Thursday, February 23, 2012

Complete DHS Daily Report for February 23, 2012

Daily Report

Top Stories

• An international phone scam where callers in India posed as debt collectors bilked millions of dollars out of more than 10,000 U.S. residents by using threats of arrest or the loss of their jobs, authorities said. – Associated Press. See item 16 below in the Banking and Finance Sector.

• Code was published that attackers could use to crash fully patched versions of pcAnywhere on any Windows PC, without first having to authenticate to the PC. – InformationWeek. See item 34 below in the Information Technology Sector.


Banking and Finance Sector

11. February 22, Orange County Register – (California) Authorities: ‘Snowboarder Bandit’ robs Laguna Niguel bank. Deputies in Laguna Niguel, California, are investigating a bank robbery that occurred at 1:30 p.m. February 21 at a Chase Bank, with authorities briefly blocking off a parking structure at a busy Irvine shopping center to search for a suspect. Authorities believe the incident is tied to a serial robber known as the “Snowboarder Bandit,” suspected of carrying out at least seven Orange County holdups in Irvine, Laguna Hills, Anaheim Hills, Ladera Ranch, and Corona del Mar. In the latest robbery, the man handed the teller a note, then left with an unknown amount of cash, an Orange County Sheriff’s Department spokesman said. The “Snowboarder Bandit” earned his nickname due to his youthful appearance and the ski-type clothes he wears during robberies. Source:

12. February 22, U.S. Securities and Exchange Commission – (New York; International) SEC charges China-based executives with securities fraud. February 22, the U.S. Securities and Exchange Commission (SEC) charged two China-based executives with defrauding U.S. investors into believing they were investing in a Chinese coal business when in fact they were investing in an empty shell company. The SEC alleges Puda Coal Inc.’s chairman embarked on a scheme with its former chief executive officer (CEO) to steal and sell Puda’s sole revenue-producing asset, a coal-mining company named Shanxi Puda Coal Group. Just weeks before Puda Coal announced Shanxi Coal received a highly lucrative mandate from provincial government authorities, the chairman quietly transferred Puda’s 90 percent stake in Shanxi Coal to himself. In July 2010, he transferred a 49 percent equity interest in Shanxi Coal to CITIC Trust Co Ltd., a Chinese private equity fund. CITIC placed its 49 percent stake in Shanxi Coal in a trust and then sold interests in the trust to Chinese investors. The chairman caused Shanxi Coal to pledge 51 percent of its assets to CITIC as collateral for a $516 million loan from the trust to Shanxi Coal. In exchange, CITIC gave the chairman 1.212 billion preferred shares in the trust. According to the SEC’s complaint, the transactions were not approved by Puda’s board or shareholders and not disclosed in SEC filings, which the chairman and CEO knew were materially false and misleading. During two Puda Coal public offerings in 2010, CITIC was separately selling interests in Shanxi Coal to Chinese investors while the chairman and CEO were still telling U.S. investors Puda Coal owned a 90 percent stake in that company. Puda Coal’s common stock was listed and traded on the New York Stock Exchange from September 2009 to August 2011. Source:

13. February 21, Gaithersburg Gazette – (Maryland; Virginia) Beltway bank bandit pleads guilty last week, faces life in prison. A Beltsville, Maryland man connected to at least 20 robberies in Maryland and Virginia pleaded guilty February 17 to bank robbery and handgun charges in federal court. He was originally facing 14 charges in a Montgomery County, Maryland court following his arrest by police September 16, 2011. A felony information filing January 31 ultimately charged the man with one count each of bank robbery, the possession of a firearm by a previously convicted felon, and the use of a handgun in a violent crime. Police in Montgomery County and Arlington and Alexandria, Virginia, said they linked the man to as many as 13 bank jobs in Montgomery and at least 10 in Virginia from July 2, 2010, to September 6, 2011. He faces a maximum sentence of life in prison and a $750,000 fine, according to his plea agreement. Police estimate he made off with at least $108,706 in total from his robberies. Source:

14. February 21, Atlanta Journal-Constitution – (Georgia) Sandy Springs police arrest suspects in credit fraud case. Authorities arrested a Sandy Springs, Georgia couple in connection with the theft of possibly hundreds of credit card numbers, the Atlanta Journal-Constitution reported February 21. The wife faces 29 charges of financial identity fraud. Her husband was arrested February 14 and faces a charge of financial identity fraud and possession of tools for the commission of a crime. According to Sandy Springs Police, managers at a Taco Mac restaurant suspected the woman of stealing credit card numbers while working as a server. In December 2011, her managers saw her remove a portable skimmer from her apron pocket. Police said the managers later found the skimmer in the woman’s coat pocket and notified authorities. Information retrieved from the device indicated 29 credit card numbers were illegally obtained while the device was in the woman’s possession, police said. Detectives executed another search warrant at her home February 14, where they recovered three commercial credit card reading and writing devices, along with dozens of prepaid gift cards containing information allegedly gleaned from customers. Source:

15. February 21, Escondido North County Times – (California) Local couple accused in mortgage fraud scheme. An Escondido, California real estate agent and his wife pleaded not guilty February 21 to conspiracy and other charges related to what federal prosecutors said was a $50 million mortgage fraud. The couple and seven others were named in an indictment unsealed February 21. They all face multiple counts of conspiracy, wire fraud, money laundering, and criminal forfeiture. The U.S. attorney’s office accused the defendants of taking part in a multimillion-dollar mortgage fraud scheme that targeted low-income immigrants in San Diego. According to the indictment, the husband owned and operated real estate and mortgage brokerage businesses in San Diego and employed the other seven named in the indictment. Prosecutors said he and his employees conspired to get mortgage loans for unqualified buyers by lying to lenders about their job and salary information. According to the indictment, the loans were processed by the man’s wife, who worked at a subprime lender. Prosecutors also accused the defendants of conspiring to create false financial records for the purpose of verifying the income listed on applications. Lenders supplied more than $50 million in loans based on the false documents, losing more than $15 million, according to the indictment. Source:

16. February 21, Associated Press – (California; International) Authorities say debt-collector scam bilked millions. An international phone scam where callers in India posed as debt collectors bilked millions of dollars out of more than 10,000 U.S. residents by using threats of arrest or the loss of their jobs, U.S. authorities said February 21. The callers, who apparently coordinated with someone in the United States, drew on personal data snatched from payday loan Web sites, a Federal Trade Commission (FTC) official said. Over a 2-year period, at least 20 million calls may have been placed, with phony collectors typically demanding around $500, but sometimes asking for as much as $2,000. The investigation of a scam with so many millions of calls flooding in from India was a first of its kind, the FTC’s Midwest director said. From 2010 to 2012, $5 million was paid in 17,000 transactions to accounts controlled by the alleged fraudsters, the FTC said. No criminal charges have been filed, but the FTC charged Villa Park, California-based American Credit Crunchers LLC, Ebeeze, LLC, and their owner with violating the FTC Act and the Fair Debt Collection Practices Act in connection to the alleged scheme. The owner allegedly withdrew thousands of dollars paid by victims that ended up in his company accounts, though the FTC said it was not clear if the scheme was directed primarily from California or India. Source:

For another story, see item 32 below in the Information Technology Sector.

Information Technology

31. February 22, Softpedia – (International) XSS flaw in Skype Shop may allow hackers to steal user accounts. A Georgian security researcher has identified major cross-site scripting (XSS) vulnerabilities on the Skype Shop Web site and in the Skype Application Programming Interface (API) site. The first site is the official Skype store where customers can purchase items including headsets, phones, webcams, mobiles, and microphones. According to a blog post on the researcher’s personal site, the XSS flaw discovered on these sites could allow an attacker to hijack cookies if she manages to convince the potential victim to click on a specially designed link. If exploited successfully, a hacker could hijack the user’s session and even steal his account. Given the large number of visitors the site has, the vulnerability can be cataloged as being a “high risk” issue. The vulnerabilities were reported to Skype, and the company’s representatives redirected the report to Microsoft’s Security Response Center, which now handles certain problems found in Skype. Source:

32. February 22, Help Net Security – (International) New Zeus/SpyEye makes bots function as C&C servers. The latest build of the Zeus/SpyEye malware shows a change that could hamper security researchers’ ability to take down the botnets using it and to track the criminals behind them. According to Symantec researchers, a previous build already moved towards replacing the bot-to-command and control (C&C) system with peer-to-peer capabilities so the bots receive configuration files from other bots, and this new one has finalized the transition. “This means that every peer in the botnet can act as a C&C server, while none of them really are one,” said the researchers. “Bots are now capable of downloading commands, configuration files, and executables from other bots — every compromised computer is capable of providing data to the other bots.” Apart from making such a botnet practically immune to a takedown, the move also has the added benefit of making the tracking and blocking of IP addresses of the C&C servers obsolete. Source:

33. February 22, Softpedia – (International) ‘Dropper’ trojan hijacks critical DLL file to avoid detection. According to Bitdefender experts, the latest piece of malware, Trojan.Dropper.UAJ, hijacks a library file called comres.dll and alters it to ensure the malware is activated each time the library is used. The dynamic link library (DLL) is utilized by many popular applications, including Web browsers, networking tools, and other apps that communicate online. Known as DLL load hijacking, this technique relies on the fact that many applications are not programmed to load a specific library file; instead, they use whichever copy is most accessible or is placed in system folders. To ensure the success of this mechanism, Dropper makes a copy of the genuine comres.dll file, alters it, and then saves it in the Windows directory from where the operating system usually accesses it when needed. The trojan then drops a backdoor, identified by Bitdefender as Backdoor.Zxshell.B, which contains the code that compromises the system. Once this is accomplished, cybercriminals can add and remove user files and rights, change passwords, and execute files with elevated privileges. Source:
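A defender-side check for the mechanism described in item 33, added here as an example (it is not code from the report or from Bitdefender): it assumes the legitimate comres.dll copies live under System32 and SysWOW64 (and in the WinSxS component store), and it uses Get-ChildItem, Get-AuthenticodeSignature and Get-FileHash to list every copy of the file and flag any that sits elsewhere or does not carry a valid signature.

```powershell
# Added example, not from the report: hunt for planted copies of comres.dll and
# verify the Authenticode signature of every copy found. Run from an elevated prompt.
$dllName = 'comres.dll'

# Assumption: the genuine copies live in these directories (plus WinSxS).
$trusted = @("$env:WINDIR\System32", "$env:WINDIR\SysWOW64") | ForEach-Object { $_.ToLower() }
$winSxS  = "$env:WINDIR\WinSxS".ToLower()

# Search roots: the Windows directory itself (where the report says the trojan
# plants its copy) and the Program Files trees, since an application's own
# directory is consulted before the system directories for an unqualified DLL name.
$roots = @($env:WINDIR, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

$findings = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter $dllName -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_.DirectoryName.ToLower()
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [PSCustomObject]@{
                Path      = $_.FullName
                Expected  = ($trusted -contains $dir) -or $dir.StartsWith($winSxS)
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                SHA256    = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            }
        }
}

# A copy outside the expected locations, or one whose signature is not Valid,
# is the pattern the report describes and deserves a closer look.
$suspicious = $findings | Where-Object { -not $_.Expected -or $_.SigStatus -ne 'Valid' }

$findings | Format-Table Path, Expected, SigStatus, Signer -AutoSize
if ($suspicious) {
    Write-Warning "Suspicious $dllName copies found:"
    $suspicious | Format-List
} else {
    Write-Host "No unexpected or unsigned copies of $dllName found."
}
```

The SHA256 column lets you compare a flagged copy against the one in System32 (or SysWOW64 for 32-bit builds) before deciding whether it has been altered.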

34. February 21, InformationWeek – (International) Symantec pcAnywhere remote attack code surfaces. Code has been published that attackers could use to crash fully patched versions of pcAnywhere on any Windows PC, without first having to authenticate to the PC. The exploit details were made public February 17 in a Pastebin post from Alert Logic’s director of security research. Advertised as a “PCAnywhere Nuke,” the Python code can be used to create a denial of service by crashing “the ashost32 service,” he said. “It’ll be respawned so if you want to be a real pain you’ll need to loop this ... my initial impressions are that controlling execution will be a pain.” He said the exploit works even against the most recent, fully patched version of pcAnywhere (version 12.5.0 build 463 and earlier). “Symantec is aware of the posting and is investigating the claims,” said a Symantec spokeswoman. Source:

35. February 20, Help Net Security – (International) Researchers break video CAPTCHAs, offer solutions. After creating the “Decaptcha” software to solve audio CAPTCHAs, Stanford University’s researchers modified it and turned it against text and, more recently, video CAPTCHAs with considerable success. Video CAPTCHAs are touted by their developer, NuCaptcha, as the best and most secure method of spotting bots trying to pass themselves off as human users. Unfortunately for the company, the researchers managed to prove that more than 90 percent of the company’s video CAPTCHAs can be decoded by using their Decaptcha software in conjunction with optical flow algorithms created by researchers in the computer vision field of study. One of the researchers shared the team’s results and many details about their findings February 17, saying that while discussing ongoing research is unorthodox in the security community, the numerous interactions he had with various companies over the last 3 years made him realize many people rely on research results to design CAPTCHAs. Source:

For more stories, see items 16 above in the Banking and Finance Sector and 38 below in the Communications Sector.

Communications Sector

36. February 22, Tallahassee Democrat – (Florida) Bird leads to cable outage. Almost 3,000 Tallahassee, Florida residents were without cable February 22 after a bird interfered with a switch on a utility pole. At about 12 a.m., a bird interfered with a utility pole in the Buck Lake area of Tallahassee, an assistant to the city manager said. A Comcast representative said the city cleared the area at 5 a.m., which allowed Comcast to repair damage to the cable. She said Comcast originally believed the outage was caused by a squirrel’s nest igniting. The fiber was cut when the pole burned down, which led to the cable outage. The Comcast spokeswoman said it would be between 2 and 3 hours before the fiber was repaired due to the size of the cable. Source:

37. February 22, CNET News – (National) Verizon customers hit by another 4G LTE outage. Verizon’s 4G services continue to suffer growing pains with another outage being reported February 22 by users in several different states. A few customers in Michigan, Arizona, and Virginia posted messages about outages via the Verizon discussion forums, while Engadget received reports of data coverage being down in Indianapolis, Milwaukee, Phoenix, Pennsylvania, and Ohio. A tweet from the company highlighted this latest issue: “VZW is investigating customer issues in connecting to the 4GLTE data network. 3G data, voice and text services are operating reliably.” A Verizon spokesperson also confirmed the outage but said he had no further details. Though Verizon is claiming 3G data is unaffected, some commenters said otherwise. Engadget also said it heard from 3G customers reporting their service was down. Source:

38. February 22, H Security – (International) Report: IPv6 sees first DDoS attacks. Calling it a “milestone in IPv6 deployment,” Arbor Networks noted respondents in its seventh annual Worldwide Infrastructure Security Report said they observed distributed denial of service (DDoS) attacks on their IPv6 networks. The network monitoring and security provider said there are now enough IPv6 end-points to make launching a DDoS over IPv6 possible. Although the IPv6 DDoS attacks “in the wild” were a milestone, the report does note their rarity points to low IPv6 market penetration. Source:

39. February 21, Daily North Salem – (New York) Phone service down in Somers, North Salem, Bedford. Telephone service provided by LightPath, a division of Optimum, failed in some sections of Somers, North Salem, and Bedford, New York, February 21. In Somers, offices without telephone service include the town’s offices, the parks and recreation department, and the Somers Library. As of 2:30 p.m., e-mail access was available and highway telephones were working. There was no indication of when power would be restored to the Lightpath phone lines. Meanwhile, in North Salem, phone service was also interrupted throughout the day February 21, according to a supervisor. The outage is due to a cut cable belonging to Optimum LightPath, a Bedford town clerk said. The company services the Westchester Telecom Network that manages communication in numerous Westchester County municipalities, including Bedford, North Salem, and Somers. Source:

For another story, see item 31 above in the Information Technology Sector.