Those fake active shooter calls to schools? A similar thing happened before

Just before 3 p.m. on a sunny Friday in September, police in Chillicothe, Ohio, received a message from dispatch: an active shooter had reportedly injured 24 students at Chillicothe High School and was still on scene.

Bodycam video shows the fraught minutes that ensued. Officers rushed to the school, some entering with their rifles and pistols drawn, running breathlessly through the hallways to find the right classroom.

But there was no shooter.

Students had been placed on lockdown, police units deployed and school staff were plunged into minutes of terror as a hoax unfolded. After finding no threat at the school, the officers regrouped in a school hallway. One said to the others, “Did you see the email we got today? Swatting. Somebody’s swatting the schools.”

Similar scenes have played out at schools across the country in recent weeks.

NPR has found local reports indicating 182 schools in 28 states received false calls about threats between Sept. 13 and Oct. 14. These have prompted a response known as “swatting,” where law enforcement swarms a location where a crime is reportedly in progress. Swatting incidents can be particularly dangerous, as officers often enter with force, guns drawn.

But in some of these places, the pattern behind this wave of hoax calls has felt familiar. Authorities in Minnesota have said it echoes what they saw in March and April, when a caller falsely reported bombs at schools in several states.

Now, NPR has obtained records that suggest that there may, indeed, be a connection.

Audio from one of those springtime hoax bomb alerts sounds markedly similar to the voice, accent and narrative behind recent active shooter calls that NPR has listened to from Virginia, Minnesota, Ohio and Florida.

Through an open records request, NPR has obtained detailed information about the phone number behind that call, made about a high school in Louisiana. The records shed further light on the person or entity behind these schemes, and how they systematically target local institutions.

‘A suspicious backpack’

On the morning of April 21, the Bossier Parish Sheriff’s Office in Louisiana received a call from someone saying there was “a suspicious backpack” in a classroom at Benton High School.

The caller, who sounded like a grown man with a North African accent, claimed to be a student. Students were evacuated from the school, the parish fire department deployed and the grounds were searched. No bomb was found.

Loading…

An investigation and report by the sheriff’s office, obtained by NPR though an open records request, found that the call came from an internet, or VOIP, phone number. It also found that the VOIP account was tied to IP addresses in Ethiopia owned by the AFRINIC network, and specifically to the Ethiopian state-owned phone and internet service called Ethio Telecom, based in Addis Ababa. On the day that Bossier Parish received a call from this number, so, too, had 79 other places across Louisiana, Arizona and New Mexico.

An NPR analysis of the number’s call logs between March 12 through April 21 offers a snapshot of how a mass hoax threat campaign may be conducted.

During a 40-day period, the VOIP number received or made 437 calls — all of them on just 10 of those days. But the usage pattern suggests that this phone number was really created with the purpose of making phone calls, because 80 percent of that activity was outgoing calls. The incoming traffic appeared to be mostly return dials from individuals or institutions that this VOIP user had called.

An examination of the number’s outgoing calls details a curious pattern of activity.

More than three-quarters of the calls placed were made on just three days: March 15, April 5 and April 21. On those days, the VOIP user spent between 6 and 8 hours systematically dialing — and often re-dialing — phone numbers. Sometimes with as few as four seconds between hanging up one call and dialing the next, the number reached 125 places.

The rapid-fire dialing of numbers also indicates that the user had a list of targets at the ready, and a specific focus on schools, law enforcement agencies, fire departments and emergency dispatchers. Together, these accounted for 92% percent of the places that the VOIP number called. And while the caller blanketed 19 different states, they tended to focus on a small number of states on the days they were most active. On April 5, the number made outgoing calls only to North Carolina and Ohio. On April 21, it was only calls to Louisiana, New Mexico and Arizona.

Loading…

NPR has reached out to Ethio Telecom for comment, as well as to the email address that was used to create the VOIP account. So far, neither has responded. NPR also called the VOIP number tied to this activity and reached the automated voicemail recording for the service carrier, a Canada-based company called TextNow.

For experts in VOIP and telephony fraud, the connection to TextNow is unsurprising.

/ Thomas Bender/Herald-Tribune/USA TODAY NETWORK/Reuters

/

Thomas Bender/Herald-Tribune/USA TODAY NETWORK/Reuters

Families wait to be reunited with their children following the report of an active shooter that turned out to be a hoax at Riverview High School in Sarasota, Fla., on Oct. 11. Sarasota law enforcement, state troopers, ambulances and fire trucks all responded to the false threat.

TextNow and VOIP fraud

For several years, Fred Posner has been tracking call center scams, technical support scams, fake threatening calls from the IRS, and more in his spare time.

Posner, a retired police officer from Florida who is now a VOIP consultant, says those numbers often end up being TextNow numbers. He’s been sending them to the TextNow company, sometimes tweeting in frustration. He sometimes hears back, but he worries it’s never fast enough.

TextNow is one of many free or low-cost Internet based calling platforms, similar to Zoom, Skype, or WhatsApp. It is easy to sign up for a new TextNow number. Using an NPR email address, it took less than a minute to choose an area code and generate a new number capable of making calls or texts from an Internet browser or phone.

But that facility in creating a number means the service is prone to fraud and abuse. Scammers have been known to use these numbers to make spam calls that ultimately aim to persuade targets to wire money. The numbers are also disposable. Users can sign up, use the number for a while, and make a new one if it gets reported. Posner said that while TextNow is a favored carrier for these scammers, it’s an industry-wide problem.

TextNow spokesperson Nick de Pass told NPR that “we place a high value on customer safety and privacy.” Specifically, he continued, “our internal security team works diligently to identify and disable accounts that are being used for illegal activity or violate our terms of service.” The company declined to comment on the specific false bomb alert in Louisiana.

