Friday, November 4, 2011

Complete DHS Daily Report for November 4, 2011

Daily Report

Top Stories

• About 3,000 Occupy Wall Street demonstrators forced a halt to operations at the nation's fifth busiest port in Oakland, California, November 2. – Associated Press (See item 11)

11. November 3, Associated Press – (National) Occupy Oakland protesters force halt to operations at busy port. Several thousand Occupy Wall Street demonstrators gathering in Oakland, California forced a halt to operations at the nation's fifth busiest port November 2, escalating a movement whose tactics had largely been limited to marches, rallies, and tent encampments since it began in September. Police estimated a crowd of about 3,000 had gathered at the Port of Oakland by about 5 p.m. Some had marched from the city's downtown, while others were bused to the port. A port spokesman said maritime operations had effectively been shut down. The interim Oakland police chief warned that protesters who went inside the port's gates would be committing a federal offense. Organizers said they want to stop the "flow of capital." The port sends goods primarily to Asia, including wine as well as rice, fruits and nuts, and handles imported electronics, apparel and manufacturing equipment, mostly from Asia, as well as cars and parts from Toyota, Honda, Nissan, and Hyundai. Source: http://www.huffingtonpost.com/2011/11/02/occupy-oakland-port_n_1072955.html

• The Los Angeles Police Department bomb squad arrested a man November 2, stating he assembled an "incendiary device" and was likely moments away from setting it off near a busy shopping center. – KTLA 5 Los Angeles (See item 33)

33. November 2, KTLA 5 Los Angeles – (California) Man arrested after bringing explosive device to shopping center. The Los Angeles Police Department (LAPD) bomb squad arrested a man November 2, stating he assembled an "incendiary device" and was likely only moments away from setting it off near a busy shopping center. The bomb squad descended on the shopping center about 2 p.m. after police detained a man in the parking lot who was making verbal threats, LAPD officials said. Officers noticed the man had "suspicious" devices in his white SUV. After he was detained, he continued to make threatening statements, leading police to believe a bomb could be in the area, officials said. A bomb squad robot pulled an item out of the SUV, a LAPD official said. Detectives later determined the man had several pieces of a large incendiary device — meant to explode and start a fire — inside the SUV. The device was hooked up and ready to be detonated; officials said, and the man was likely only moments away from setting it off. Officers arrested the man on suspicion of possession of an incendiary device. The bomb squad evacuated several stores in the area, and blocked off traffic for several hours. Source: http://www.ktla.com/news/landing/ktla-bomb-squad-searching-in-tarzana,0,6546019.story

Details

Banking and Finance Sector

6. November 3, Shoreline-Lake Forest Park Patch – (Washington) Shoreline bank robbers charged in federal court. Two men in their sixties with long criminal histories accused of robbing three banks in Shoreline, Washington, and two in Seattle, were charged October 28 in the U.S. District Court of Western Washington with bank robbery, armed bank robbery, and using a firearm in relation to a crime of violence. One of the men was charged with robbing Key Bank in Shoreline of $2,136 July 6. Both were charged with robbing Washington Federal Savings in West Seattle October 20 of $4,976, and using a shotgun and semi-automatic pistol in that robbery. They are also suspected of robbing a Wells Fargo branch in Shoreline September 12 and Key Bank October 3, and a Key Bank in Seattle August 8. A cooperating witness met with police investigators September 30, according to federal charging papers, and told them the men were responsible for the Key Bank robberies. Source: http://shoreline.patch.com/articles/shoreline-bank-robbers-charged-in-federal-court

7. November 2, Orlando Sentinel – (Florida) Feds: Group stole card numbers with 'skimmers'. Federal authorities haccused owners of an Orlando, Florida mobile-phone business of using stolen credit-card numbers — obtained via "skimming" devices implanted at gas stations — to buy hundreds of thousands of dollars of merchandise at area stores. The two men, co-owners of Simple Mobile, were arrested November 1 on charges of conspiring to produce, use, or traffic in one or more counterfeit devices, following a lengthy U.S. Secret Service investigation. Three others are also accused of participating in the credit-card scheme, according to a criminal complaint filed in Orlando federal court the week of October 31. Agents said the group obtained credit-card numbers from skimming devices installed on Central Florida gas-station pumps, and then used equipment to manufacture credit cards, debit cards, and gift cards with the stolen numbers. A confidential source told authorities he saw one of the men use a card reader/encoder to re-encode cards with stolen credit-card numbers. The source also told authorities he saw about 1,000 Target gift cards on a single visit to the man's house. Those fraudulent cards were then sold at Simple Mobile, the source told authorities. Throughout their investigation, agents identified hundreds of thousands of dollars in fraudulent credit card purchases made at Target, Best Buy, Home Depot, and other stores. The group was already on the radar of Target asset-protection investigators when the Secret Service started its inquiry. Target investigators documented the fraudulent charges and identified the vehicles the suspects drove during their visits to the stores through surveillance video. American Express identified about $125,565 worth of fraudulent charges at Target related to the case, and Discover identified about $30,220, court documents said. American Express said the credit-card numbers were stolen at a Hess gas station in Winter Springs. The Secret Service accuses the group of using more than 175 fraudulent credit cards between January and October. On October 19, a U.S. Customs officer intercepted a package en route to Simple Mobile, which contained an embossing machine, a device often used to manufacture credit cards. Source: http://articles.orlandosentinel.com/2011-11-02/news/os-business-owners-credit-card-fraud-20111102_1_credit-cards-gift-cards-credit-card-scheme

