Phishing Attack on K-12 Schools: How it Worked and How to Stay Safe

Picture this: you open an email that looks like it’s from your school’s IT team, urging you to log in to check an urgent update. The page seems familiar, branded with a trusted name like Microsoft or GoDaddy. But it’s a trap–a phishing scam designed to steal your credentials. In early April, schools across the U.S. fell victim to such a sophisticated attack, targeting educators and staff with fake login pages. Here’s how this scam worked, why it’s a growing threat, and what you can do to protect your school community.
The Attack: Fake Logins Targeting Schools
These phishing emails led users to malicious websites hosted on a suspicious domain, heb6[.]ewetanign[.]ru. Each school received a slightly different version of the scam, tailored to blend in with their usual systems, but all had one goal: harvesting usernames and passwords. Schools are prime targets due to their large user bases, sensitive student data, and often stretched IT resources.
How the Scam Fooled Users
The phishing pages were eerily convincing, using tricks to look legitimate.
Realistic Login Pages
Each school’s phishing site featured a fake login form branded with GoDaddy’s logo, mimicking Microsoft 365’s interface. Here is an example seen while reviewing an attack on a school.
Sneaky URLs
The phishing links used the domain heb6[.]ewetanign[.]ru with different paths and parameters for each school:
URL 1 (School 1)
· Protocol: https://
· Subdomain: heb6
· Domain Name: ewetanign.ru
· Path: /wxhvfxckpcddvnwafemgoaqycfgyjpfQR3NHBBOYCJTSFBSVCBRMKZRP2KY
· Query: ?
· Parameters: UDPBMIXTBBYCUDANXUR
URL 2 (School 2)
· Protocol: https://
· Subdomain: heb6
· Domain Name: ewetanign.ru
· Path: /azzhlcxkbxhgcyztdindndfrihnrb8lpb4gcj3a777xuiu4rcwd1gsn
· Query: ?
· Parameters: KTXNXZITZQGVFPVE
URL 3 (School 3)
· Protocol: https://
· Subdomain: heb6
· Domain Name: ewetanign.ru
· Path: /nstekfenmnywhxavuiyvbrwnalrwuxopvwcuzBAQRT35SS561IJ73
· Query: ?
· Parameters: MZJQOGAMPSIVXEYCYWXKLKOPQB
URL 4 (School 4)
· Protocol: https://
· Subdomain: heb6
· Domain Name: ewetanign.ru
· Path: /eikwfgysxpnmiklvmmvpak2J39KBQ9UC3FRUWAGBIH6
· Query: ?
· Parameters: YOGNWPQAZJAYWQY
These cryptic URLs hid their malicious intent, making it tough for users to spot the scam. In the fourth attack, these URLs dynamically loaded stylesheets to perfect the fake login’s appearance.
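The four URLs above share a shape that can be matched in proxy or mail-gateway logs. The following is an added example, not code from the original article: the length thresholds, the function names and the sample list are assumptions, and only the first two sample URLs come from this page.

```python
import re
from urllib.parse import urlsplit

# Campaign domain as written on this page (defanged); subdomains also match.
KNOWN_DOMAINS = {"ewetanign[.]ru"}
# Shape shared by the four URLs above: one long alphanumeric path segment and
# a query that is a bare uppercase token (no key=value). Lengths are assumed.
PATH_RE = re.compile(r"/[A-Za-z0-9]{32,}")
QUERY_RE = re.compile(r"[A-Z]{12,}")

def refang(text):
    """Turn a defanged indicator back into a parseable form."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def assess(url):
    """Return the reasons a URL is suspicious (empty list if none)."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    reasons = []
    for dom in KNOWN_DOMAINS:
        d = refang(dom)
        if host == d or host.endswith("." + d):
            reasons.append("known-domain")
    if PATH_RE.fullmatch(parts.path) and QUERY_RE.fullmatch(parts.query):
        reasons.append("url-shape")
    return reasons

def triage(urls):
    """Map each flagged URL to its reasons; clean URLs are omitted."""
    flagged = {}
    for url in urls:
        reasons = assess(url)
        if reasons:
            flagged[url] = reasons
    return flagged

# Constructed sample of logged URLs; entries 0 and 1 are from this page.
SAMPLE = [
    "https://heb6[.]ewetanign[.]ru/wxhvfxckpcddvnwafemgoaqycfgyjpfQR3NHBBOYCJTSFBSVCBRMKZRP2KY?UDPBMIXTBBYCUDANXUR",
    "https://heb6[.]ewetanign[.]ru/eikwfgysxpnmiklvmmvpak2J39KBQ9UC3FRUWAGBIH6?YOGNWPQAZJAYWQY",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=constructed",
    "https://portal.example.net/" + "qz" * 20 + "?QWERTYUIOPASDF",
    "https://www.example.edu/staff/login?next=/home",
]

if __name__ == "__main__":
    for url, reasons in triage(SAMPLE).items():
        print(",".join(reasons), url)
```

The shape rule is a triage signal for domains not yet on a blocklist and will produce false positives, so treat a shape-only hit as a lead to review rather than a verdict.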
Anti-Detection Tricks
The attackers used clever defenses to hide their tracks:
Blocking Developer Tools: Scripts stopped users from inspecting the page’s code, redirecting curious techies to legitimate sites like Amazon or eBay. The code block below is an example from a school that was targeted.
Clipboard Hijacking: Copying text from the page replaced it with gibberish (e.g., PSZjPRbktp in a school that was targeted), preventing users from sharing evidence.
Encrypted Data Theft: The sites used a tool called CryptoJS to encrypt stolen credentials before sending them to servers like oleyzq[.]ru and yvpnwx[.]ru.
School-Specific Twists
While the scams shared a common playbook, each had unique tweaks:
One School’s Monitoring: This landing page HTML included a script scanning for words like “guns” or “exploit,” likely to flag sensitive inputs in a school setting.
Another School’s Dynamic Design: Unlike the others, one school’s page used heb6[.]ewetanign[.]ru for stylesheets, loading them dynamically to stay flexible and harder to block.
Here’s how the pages compared:
Feature | School 1 | School 2 | School 3 | School 4 |
Blocks Developer Tools | ✅ | ✅ | ✅ | ✅ |
Evades Webdriver/Burp | ✅ | ✅ | ✅ | ✅ |
Debugger Redirect | ✅ (Amazon) | ✅ (eBay) | ✅ (HomeDepot) | ✅ (HomeDepot) |
Clipboard Hijack | ✅ (PSZjPRbktp) | ✅ (CLgixPq0YD) | ✅ (eZDUELzxN0) | ✅ (nGktzcMgoK) |
Uses GDSherpa Font | ✅ | ✅ | ✅ | ✅ |
Similar HTML Structure | ✅ | ✅ | ✅ | ✅ |
Background Image Source | Local Path | Local Path | Microsoft CDN | Microsoft CDN |
Suspicious scripts (randexp/crypto-js) | ✅ | ✅ | ✅ | ✅ |
Hidden Quote Comments | ✅ | ✅ | ✅ | ✅ |
Uses startnew Class | ✅ | ✅ | ✅ | ✅ |
Content Filtering Script | ❌ | ❌ | ✅ | ❌ |
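Because every page shared the same template markers, a saved copy of a suspect page can be checked against them. The following is an added example, not code from the original article: the marker names, the three-marker threshold and both HTML snippets are constructed assumptions, since the article does not show the pages' markup.

```python
from html.parser import HTMLParser

class TemplateMarkers(HTMLParser):
    """Collects shared-template markers named in the comparison table."""
    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots":
            content = a.get("content", "").lower()
            if "noindex" in content and "nofollow" in content:
                self.found.add("robots-noindex-nofollow")
        if tag == "script":
            src = a.get("src", "").lower()
            for lib in ("crypto-js", "randexp"):
                if lib in src:
                    self.found.add(lib)
        if "startnew" in a.get("class", "").split():
            self.found.add("startnew-class")
        if any("gdsherpa" in v.lower() for v in a.values()):
            self.found.add("gdsherpa-font")

    def handle_data(self, data):
        # Inline <style> and <script> bodies arrive here as text.
        if "gdsherpa" in data.lower():
            self.found.add("gdsherpa-font")

def markers(html):
    parser = TemplateMarkers()
    parser.feed(html)
    return sorted(parser.found)

def is_template_match(html, threshold=3):
    # Assumed threshold: one marker alone (e.g. crypto-js) is common on
    # legitimate sites, so several must co-occur.
    return len(markers(html)) >= threshold

# Constructed snippets: a stub carrying the markers, and a benign page.
TEMPLATE_LIKE = """<html><head><meta name="robots" content="noindex, nofollow">
<style>body{font-family:GDSherpa,Arial}</style>
<script src="/js/crypto-js.min.js"></script><script src="/js/randexp.min.js"></script>
</head><body><div class="box startnew"></div></body></html>"""
BENIGN = """<html><head><meta name="robots" content="noindex">
<script src="https://cdn.example.net/crypto-js.min.js"></script></head>
<body><div class="start"></div></body></html>"""

if __name__ == "__main__":
    print(markers(TEMPLATE_LIKE), is_template_match(TEMPLATE_LIKE))
    print(markers(BENIGN), is_template_match(BENIGN))
```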
Why This Scam Was So Dangerous
The attackers used a shared template, tweaked for each school, to:
Look Legitimate: Identical meta tags (noindex, nofollow) hid the pages from search engines, while familiar designs built trust.
Stay Hidden: Anti-debugging scripts and multiple domains (oleyzq[.]ru, yvpnwx[.]ru, heb6[.]ewetanign[.]ru) made takedowns tough.
Steal Data Fast: Encrypted credentials were sent to remote servers, risking exposure of student and staff data.
Protect Your School from Phishing
This attack shows how sneaky phishing can be, but you can fight back:
Check URLs Carefully: Look for odd domains like ewetanign[.]ru. Stick to official sites (e.g., godaddy[.]com, Microsoft[.]com).
Enable Two-Factor Authentication (2FA): Adds a second layer of security, even if passwords are stolen.
Train Staff and Students: Teach everyone to spot phishing emails (e.g., urgent requests, weird links).
Report Suspicious Emails: Alert your IT team immediately to stop scams before they spread.
Use Antivirus Software: Tools can flag malicious sites, though vigilance is still key.