But according to the investigative files obtained by NPR, Bossier Parish did receive records from TextNow detailing the email address, username, registration date, original IP address, and IP logs of the person behind the spring bomb scares.

“We quickly identified that he had a Gmail account and the registration IP address, along with a consistent IP address on the day that this occurred, [and that it all came] out of Ethiopia,” said Captain Shannon Mack, an investigator with the Bossier Parish Sheriff’s Office.

/ Thomas Bender/Herald-Tribune/USA TODAY NETWORK/Reuters/

/

Thomas Bender/Herald-Tribune/USA TODAY NETWORK/Reuters/

High school junior Eldrige Coronel, 17, hugs his mom, Veronica Padilla, after a report of an active shooter that turned out to be a hoax at Riverview High School in Sarasota, Fla. Oct. 11. Distraught parents waited for their children at the perimeter of the school as Sarasota law enforcement, state troopers, ambulances and fire trucks all responded to the false threat.

The Ethiopia Connection

To Mack, the evidence that the caller was operating out of Ethiopia was clear.

The IP addresses tied to both the TextNow activity, as well as the caller’s Gmail account, were all based in that country. She and other experts said it doesn’t appear that the caller was using a Virtual Private Network, or VPN, to disguise their location. For instance, Mack noted that on the day her office received the false bomb alert, the caller stayed on the same IP address through hundreds of calls they made over several hours.

“A VPN will generally change by itself, whether you log in or out, about every 30 seconds,” she said.

Additionally, TextNow has publicly said that it doesn’t allow its users to use its service if it detects they’re on a VPN.

But that doesn’t mean that the caller wasn’t using other techniques to make it falsely appear that they were in Ethiopia. For instance, it’s possible the caller hacked or found other means to access digital infrastructure in Ethiopia, in order to route their calls through the compromised network.

“I did find a fair amount of compromised Ethio Telecom IPs that are out there on various markets like Genesis and Russian Market,” said Keven Hendricks, referring to two online marketplaces on the so-called darknet, where illicit goods and services tend to be sold. Hendricks, an expert in cybercrime who has investigated swatting calls and VOIP abuse, said the activity of the caller behind the bomb hoaxes is not unprecedented.

“I have seen similar call patterns from swatters and people who abuse Voice Over IP services to create mass panic,” he said.

Ultimately, it may be difficult to track down exactly where this caller is located and who they are. But this is a key reason that experts like Fred Posner are calling for additional regulations or safeguards to allow VOIP providers to better detect fraudulent and abusive call schemes on their networks.

One major step TextNow took last Friday was to ban the entire country of Ethiopia from use of its service, to cut down on a high amount of fraudulent activity.

“”Our dedicated Trust & Safety team is taking aggressive action and proactively working with law enforcement to respond to these incidents, including banning all accounts associated with these calls,” wrote Nick de Pass, TextNow spokesperson in an email to NPR. “We have also added Ethiopia to our list of unsupported countries to help eliminate this activity from our platform, which means that all calling and texting from the country has been banned from our service.”

According to an industry source, VOIP services have chosen to ban other countries from their platform in the past when a pattern of abuse is established. Even so, criminals can find ways around measures like these.

TextNow publishes a scam round-up to alert users to potential fraud, and there are third party providers that work to automatically detect fraud which many voice and text providers work with–though they’re not infallible. (Without being able to listen in to calls, it’s difficult to clearly establish malicious behavior.)

Ultimately, there are challenges, and, perhaps, a lack of incentive, to proactively monitor for fraud on VOIP platforms before law enforcement serves a search warrant. Ultimately, the companies’ goal is to make it easier for people to communicate, not harder.

The challenge of investigating

Mack of the Bossier Parish Sheriff’s Office said she took the investigation in the Benton High School hoax bomb alert as far as she could.

“Because obviously we can’t go to Ethiopia,” she said, “and I have never had, in my personal experience as a police officer, anybody from Ethiopia co-operate with an investigation in United States.”

Mack said when she investigated the false bomb alert in April, there was no indication that federal authorities were paying attention to the scheme. But with the recent wave of hoax active shooter calls, police at the state level in several places and the FBI are taking an interest. The agency has said “we will continue to work with our local, state, and federal law enforcement partners to gather, share, and act upon threat information as it comes to our attention.”

Several localities denied open records requests from NPR, citing pending investigations by higher authorities. Nonetheless, information that others have released has shown that the active shooter scheme may be much wider-reaching than the bomb hoax was in the spring.

Between Sept. 19 and 23, at least eight different phone numbers were used to make false calls about active shooters. Of those, NPR confirmed that six numbers are offered through TextNow. Calls to the other two numbers either failed or were not returned.

Although it’s understood that swatting can have dangerous, and sometimes even fatal, results, experts say it’s too often left to local agencies to investigate. In a widespread, and seemingly coordinated, scheme such as the current wave of active shooter threats, that approach may not be sufficient. Hendricks said it is heartening to see that federal authorities are taking an interest.

“I really feel that it’s something we view more of a nuisance versus something that can be investigated and hold these people accountable,” he said. “That’s something that hopefully changes.”

In all this, the motive itself remains a mystery.

“I don’t know. [Maybe it’s] some type of what they think is an assault on the American way of life,” Mack said. “Especially disrupting schools, scaring parents and teachers and children. So I don’t know if that is what their gain is, just to cause that chaos.”

NPR’s Daniel Wood and Kaity Radde contributed to this story.

Copyright 2022 NPR. To see more, visit https://www.npr.org.