Friday, February 18, 2011

Complete DHS Daily Report for February 18, 2011

Daily Report

Top Stories

• A major nuclear manufacturer reported a “substantial safety hazard” with control rods at more than two dozen reactors around the country, according to the Associated Press. (See item 8)

8. February 16, Associated Press – (National) Possible fuel rod hazard seen at some nuke plants. A major manufacturer in the nuclear industry reported a potential “substantial safety hazard” with control rods at more than two dozen reactors around the country, according to a report made public February 16 by the Nuclear Regulatory Commission (NRC). GE Hitachi Nuclear Energy said it discovered extensive cracking and “material distortion,” and likely would recommend the boiling water reactors using its Marathon control rod blades replace them more frequently than they had been told to previously. “The design life if not revised, could result in significant control blade cracking and could, if not corrected, create a substantial safety hazard and is considered a reportable condition,” the company said in its report to the NRC. An analyst with the Union of Concerned Scientists (UCS), and a former nuclear industry engineer who now frequently consults with groups critical of the industry, said the faulty blades could make affected control rods inoperable. “It could either slow down or stop the control rod from inserting” when plant operators were trying to reduce power or shut a plant down, the UCS analyst said. The former industry engineer said control rods “are like the brakes on a nuclear reactor. It’s almost like they have a 100,000 mile warranty on them and they need to be changed out at 40,000.” He added the reactors also have an emergency brake: an “explosive valve” to be used in emergencies when operators are unable to gain control of the reaction by inserting control rods. The valve forces water containing high levels of boron, which slows and eventually stops the reaction by absorbing neutrons. Source:

• The New York Times reports authorities arrested 74 members of a Southern California criminal organization that bilked $20 million from victims via bank fraud and skimming devices. (See item 16 below in the Banking and Finance Sector)

Banking and Finance Sector

13. February 16, Softpedia – (National) Dangerous IRS spam run in circulation. Security researchers from e-mail security provider AppRiver warn of a new IRS-themed spam campaign that takes advantage of the tax filing period to distribute a variant of the infamous ZeuS banking trojan. The rogue e-mails bear a subject of “Your Federal Tax Payment Notice sn#######” (where # is a digit) and have forged headers to make them appear to originate from an IRS address. The message advises recipients that their tax return filing was rejected by the Electronic Federal Tax Payment System (EFTPS) and asks them to correct the error. “Urgent Report! Your Federal Tax Payment ID: ########## has been rejected. Return Reason Code R21 - The identification number used in the Company Identification Field is not valid. Please, check the attached information and refer to Code R21 to get details about your company payment in transaction contacts section,” the message reads. The attached file is called IRS-TAX-Notification-printing form-SN########(dot)zip and contains a variant of the ZeuS crimeware that has a very low detection rate on VirusTotal. Source:
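The three indicators AppRiver describes (the subject pattern, the forged IRS sender, and the named .zip attachment) can be turned into a simple mail-gateway triage rule. The code below is an added illustration, not AppRiver's or the report's own tooling; it assumes the receiving MTA stamps a trustworthy Return-Path header, and the sample messages are constructed here rather than captured from the campaign.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the description quoted above: 7-digit subject
# serial, 8-digit attachment serial, archive named like the lure.
SUBJECT_RE = re.compile(r"^Your Federal Tax Payment Notice sn\d{7}$")
ATTACH_RE = re.compile(r"^IRS-TAX-Notification-printing form-SN\d{8}\.zip$", re.I)


def forged_irs_sender(msg):
    """True when the visible From claims irs.gov but the envelope sender
    (Return-Path, assumed to be set by our own MTA) is another domain."""
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    ret_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    return from_addr.endswith("@irs.gov") and not ret_path.endswith("@irs.gov")


def score_message(raw):
    """Return the list of campaign indicators present in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        hits.append("subject")
    if forged_irs_sender(msg):
        hits.append("forged-sender")
    for part in msg.iter_attachments():
        if ATTACH_RE.match(part.get_filename() or ""):
            hits.append("attachment")
    return hits


def build_sample(subject, sender, return_path, filename=None):
    """Construct a test message (not a real capture) with the given headers."""
    m = EmailMessage()
    m["Subject"] = subject
    m["From"] = sender
    m["Return-Path"] = return_path
    m["To"] = "victim@example.com"
    m.set_content("Urgent Report! Your Federal Tax Payment ID: 0000000000 has been rejected.")
    if filename:
        # Placeholder bytes only; this is not an archive and carries no payload.
        m.add_attachment(b"PK-placeholder", maintype="application",
                         subtype="zip", filename=filename)
    return m.as_string()


PHISH = build_sample("Your Federal Tax Payment Notice sn1234567", "EFTPS <notice@irs.gov>",
                     "<bounce@mail-blast.example>", "IRS-TAX-Notification-printing form-SN12345678.zip")
LEGIT = build_sample("Payment receipt", "EFTPS <notice@irs.gov>", "<notice@irs.gov>")
```

Messages hitting all three indicators are worth quarantining outright; a lone subject match is better treated as a lower-confidence signal for analyst review.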

14. February 16, Palm Beach Post – (Florida) 2 Boca Raton men plead guilty to cashing in on $10 million fraud. Two Boca Raton, Florida men February 16 pleaded guilty to cashing in on a $10 million illegal enterprise federal prosecutors said was fueled by loan officers at leading South Florida banks. The two suspects pleaded guilty in hopes of avoiding stiff sentences for their roles in the scheme run by Palm Beach Business Consultant Inc. In exchange for pleading guilty — the 45-year-old suspect to conspiracy to commit bank fraud and the 42-year-old suspect to the same charge plus mail fraud — prosecutors agreed not to seek maximum penalties when they are sentenced May 6. The 42-year-old, who made nearly $1.5 million through phony loan applications to various banks and devising a phony sale of his Wellington house, faces twice the punishment because he pleaded to two charges. Source:,0,5102571.story

15. February 16, KGUN 9 Tucson – (Arizona) Bomb threat downtown causes road closures, evacuations. A bomb threat was received February 16 at the Bank of America Building in Tucson, Arizona that caused evacuations and road closures. A spokesperson with the Tucson Police Department told KGUN 9 that the threat was phoned to the building at 33 North Stone Avenue. It was received by the office occupied by personnel from the Pima County Attorney’s Public Defenders Office. Building management decided to evacuate. Police coordinated a search with an explosives detection K9/handler team from their explosives and hazardous devices detail. They were assisted by the explosives detection K9/handler teams from the University of Arizona and Pima County Sheriff’s Department. No explosives threat was located and the building was declared safe for re-entry, the police spokesman said. Source:

16. February 16, New York Times – (California; National; International) Armenian Power members arrested in southern California sweep. Law enforcement officials cracked down February 16 on a growing Southern California criminal organization with extensive international ties, arresting 74 members and associates of the Armenian Power crime group. The U.S. attorney’s office said more than 100 people affiliated with the Armenian Power organization — some still at large — had been charged with narcotics trafficking and kidnapping as well as sophisticated white-collar crimes such as a bank fraud scheme that cost victims at least $10 million. Nearly 100 of those charged were in Southern California, with the rest in Miami, Florida, and Denver, Colorado. “Sophisticated cybercrimes and identity theft are now as important a part of their criminal portfolio as traditional violence and fraud,” an FBI official said. In one complex scheme, the organization’s members, according to federal indictments, installed credit card “skimming” devices at cash registers in 99 Cents Only stores across Southern California that they used to steal information from hundreds of customers and create counterfeit credit and debit cards. In another scheme that went after elderly victims, Armenian Power members, in collaboration with a local African-American gang, bribed insiders at banks in Orange County to gather data that allowed them to take over bank accounts. In all, U.S. attorney’s office officials estimated the organization’s activities cost victims at least $20 million. Source:

17. February 16, Gwinnett Daily Post – (Georgia) FBI: Serial robber hits 2 Tucker banks. FBI Atlanta is asking for public assistance in identifying a serial bank robber who robbed two Tucker banks near the Gwinnett, Georgia line, officials said. In four metro Atlanta robberies during the month of February, the lone man used the same M.O. — passing a demand note to tellers before walking out with undisclosed amounts of cash, officials said. The most recent robbery happened about 1 p.m. February 15 at a Wells Fargo Bank at 2200 Mountain Industrial Boulevard. The previous day, the same man targeted a Best Bank branch at 4357 Lawrenceville Highway, officials said. In a February 7 heist, the suspect hit a Best Bank branch at 3479 Memorial Drive in Decatur, after hitting a Flagstar Bank at 2450 Piedmont Road in Atlanta 2 days prior, according to the FBI. The FBI Atlanta Special Agent in Charge described the black man as between 6 feet and 6 feet 4 inches tall, in his late 40s or 50s, with a medium build. In several robberies he wore prescription eyeglasses. Source:

For another story, see item 52 below in the Communications Sector

Information Technology

46. February 17, Help Net Security – (National) One in 10 IT pros have access to accounts from previous jobs. According to a survey that examines how IT professionals and employees view the use of policies and technologies to manage and protect users’ electronic identities, the sharing of work log-ins and passwords between co-workers is a regular occurrence. The results of the survey — conducted by Quest Software and Harris Interactive — underscore how these technologies, or lack thereof, are making it more difficult for employees to get their jobs done, and how they are causing greater concern about insider threats to IT security. Key research findings included that 1 in 10 IT professionals admit they have accounts from previous jobs, from which they can still access systems even though they’ve left the organization; and 52 percent of employees admit they’ve shared their work log-ins and passwords with other co-workers, and vice versa. The results were based on two surveys of more than 1,000 employees and 500 IT decision-makers in the United States. Source:

47. February 17, The Register – (International) Chinese mobile malware powers click-fraud scam. Malware writers are trying to infect Chinese users of Android smartphones with a Trojan that poses as a wallpaper for the smartphone’s screen or as other legitimate applications, such as the popular game RoboDefense. The mobile malware, dubbed Adrd or alternatively HongTouTou, has been seeded onto third-party mobile app stores in China. The official Android Market is not affected. If installed, the Trojan gathers the IMEI and IMSI numbers of compromised devices, uploading this information to a remote server, before generating counterfeit queries against particular search results. The malware specifically generated fraudulent clicks on the Baidu ad network, according to anti-virus firm AVG, which reckons the Trojan is the work of a group also producing malware targeting Symbian smartphones. Source:

48. February 17, Softpedia – (International) Blackhole-powered drive-by download attacks on the rise. Researchers from cloud security provider Zscaler warned of an increase in the number of drive-by download attacks executed with the help of the Blackhole exploit toolkit. Blackhole is a Russian Web attack kit similar to the more popular Eleonore or Phoenix kits. It features several different exploits that target Java, Adobe Reader, and Windows vulnerabilities. One of the author’s selling points is the heavy obfuscation, which makes the exploits hard to detect for antivirus programs. “Exploits crypt on special algorithms that make it impossible to code analysis and detection of anti-virus as well as services, Tipo wepawet and other counterparts,” a line in the kit’s description reads. A 1-year license costs $1,500, a half-year $700, while a 3-month use is $700. According to Zscaler researchers, a Google search for the URL pattern created by this kit on abused domains returns thousands of results. A malicious (dot)jar applet used by the Blackhole kit to exploit a 2009 Java vulnerability has a low detection rate on VirusTotal and so does the infected executable it drops. Other vulnerabilities exploited by this version are the 2010 Windows Help Center flaw and a Windows Media Player one targeted through malformed ASX files. Source:

49. February 16, Help Net Security – (National) Smartphone users not aware of mobile security risks. More than a third of surveyed smartphone users are not aware of the increasing security risks associated with using their phones for financial purposes and to store personal data, according to a new survey by AVG and the Ponemon Institute. The study also showed that just 29 percent of surveyed smartphone owners have considered downloading free or paid anti-virus software to help protect their most personal devices. The survey targeted 734 U.S. consumers over the age of 18 who own a smartphone such as an iPhone, Blackberry, or Android device. Surveyed consumers also expressed a lack of awareness in respect to a number of key security issues faced by smartphone users. Source:

50. February 16, Softpedia – (International) Botnet ecosystem diversified in 2010. According to a recent report from security vendor Damballa, the botnet ecosystem saw a lot of diversification in 2010 due to the launch of many do-it-yourself toolkits. Damballa, which specializes in botnet intelligence and protection solutions, found 6 of the top 10 botnets in 2010 did not exist 2 years ago, and that only a single one had been present in the top 10 for 2009. This suggests the botnet ecosystem has changed considerably, not only in market share leadership, but also in diversity. A botnet formed in the second part of 2010 as a result of the TDL master boot record (MBR) rootkit took the top spot on Damballa’s list with 14.8 percent of all unique victims. This was almost three times more than the second place, a botnet distributing rogue antivirus software, which accounted for 5.7 percent of victims, and ZeuS, with 5.3 percent, came in third. Source:

Communications Sector

51. February 16, Softpedia – (International) U.S. hacker earns $8 million from German dial-up fraud scheme. A hacker from New Hampshire will be sentenced in February for his role in a fraud scheme that involved installing malware on the computers of German dial-up users. The fraudulent operation lasted from 2003 until 2007, during which time the hacker, 37, of New Hampshire, and his co-conspirators used a custom malicious program to abuse the modems of computers they infected. The program silently dialed premium rate phone numbers set up by the hackers in Germany, racking up fraudulent charges on people’s telephone bills. In total, the hacker is believed to have earned $7,941,336. The man faces a maximum of 10 years in prison, but under the plea agreement the U.S. Attorney will recommend 92 months. Because the targeted users were located outside of the United States, particularly in Germany, but possibly in other European countries as well, authorities asked victims to complete and submit impact statement forms via e-mail until February 23. The hacker is scheduled for sentencing February 28 in the Boston Federal Court. “Potential victims will not be contacted individually. Any persons determined to be a victim by the court will be contacted through appropriate law enforcement officials following the sentencing hearing,” the U.S. Department of Justice announced. Source:

52. February 16, Softpedia – (National) Most SMS spam related to financial fraud, GSMA finds. The GSMA, an international association of mobile operators, has tested a new system designed to identify and block short message service (SMS) spam, revealing that as much as 70 percent of such activity is related to financial fraud. Dubbed the Spam Reporting Service (SRS), the system was developed in partnership with messaging security solutions provider Cloudmark. The SRS enables mobile users to forward SMS spam to a “7726” (SPAM) short code or to 33700, a number already used for this purpose in some countries. The system automatically processes reports and informs carriers so they can take appropriate actions to block the attacks. The SRS pilot lasted from March to December 2010 and saw the participation of AT&T, Bell Mobility, KT, Korean Internet & Security Agency (KISA), SFR, Sprint, and Vodafone. The test showed the majority of spam campaigns were not related to advertising, as one might expect, but to financial fraud schemes. These include phishing attacks in which recipients are sent URLs to spoofed Web sites asking for their financial data. Others are social engineering scams that instruct people to call a number where attackers try to trick them into exposing their personal details. Frauds where victims are told to call or text premium rate numbers were also encountered, but attack types varied depending on continent. The GSMA was happy with how well the SRS performed and plans to recommend the technology to its 1,000 member companies. Source:

For another story, see item 47 above in the Information Technology Sector