Spam hoax targets numerous organizations, triggering evacuations and lockdowns – strains corporate security teams and law enforcement resources

Spammers orchestrated a wave of bomb threats against a variety of businesses, schools and other organizations today across the US and other nations. The threat demanded bitcoin in exchange for not detonating a supposed bomb. Many buildings were evacuated or locked down out of an abundance of caution. Even when organizations concluded the threat was a hoax, duty of care required many of them to execute their threat response plans.


The campaign is similar to another widespread sextortion scam campaign earlier this year. A sample of the threat reads as follows. Variants of this email were distributed naming different blasting explosives at the beginning of the email.

################################################################################

From: [REDACTED] <removed>
Sent: Thursday, December 13, 2018 12:14 PM
To: [REDACTED] <removed>
Subject: You are responsible for people

Good day. My mercenary carried a bomb [Tetryl, tronitrotoluene, lead azide, hexogen] into the building where your company is located. My man constructed the explosive device according to my guide. It can be hidden anywhere because of its small size, it is not able to destroy the building structure, but if it detonates you will get many wounded people. My recruited person keeps the building under the control. If he sees any unusual behavior, panic or policemen the bomb will be blown up. I can withdraw my man if you pay. You send me $20’000 in Bitcoin and the bomb will not explode, but do not try to fool me -I warrant you that I will withdraw my man solely after 3 confirmations in blockchain.

My payment details – [REDACTED]

You must solve problems with the transfer by the end of the working day. If you are late with the transaction the bomb will detonate. This is just a business, if you don’t send me the money and the bomb detonates, other companies will send me more money, because this is not a one-time action. To stay anonimous I will no longer log into this email account. I monitor my Bitcoin wallet every forty minutes and after receiving the money I will give the command to my person to get away.

If an explosion occurred and the authorities notice this email- We arent a terrorist society and dont take responsibility for explosions in other buildings.

##########################################################################

Sample of bitcoin addresses reported:


##########################################################################

There is no evidence to suggest that this threat is real. There is no evidence that any material or device mentioned in the threat has been discovered by any responding law enforcement agency. While DigitalStakeout has concluded that this campaign is a hoax, targets of this threat are urged to maintain a vigilant and proactive security posture.

This situation highlights two areas of digital risk management that all organizations need to address for this type of external threat.

First, organizations must have proactive social media monitoring focused on security to support the rapid identification, triage and analysis of threats. When emerging threats or hoaxes break, decision makers will only execute an informed and calculated response with an intelligence-led and evidence-based decision-making process. In this situation, the threat became a viral event on numerous social media channels well before breaking news reports.

Second, strong communication between corporate security and physical security teams is paramount. As cyber threats get “physical,” create disruption and increase operational cost, tested and practiced workflows between department silos will reduce the risk that false positives drain the resources of the organization and escalate security costs. Proper communication between cyber security and physical security will also ensure that false negatives do not occur. It’s also important to ensure that electronic bomb threats don’t end up in spam quarantines, depriving corporate security teams and law enforcement resources of critical visibility into a potential threat.
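
One way to keep such messages from sitting unseen in quarantine is a triage pass that escalates any quarantined email pairing violent-threat wording with a checksum-valid bitcoin address. The sketch below is an added example, not DigitalStakeout's code; the term list, function names and sample messages are assumptions, and the wallet in the sample is the publicly known genesis-block address used as a stand-in.

```python
import hashlib
import re
from email import message_from_string

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# Assumed term list, modelled on the wording of the sample email above.
THREAT_TERMS = ("bomb", "explosive", "detonate", "explode")

def is_btc_address(s):
    """Base58Check-validate a legacy address (version byte + 20-byte hash + 4-byte checksum)."""
    if not CANDIDATE.fullmatch(s):
        return False
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return False
    check = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return raw[0] in (0x00, 0x05) and raw[21:] == check

def triage(raw_message):
    """Return an escalation record when threat wording and a valid wallet co-occur, else None."""
    msg = message_from_string(raw_message)
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk() if not p.is_multipart()]
    body = b"\n".join(parts).decode("utf-8", "replace")
    terms = sorted(t for t in THREAT_TERMS if t in body.lower())
    wallets = sorted({a for a in CANDIDATE.findall(body) if is_btc_address(a)})
    if terms and wallets:
        return {"subject": msg.get("Subject", ""), "terms": terms, "wallets": wallets}
    return None

# Constructed quarantine samples. The wallet is the publicly known Bitcoin
# genesis-block address, used only as a checksum-valid stand-in.
STAND_IN = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SAMPLE_THREAT = (
    "Subject: You are responsible for people\n\n"
    "A bomb is hidden in your building. Send $20,000 in Bitcoin to "
    f"{STAND_IN} by the end of the working day or it will detonate.\n"
)
SAMPLE_BENIGN = "Subject: Holiday sale\n\nBath bomb gift sets are 20% off. Order ref 1A2B3C.\n"

if __name__ == "__main__":
    for sample in (SAMPLE_THREAT, SAMPLE_BENIGN):
        print(triage(sample) or "no escalation")
```

Requiring both signals keeps marketing mail that merely contains a trigger word out of the escalation queue; the checksum test discards random Base58-looking strings such as order references.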