Phishing attacks have been a key part of some of the most high-profile hacks in recent years, but they’re also used in smaller, less diabolical schemes as well. KTVU reports that a student at Ygnacio Valley High School in California used a phishing scam to access the school district’s computer system and change a number of students’ grades. He was arrested last week on 14 felony counts.
The student, David Rotaro, created a fake website that looked identical to the school’s and then sent emails to teachers in an attempt to get them to sign into his fake site. At least one did, which allowed Rotaro to collect their login and password info. He then reportedly used that information to get into the Mount Diablo Unified School District IT network where he then changed other students’ grades — he even lowered some. Some reports note that he changed his own grades as well while others say he only tweaked those of his fellow students. “We believe 10 to 15 students’ grades were changed, but we’re still investigating,” Sgt. Carl Cruz told KTVU.
The police obtained search warrants for the IP addresses associated with the phishing emails. And those eventually led them to Rotaro’s home where an electronics-sniffing police dog found a flash drive hidden in a tissue box.
Rotaro has been suspended and is waiting for a court date. He has since apologized and told KPIX that he would like to work in IT in the future. As Gizmodo notes, this isn’t the first time a student has hacked their way into a school’s grading system, with similar schemes having gone down in states like Alabama, Louisiana, New Jersey, New York, Georgia, Kansas and Iowa. Rotaro claimed that highlighting cybersecurity issues was part of the reason he hacked into the school’s system