California High Schooler Changes Grades After Phishing Teachers, Gets 14 Felonies for His Efforts


Police in Concord, California arrested a teenager earlier this week and charged him with 14 felony counts after discovering the high schooler launched a phishing campaign directed at teachers in order to steal their passwords and change grades.


The 16-year-old student, whose name was not released because he’s a minor, was arrested Wednesday following an investigation launched by local law enforcement, with assistance from a Contra Costa County task force and the US Secret Service, KTVU reported.

Reports of the hack first started to trickle into police two weeks ago, when teachers in the Mount Diablo Unified School District started receiving suspicious emails in their inbox. As it turns out, they were part of a phishing attempt launched by the student.

The email messages contained a link that sent the recipients to a fake website constructed by the student to look like the school’s portal. If a teacher clicked on the link, they were directed to the site that would prompt them to enter their username and password. The site would record any information entered, allowing the student to hijack the teacher’s account.

Police reported at least one teacher did enter their information, which allowed the student to access the Mount Diablo Unified School District IT network and, in turn, the school’s grading system.

Once in the system, the student went to work modifying grades. Police told KTVU he changed the grades of between 10 and 15 students, including his own. In some cases, he raised the grades of his classmates. In others, he lowered them, which seems like a real dick move, frankly.

Once law enforcement caught wind of the scheme, they obtained search warrants for IP addresses associated with the site in the phishing email. After that, it was a matter of what Concord Police Financial Crimes Supervisor Sgt. Carl Cruz described as “good old-fashioned police detective work” to trace it to the student’s address.


Officers showed up at his home with a search warrant and the K-9 unit, and one of the police dogs—who is named Dug and is believed to be a good boy—was able to sniff out a flash drive stuffed in a tissue box. The police didn’t seem to clarify what exactly was on the flash drive, but presumably it was related to the hack. If not, hey, free flash drive.

After being caught by the police, the student admitted to the crime and took a little victory lap, telling ABC7 News “It was like stealing candy from a baby.” He has since been suspended from his school, Ygnacio Valley High School, for the hack. Police released him to his parents while he waits for a court date to be set.


The young hacker joins a growing list of students who have sought to improve their grades without studying. Similar hacking schemes have been executed by students in Alabama, Louisiana, New Jersey, and New York, among others. A student at the University of Iowa changed grades more than 90 times and stole tests and exams after stealing passwords with a keylogger.

The trend says more about the cybersecurity preparedness of schools than anything. Most schools have notoriously outdated security practices, with one-third of K-12 schools failing to educate their faculty members on setting up secure passwords, according to a survey conducted by Education Week. Maybe instead of hitting the kids with felony charges, give them some extra credit to help patch up the school’s porous network.



Nights and weekends editor, Gizmodo



It is totally unsurprising and yet still baffling to me that a teacher (or any adult, really) would fall for a phishing scam in 2018. I work at a university and we get phishing e-mails all the time, as do my friends who work at public school systems. Our software is pretty good at filtering it out, thank god, because let me tell you how many of the dum-dums I work with who would reply to every single phishing e-mail with their name, password, social security number and bank statement if asked. It is truly flummoxing how readily they believe an e-mail to be legit. We get these e-mails so frequently that my default on any e-mail is to be suspicious and verify it came from our institution. Usually it’s a pretty easy process of checking the sender’s e-mail. But you would not believe how many of my colleagues would look at an e-mail address like this——and think it was part of our system (I don’t work at OU, was just using it as an example).

We once had an internet security workshop that started with the instructor saying “Your internet security is only as good as your dumbest colleague.” And it’s totally true. Unfortunately, many of my terribly intelligent colleagues are idiots when it comes to technology. We switched to two-factor authentication on any network sign-in last year, and while it’s a mild annoyance to use every time you log in to the system, it would have prevented something like this. The kid may have gotten a password, but he couldn’t have gotten into the system without also having that particular person’s cell phone on him to complete the second level of authentication.