Student charged by FBI for hacking his grades more than 90 times

A+

In college, you can use your time to study. Or then again, you could perhaps rely on the Hand of God.

And when I say “Hand of God,” what I really mean is “keylogger.”

Think of it like the “Nimble Fingers of God.”

“Hand of God” (that makes sense) and “pineapple” (???) are two of the nicknames allegedly used to refer to keyloggers used by a former University of Iowa wrestler and student who was arrested last week on federal computer-hacking charges in a high-tech cheating scheme.

According to the New York Times, Trevor Graves, 22, is accused in an FBI affidavit of working with an unnamed accomplice to secretly plug keyloggers into university computers in classrooms and in labs. The FBI says keyloggers allowed Graves to record whatever his professors typed, including credentials to log into university grading and email systems.

Court documents allege that Graves intercepted exams and test questions in advance and repeatedly changed grades on tests, quizzes and homework assignments. This went on for 21 months – between March 2015 and December 2016. The scheme was discovered when a professor noticed that a number of Graves’ grades had been changed without her authorization. She reported it to campus IT security officials.

The FBI affidavit claims that Graves changed his grades more than 90 times during those 21 months. He also allegedly changed grades on numerous occasions for at least five of his classmates.

Grades were allegedly tweaked in a wide range of classes, including in business, engineering and chemistry.

The FBI said it spoke with one student who told them that Graves shared copies of about a dozen exams before students sat down to take them. According to the FBI, the student said that he/she accepted the stolen exam, given that everybody else was doing it and they didn’t want their grade to suffer in comparison:

He/she knew Graves was providing the copies to other students and did not want the grading curve to negatively impact his/her scores.

When investigators searched Graves’ off-campus apartment in Iowa City in January. They seized keyloggers, cellphones and thumb drives that allegedly contained copies of intercepted exams. The FBI says one of the phones contained a screenshot showing Graves being logged into a professor’s email account. It highlighted an attachment entitled “exam,” according to the FBI affidavit.

Some of the alleged discussions found in text messages on Graves’ phone:

  • Graves instructing a classmate to go to a microeconomics class to confirm that the teacher logged into her account and “that we acquired the info.”
  • Graves and an associate referring to a keylogger as a large tropical fruit. “Pineapple hunter is currently laying in wait in a classroom already,” Graves allegedly wrote.
  • A student identified as A.B. in court documents urged Graves to use the keylogger to steal an upcoming test, saying “I need 100 on final just to get B- at this point.” Graves’ reply: “Or we could use the time to study?”
  • A student identified as Z.B. asked Graves whether he had told a classmate “about the Hand of God on that test.” Graves’ reply: “No. The less people know the better.”

The university told the FBI that the cheating scheme cost the school $68,000 to investigate the breach and to beef up its IT security. Earlier this year, the university warned students that those involved could face expulsion or suspension. Investigators searched the homes and devices of at least two other students, but they haven’t been charged.

I don’t know how much of an altitude boost Graves gave his grades. Not that it matters. Criminal behavior is criminal behavior, whether you’re popping your A up to an A+ or dragging your Fs up to straight As – as did a former Purdue University student who was sentenced to 90 days in jail plus 100 hours of community service for his part in a keylogger scheme.

Is it child’s play to plug in a keylogger? Yes. Literally.

Eleven Southern California kids got kicked out of school for grade hacking with the devices back in 2014.

Keyloggers are cheap, they’re easy, and the targets – schools and universities – too often have paltry budgets for equipment, software and skilled administrators.

You would imagine that it would make sense to use multifactor authentication to protect at least the most grade-hacking-targeted areas of a school’s network – the grading and testing parts of the system. But somehow, even a technology powerhouse like Purdue has been preyed on by keylogger-bearing, ethics-bare students.

Readers, do you have insights into what’s keeping schools from securing themselves? Please do share them in the comments section below.