Last week, police in Concord, California, arrested a high school student police say successfully deployed a series of phishing emails targeting teachers at his school in an attempt to change the grades of numerous students. Those emails provided a link to a site that appeared to be similar to an authentic grade portal, allowing the suspect to capture legitimate login credentials.
Citing the fact that the arrestee is under 18, the police department in Concord (which is 23 miles northeast of Oakland) has not released his name.
Curiously, the CPD also said that its officers were able to find an SD card hidden “in a tissue box that a normal person might not have checked” thanks to a police dog named Dug.
It is not clear precisely what the teenaged suspect was charged with.
Deborah A. Cooksey, the associate general counsel for the Mount Diablo Unified School District, emailed Ars to say that an investigation “is underway… that affords due process for all involved.”
“While we cannot comment specifically about a student due to their privacy rights, we can share that we have begun the process of school discipline in relation to this incident,” she wrote, declining to respond to Ars’ specific questions. “We also continue to monitor our computer systems and are working proactively with staff to avoid breaches in the future.”
The Concord Police Department did not immediately respond to Ars’ request for comment. However, Sgt. Carl Cruz, a police spokesman, told Bay Area TV station KTVU that the suspect was a high school student and “he seems to be very intelligent.”
Cruz explained that, with the fake site, “he was able to access the Mount Diablo Unified School District IT network and therefore get into the grade system,” noting that “10-15 students’ grades were changed, but we’re still investigating.”
The suspect amazingly granted KGO, another local TV station, an interview. While KGO has reported the 16-year-old’s name, Ars is withholding it here.
“It was like stealing candy from a baby,” he said.
The young student said it only took five minutes to craft the phishing email. School administrators only learned of the operation two weeks ago when an IT staffer found the message in a spam folder.