FBI: Student wrestler grappled grades after choking passwords from PCs using a key logger

22-year-old bloke charged after Fed probe


A former chemistry student allegedly used keystroke-logging gadgets to steal tutors' passwords, changed classmates' grades and downloaded copies of exams ahead of time.

Amateur wrestler Trevor Graves, 22, who studied at the University of Iowa, in the US, was arrested and indicted this month on two hacking charges – each of which could land him up to ten years in the clink if found guilty.

In paperwork submitted to an Iowa district court, FBI agent Jeffrey Huber recounted that in December last year one of the university's teachers noticed that Graves' grades had mysteriously improved. The scores were stored in a system called Iowa Courses Online (ICON), and accessing it to edit student records would require passwords only given to teaching assistants and lecturers.

The teacher grew suspicious, and reported the unexplained grade change to the college's IT staff, who started digging. In January, they had gathered evidence showing students in four classes had had their scores bumped up, and that the login credentials of six teaching staff had obviously been purloined and exploited by some unknown miscreant. The techies called the cops, and issued an alert to staff and students warning them to be on the look out for hardware key-loggers attached to their computers. It was believed at least one such gadget had been surreptitiously attached to tutors' PCs, and secretly recorded typed-in ICON passwords for the campus hacker to later use.

Because Graves' grades had been altered, he immediately fell under suspicion. In December, FBI agents searched his house while he wasn't there, and said they found thumb drives, two hardware key-loggers, and four smartphones. One of the thumb drives had a photo of Graves logging into ICON using a professor's identity, and advanced copies of examination questions, the Feds claimed.

But Graves was not the only person to have their grades suddenly improved: other students had benefitted too. So the FBI concentrated on interviewing these other students, and quickly got results, we're told.

Image by Alexander_P http://www.shutterstock.com/gallery-493324p1.html

Password reset warrior arrested for popping 1050 student accounts


One student known only as AB was identified from text messages found on one of the phones. In these texts, AB and Graves apparently discussed "pineapple hunting," which the Feds claim was a codeword for the key-logger. One stated that "pineapple hunter is currently laying (sic) in wait in a classroom already."

There is, by the way, a wireless hacking tool called Pineapple, which can intercept connections over Wi-Fi. It is possible Graves hid a Pineapple device in a classroom to steal teachers' usernames and passwords submitted to ICON over the air. However, we note that ICON uses HTTPS for its web interface, making eavesdropping non-trivial but not impossible. In any case, the Feds describe it as a hardware key-logger, the kind you plug in between the keyboard and the PC, but it's possible a wireless Pineapple was used.

Further conversations between the two discussed changing grades, it is claimed, with Graves warning AB that the grades couldn’t be changed too significantly and that he'd still have to study. Others messaging Graves discussed wedging open classroom doors with pennies to gain access when no one else was around, and the possibility of obtaining exams ahead of time, according to the Feds.

AB was formally interviewed by the FBI in February and apparently admitted that Graves was using a key logger to steal a professor's login details and change their grades. AB said Graves had first discussed the matter back in spring 2015, and had adjusted with scores in five classes and had given him the questions for a forthcoming circuits exam, the FBI agent said.

The following month another student, AT, said they met Graves in a design-for-manufacturing class, and that he had indicated he knew what the questions on a forthcoming exam would be, we're told. The student AT also claimed to have received ten advanced copies of exams and to have helped Graves install the key logger on five occasions.

Based on these particular conversations, and those with other students, the FBI interviewed teaching staff. All were adamant that they had not boosted the grades – indeed many had no rights to do so. In addition some grades were changed from classroom computers they didn't use.

Graves was arrested last Tuesday in Denver, in his home state of Colorado, was released on bond, and was ordered to turn up for a full court appearance in Iowa this week. The university, meanwhile, told FBI investigators it had cost $67,500 to probe and clear up his alleged actions.

If found guilty, Graves – who joined the college's wrestling team in 2013 – is unlikely to face serious jail time. Past instances of grade hacking at other schools have generally resulted in a couple of months in the cooler followed by supervised release. Degrees are also usually rescinded, so a guilty party could be paying useless student debts for a long time. ®

Biting the hand that feeds IT © 1998–2017