Perpetrators of bomb hoax emails sent to around 100 schools in Delhi-NCR used a Russian email service that effectively helps users stay anonymous and avoid detection of their illegal activities by law enforcement.
A preliminary forensic analysis by India Today’s Open-Source Intelligence (OSINT) team of the email sent to one of the schools has revealed that the sender of the emails most likely did not provide any personal details to the Russian email service mail.ru, which is owned by social media and networking site VK or VKontakte.
The sender, sawariim@mail.ru, used a free email service called Tempail that provides temporary addresses “which expire after 1 hour”. On its website, Tempail claims its temporary IDs can be used to sign up on websites and social media platforms like Facebook and Twitter. They can also be used to send and receive emails.
An email address “yus*******@gufum.com” was provided as the backup email account while creating sawariim@mail.ru, our analysis reveals. Many email validators also identified gufum.com as a temporary email domain.
India Today was able to set up a sham email address on mail.ru using the same temporary email provider within minutes, and without giving any concrete information that could later lead back to the account owner. This email has been discarded.
IS’s COPYCAT STYLE
The email senders appear to have copied the style used by the propaganda material of the notorious terrorist organisation, Islamic State (IS). For example, the username of the email goes by the name ‘Sawariim’, a distortion of the term ‘al-Sawarim’ which loosely translates to ‘The Swords’ in Arabic.
In a broader context, this term is associated with jihadist propaganda, specifically in media productions or operations named under this theme, typically intended to inspire or recruit supporters for their cause.
In jihadi terminology, Sawarim is widely linked with ‘Salil al-Sawarim’, a nasheed (melodic a cappella hymn) produced by the IS in 2014, in which the lyrics mention bloodshed and war.
But what are the possibilities that the IS could have sent these threatening emails? Highly unlikely. Delhi Police have categorised the threats as a “hoax” – an old pattern for high-end schools in the national capital.
“There are many explosive devices in the school,” reads the threat which is written in upper case in a font resembling ‘Lucida Console’. The rest of the text has been borrowed from online websites hosting the English version of the Quran’s verses.
The use of the Islamic State’s signature style and language is common practice among miscreants who want their threat to look genuine.
A closer look at the email also suggests that the senders have a sound technological understanding and are familiar with the IS lingo.
WHY TEMP MAILS ARE A CONCERN
Temporary emails, also called disposable or burner emails, are meant to protect user privacy and security online. These services allow users to create email addresses that are valid for a short period, often used when signing up for websites of questionable trust or those likely to send spam.
By using a temporary email address instead of their main one, users can shield their personal email from unwanted messages and potential security risks associated with untrusted websites.
Temporary emails also prove useful in situations where users only require a single email, such as during registration for a download or contest. Additionally, they can be used to maintain anonymity while participating in online forums, surveys, or other interactions.
But as is the case with any good technology, temporary mails are often used for illegal and anti-social motives across the world.
In contrast, mainstream email providers like Gmail and Yahoo require user data such as a phone number or an existing email address from a reputable provider for new registrations, which makes it easier for authorities to track their owners.
CHAOS IN DELHI-NCR
For hundreds of parents, Wednesday brought panic and worry for the safety of their school-going children as phones in the offices of the Delhi Police and the Delhi Fire Service (DFS) started receiving back-to-back calls for help.
However, “nothing objectionable” was found, officials said, requesting people to stay calm.
The schools were evacuated after local police were informed about the threat emails.
According to the DFS, at least 97 calls from different schools were received till noon on Wednesday. Multiple private schools in Noida and Greater Noida also received the bomb threat.
The Ministry of Home Affairs said it appeared to be a hoax threat and that there was no need to panic.
Delhi Police said it has conducted a thorough check of all schools that received the bomb threat but found nothing.
“Some schools of Delhi received emails regarding bomb threats. Delhi Police has conducted a thorough check of all such schools as per protocol,” Delhi Police said in a post on X.
According to Delhi police officials, the email is suspected to have been sent from “one source” to schools in Delhi and adjoining Noida and Greater Noida. Official sources told news agencies the content of the mail to every school was the same.
HISTORY OF FAKE THREATS TO SCHOOLS
Many popular private schools in Delhi-NCR have received fake threat calls regarding the presence of bombs on their campuses in the last 2-3 years. The most recent examples are the Delhi Public School in Delhi’s RK Puram and Amity International School in Pushp Vihar, which received a bomb threat via email in February this year.
Indian School in Sadiq Nagar reportedly got two fake bomb threat calls – one in November 2022 and another in April 2023.
Similar incidents were reported at Lal Bahadur Shastri School in RK Puram and Delhi Public School in Mathura Road.