A 16-year-old high school student in Concord, California has been charged with 14 felonies after creating a phishing email targeted at his teachers, hijacking their details to log in to the Mount Diablo Unified School District computer system and changing the grades of a handful of classmates.
He may be in big trouble, but he truly deserves an A+ in computer science.
According to a report by KTVU, the drama began to unfold a little over two weeks ago, when Ygnacio Valley High School's IT department informed the police that numerous staff had received suspicious emails prompting them to click a link to what appeared to be the school’s employee portal login page. In reality, it was a near-exact replica of the website that recorded username and password details and sent them back to the student.
Though most were suspicious, one teacher did enter their account information, giving the student all he needed to access the grade system.
"We believe 10-15 students' grades were changed, but we're still investigating," Sergeant Carl Cruz of the Concord Police Financial Crimes department told KTVU.
In order to reveal the culprit, Concord police formed a task force with US Secret Service staff and Contra Costa County digital crimes experts. After using warrants to trace IP addresses, the team was able to track the origin of the phishing attack to the student’s home.
Once inside the student’s home, investigators used an efficient yet low-tech method for locating evidence. An electronics-sniffing dog named Dug apparently found an incriminating flash drive – or according to a conflicting report, an SD card – hidden in a box of tissues.
It is unclear what was on the drive, but according to Gizmodo, the sassy youngster admitted to the website breach when arrested by the task force last Wednesday. He also owned up to raising the grades of some peers and lowering those of several others.
Initially, the student's identity was unknown because officials cannot share the names of minors. But following his release into his parents’ custody on Thursday, David Rotaro sat down for an interview with ABC-7.
“It was like taking candy from a baby,” said the fresh-faced sophomore, who is currently awaiting a trial date. He added that creating the phishing email only took five minutes and he did not alter his own grades. "I did kinda want to give awareness to cyber security," he said.
It may be difficult to believe Rotaro's motivations, but his assessment is correct. Duplicating websites to steal login information is incredibly easy, particularly for code-savvy individuals who have lived their entire existence in the digital age. And despite public awareness campaigns, employer training, and years of headlines describing the latest scams, many people still fall for phishing.
One reason this continues to occur is that hackers are creating ever-more sophisticated campaigns. The other reason? People are gullible.