After targeting teachers with a phishing scam, a 16-year-old student at Ygnacio Valley High School was reportedly arrested by police in Concord, California, on 10 May. The young man hacked into the computer system of Mount Diablo Unified School District and changed not only his grades but those of other students as well.
KTVU reported that teachers began reporting suspicious emails in their inboxes two weeks ago, at which point the police called in the U.S. Secret Service and a Contra Costa County task force.
"We wrote numerous search warrants to get the IP addresses of the possible phishing site email. We got it and we did good old-fashioned police detective work and we narrowed it down to an address," Sgt. Carl Cruz, the Concord Police financial crimes supervisor, told KTVU.
Investigators traced the attack back to the student’s house, revealing that the messages were part of a phishing campaign. A malicious link within the messages directed the email recipients to a fake website.
Once on the fraudulent, student-created site, which mirrored the school’s portal, teachers were prompted to enter their user credentials. “The site would record any information entered, allowing the student to hijack the teacher’s account,” Gizmodo reported. According to Concord police, at least one teacher did enter their username and password, which gave the student access to the school’s grading system.
“This was a classic credential harvesting phishing scam – basic security awareness training could have prevented this attack. Maybe it was the teacher, but, whatever the reason, it’s no secret that the education sector has limited finances and cybersecurity is not a top priority,” said Bob Adams, cybersecurity expert, Mimecast.
Police believe the student changed the grades of 10–15 students, raising some, while lowering others. Because the student is a juvenile, his name remains withheld; however, he has been arrested on 14 felony counts.
In related news, another student in East Brewton, Alabama, who also hacked into the computer system at W.S. Neal High School to change grades, has yet to be identified. Seniors still don’t know who their valedictorian will be for their graduation ceremony scheduled for 22 May.
Escambia County superintendent of education John Knott wrote in an email today, "W. S. Neal High School administrators reported discrepancies where grades on report cards didn't match their transcripts. We reported our findings to the Alabama State Department of Education and law enforcement and began an investigation into the matter. We have also brought in additional resources that could aid in this investigation to determine the facts and resolve this matter.
"We are determined to make sure the records are correct, to ascertain how these changes happened, and hold all that may be involved accountable. We are working to complete this process in order to release to the top 10 students, including the valedictorian and salutatorian, by graduation."
High school hacking is nothing new, nor are phishing scams.
“Unfortunately, there isn’t one industry deemed ‘safe’ when it comes to targeted attacks. Hospitals, religious organizations, charities and even schools have all been, and will continue to be, targeted by any number of individuals for any number of reasons,” said Adams.
According to a 2017 survey on email security conducted by Glasswall Solutions, 75% of surveyed employees receive suspicious emails, and 62% admitted they do not usually check the legitimacy of email attachments that come from unknown sources.
“No matter what the size or type of organization, it only takes one employee and one click to open you up to risk,” said Greg Sim, CEO of Glasswall Solutions.