teachers in the Mount Diablo Unified School District started receiving suspicious emails in their inbox. As it turns out, they were part of a phishing attempt launched by the student.
The email messages contained a link that sent the recipients to a fake website constructed by the student to look like the school’s portal. If a teacher clicked on the link, they were directed to the site that would prompt them to enter their username and password. The site would record any information entered, allowing the student to hijack the teacher’s account.
Police reported at least one teacher did enter their information, which allowed the student to access the Mount Diablo Unified School District IT network and, in turn, the school’s grading system.
Once in the system, the student went to work modifying grades. Police told KTVU he changed the grades of between 10 to 15 students including his own. In some cases, he raised the grades of his classmates. In others, he lowered them, which seems like a real dick move, frankly.
Once law enforcement caught wind of the scheme, they obtained search warrants for IP addresses associated with the site in the phishing email. After that, it was a matter of what Concord Police Financial Crimes Supervisor Sgt. Carl Cruz described as “good old-fashioned police detective work” to trace it to the student’s address.
Officers showed up at his home with a search warrant and the K-9 unit, and one of the police dogs—who is named Dug and is believed to be a good boy—was able to sniff out a flash drive stuffed in a tissue box. The police didn’t seem to clarify what exactly was on the flash drive, but presumably it was related to the hack. If not, hey, free flash drive.
After being caught by the police, the student admitted to the crime and took a little victory lap, telling ABC7 News “It was like stealing candy from a baby.” He has since been suspended from his school, Ygnacio Valley High School, for the hack. Police released him to his parents while he waits for a court date to be set.
The young hacker joins a growing list of students who have sought to improve their grades without studying. Similar hacking schemes have been executed by students in Alabama, Louisiana, New Jersey, and New York, among others. A student at the University of Iowa changed grades more than 90 times and stole tests and exams after stealing passwords with a keylogger.
The trend says more about the cybersecurity preparedness of schools than anything. Most schools have notoriously outdated security practices, with one-third of K-12 schools failing to educate their faculty members on setting up secure passwords, according to a survey conducted by Education Week. Maybe instead of hitting the kids with felony charges, give them some extra credit to help patch up the school’s porous network.