The Washington PostDemocracy Dies in Darkness

Hackers tried to change grades at Virginia high school, police say

Hackers attempted to change grades at a Fairfax County high school, using a cunning attack that began with an email from a school panel charged with upholding honor and integrity, according to a search warrant.

Oakton High School in Vienna, Va., is just the latest in a string of secondary schools, colleges and universities nationwide to be targeted — often by meddling students — in attempts to turn F’s into A’s in virtual grade books.

It’s not yet clear who is behind this hack, which began around November when emails were sent from a known Oakton High School Honor Council account that featured a link that purported to take readers to news about the student organization, according to the search warrant filed in Fairfax County court.

Detectives wrote that the link actually caused a reader’s computer to download software, which surreptitiously records keystrokes and then sends them via email or other means to the hacker.

“Key logger” programs can record passwords, email log-ins, credit card numbers or other sensitive information and have become a popular technique for gaining access to school systems.

After the emails began circulating, there were multiple cases of grade changes being requested, as well as students’ passwords being changed and emails being sent through remote log-ins, according to the search warrant. The court document does not say whether the hackers were successful in changing any grades, and Fairfax County Public Schools officials declined to say.

“FCPS discovered the possible unauthorized access of student records and referred our findings to law enforcement,” schools spokesman John Torre wrote in an email. “Since this is an active investigation, we’re not providing any additional comment at this time.”

In another attack, someone used a virtual private network, which can shield a user’s identity, to remotely log into the county school system’s website to access a teacher’s account, according to the search warrant. The person then changed passwords for several students using a password recovery tool.

Information technology specialists were able to recover an IP address for the virtual private network, a detective wrote. The search warrant was filed so that county detectives could obtain details about the source of the IP address from an Internet service provider.

County police said that the investigation into the case continues and that no arrests have been made. Representatives of the honor council could not be reached for comment.

Hacks aimed at changing grades have exploded in recent years. Last month, a University of Georgia student was charged with 80 counts after he reportedly hacked into a professor’s computer to change his grades. A former University of Iowa wrestler was charged federally last year after authorities said he hacked into school computers to obtain advance copies of exams and alter his grades and those of other students.

Grade hacking has even spawned a cottage industry. Some hackers are offering their services to break into school computer systems to change grades. Tutorials on YouTube and other sites offer step-by-step guides to carry out do-it-yourself hacks.