8. November 2, Orange County Register – (California) Man suspected as ‘Stare Down' bandit arrested. A man suspected of being a serial bank robber known as the "Stare Down" bandit was taken into custody November 2 in Tustin, California, authorities said. Tustin officers and FBI agents working on a tip from an Orange County Sheriff's Department task force arrested the man they suspect of carrying out bank robberies in Tustin, Santa Ana, and Irvine, as well as an attempted robbery in Huntington Beach, an FBI spokeswoman said. The first robbery occurred at a Bank of the West branch in Santa Ana September 23, when the robber escaped with several hundred dollars, although a dye pack placed in with the money exploded in the bank's parking lot. On October 3, the robber took an undisclosed amount of money from a Bank of America in Irvine, hours after he left an attempted robbery earlier in the day after a clerk at a U.S. Bank branch in Huntington Beach refused to give him cash. The Huntington Beach attempt led to the "stare down" moniker, with FBI officials indicating the man stared at the clerk for a long time before leaving the bank after she refused to give him money. The latest suspected "Stare Down" bandit robbery took place October 31, when he took an undisclosed amount of money from a Bank of America branch in Tustin, the FBI spokeswoman said. In all four incidents, the bandit reportedly handed tellers notes and demanded money. He reportedly claimed to have a gun during the Santa Ana robbery, but there was no indication that a weapon was seen. Source: http://www.ocregister.com/news/bank-325122-down-bandit.html

9. November 2, Infosecurity – (International) Trusteer spots new trend in SpyEye/Zeus code development: webinjects. Trusteer reported that they have discovered a new type of extensible code that is being developed by cybercriminals when customizing banking trojans such as SpyEye and Zeus. The new code attacks are called webinjects. According to the in-browser Web security specialist, webinjects are now being offered for sale or rent on open Internet forums. They effectively allow anyone with spare cash to use them for fraudulent purposes. Trusteer, which collates data anonymously from the many millions of online banking service users that installed its Rapport browser plug-in, said webinjects are malware configuration directives used to inject rogue content in the Web pages of bank Web sites. They are then used to steal confidential information from the institution’s customers. The security software firm said that, from the advertisements its research team have seen, there are multiple targets, including British, Canadian, American, and German banks. Source: http://www.infosecurity-magazine.com/view/21767

Information Technology Sector

29. November 3, Softpedia – (International) InDesign license key emails spread new trojan. An e-mail that promises a license key for Adobe's InDesign CS4 turns out to be a malicious campaign that distributes a new trojan, which at the time of writing was detected only by 7 out of the 43 AV engines listed in Virus Total. MX Labs intercepted a lot of e-mails that come with the subject “Your InDesign CS4 License key.” The messages appears to be coming from a spoofed e-mail address that could fool users into believing it really came from Adobe. The example addresses discovered so far are account-no2532@adobe.com, information@adobe.com, or help-no.146@adobe.com. The ZIP file attached is called License_key_N7853.zip and once its content is extracted, the user is faced with a Licese_key executable that reveals itself to be the a piece of malware identified by Sophos as being Troj/Bredo-LK. Once it lands on a device, it copies itself to the Startup folder of the operating system, replicating a DirectX component. To make sure it cannot be easily detected, it creates a process called svchost which makes sure every time the computer starts, it can fulfill its mission. Each time it is executed, Bredo sends HTTP requests to a recently registered Russian domain. At the time it was found by the researchers, the trojan was only being detected by a handful of security solutions providers. F-Prot detected it as W32/Yakes.F.gen!Eldorado, and Symantec as Downloader.Chepvil. Source: http://news.softpedia.com/news/InDesign-License-Key-Emails-Spread-New-Trojan-231975.shtml

30. November 2, threatpost – (International) Microsoft mum on Duqu fix in November. Microsoft said it is looking into a reported zero day vulnerability in Windows used by the Duqu malware to spread, but is not committing to a patch for the problem in time for November's scheduled update. “Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware," the company said in a statement attributed to a member of the company's Trustworthy Computing effort. "We are working diligently to address this issue and will release a security update for customers through our security bulletin process.” Source: http://threatpost.com/en_us/blogs/microsoft-mum-duqu-fix-november-110211

31. November 1, IDG News Service – (International) Facebook denies vulnerability, then quietly fixes it. Facebook apparently fixed a vulnerability in its social-networking site after insisting it was not a weakness and did not need to be remedied, IDG News Service reported November 1. An employee who works for the technology consultancy CDW updated his blog November 1 to reflect the flaw had been fixed. The problem allowed a user to send another user an executable attachment by using Facebook's "Message" feature. The sender and the recipient did not have to be confirmed friends. The CDW employee, who notified Facebook September 30, found Facebook parses part of a POST request to the server to see if the file being sent should be allowed. Usually, executable files are rejected. However, the CDW employee found that if he modified the POST request with an extra space after the file name for the attachment, iwould go through. If a victim accepted the file, the person would still need to launch itfor malicious software to be installed. The danger is Facebook could be used for so-called spear phishing, or targeted attacks with the intention of loading malware on a victim's machine. Source: http://www.computerworld.com/s/article/9221368/Facebook_denies_vulnerability_the_quietly_fixes_it

See item 9 above in the Banking and Finance Sector

Communications Sector

See item 31 above in the Information Technology Sector