A Swiss hacking group has reportedly claimed credit for using a hijacked email domain to bombard schools around the U.S. with fake threats of violence. And in related news, security awareness training provider KnowBe4 issued a warning on Thursday about a credentials phishing campaign that also preys on school shooting fears by impersonating a campus security alert.
According to multiple news outlets, a group called the Apophis Squad sent disturbing hoax emails to school district superintendents in at least 46 states last Sunday and Monday, triggering an increased police presence and in some cases class cancellations. The emails featured the subject line "Student help!" and purported to be authored by a bullied student who threatened to show up at school "with 3 bombs, and a .22 handgun."
The adversaries reportedly used the email address firstname.lastname@example.org, after hijacking the domain of Zonix, a Dallas-based online gaming company that provides Minecraft servers.
"Over the past few hours we were directly contacted by a group that threatened to send a bomb hoax spoofing our email domain in an attempt to directly smear and harm Zonix," states a series of tweets posted on Zonix's official Twitter account on Apr. 9. "We began to realize the threat was credible when we began hearing responses from school superintendents pertaining to this situation. We are aware that some schools might have been affected by this and we apologize for any inconvenience or panic that could have happened because of this situation."
Apophis Squad's account on Twitter, meanwhile, has been suspended. But a journalist with the Union-Democrat in Sonora, Calif. reportedly made contact with one of the hackers, who said the attack's motive was to taunt law enforcement, adding "We got nothing better to do." The hacker also stated future plans to leak information originating from a U.S. Army database.
Reportedly, the same perpetrators previously sent similar threats to UK-based schools in March 2018, using the domain of Zonix competitor VeltPvP.
Meanwhile, an unnamed community college in Florida was recently targeted in a phishing campaign spoofing its campus-wide security alerts, according to KnowBe4 founder and CEO Stu Sjouwerman, who warns in a company blog post that this scheme could easily spread to additional educational institutions as well as companies and organizations that have established active shooter protocols.
The email arrives with a subject line such as "IT DESK: Security Alert Reported on Campus," "IT DESK: Campus Emergency Scare" or "IT DESK: Security Concern on Campus Earlier," and instructs recipients to click a link to a memo containing proper instructions. However, the link leads to a credentials phishing page that imitates the Microsoft log-in process, which many campus computers require.
"What makes this particular attack so infuriating," remarks Sjouwerman, "is that it exploits current concerns over active shooters on education campuses, a sensitive issue that could likely generate panicked, reflexive clicks from recipients who are already on edge over the recent shooting at Marjory Stoneman Douglas High School, also in Florida."