Wednesday, April 25, 2012

Complete DHS Daily Report for April 25, 2012

Daily Report

Top Stories

• Officials worked to place booms to stop oil from getting into waterways after a stubborn fire at a recycled oil refinery in Utah County, Utah. The refinery could be closed for a few months. – KSL 5 Salt Lake City

4. April 23, KSL 5 Salt Lake City – (Utah) Officials investigating dangerous oil refinery fire. Federal, state, and local investigators and specialists are looking further into a fire at a recycled oil refinery in Utah County, Utah, the week of April 16. The fire shut down the plant and had crews scrambling to place booms in Utah Lake over fears of where the oil might go. The fire took place April 19 in an oil tank at Rock Canyon Oil in American Fork. It re-ignited a half-dozen times, the company general manager said. The firm believes the problem may have been a crack in a tube used to heat the oil tank, though the official cause has not been determined. April 20, officials with the Utah Department of Environmental Quality and Occupational Safety and Health Administration joined the Utah County Fire Marshal and city sewer workers in surveying the site. The refinery could be closed for a few months. According to a spokesman, tens of thousands of dollars of fire equipment was damaged or ruined by the fire. Rock Canyon Oil did not have a damage estimate yet, according to the general manager. Source:

• An internal audit found many U.S. Environmental Protection Agency radiation monitors were out of service at the height of the 2011 Fukushima power plant meltdown in Japan. – Global Security Newswire

9. April 23, Global Security Newswire – (National) Audit confirms EPA radiation monitors broken during Fukushima crisis. An internal audit confirmed observers’ concerns that many of the U.S. Environmental Protection Agency’s (EPA) radiation monitors were out of service at the height of the 2011 Fukushima power plant meltdown in Japan, Government Security Newswire reported April 23. The report detailed problems with the agency’s “RadNet” monitoring system. Agency contractors are responsible for maintaining the monitors and repairing them when they are broken. However, according to the report, the EPA has not managed those contracts as high priorities, despite having identified the monitors as “critical infrastructure” under the 2001 Patriot Act. As a result, there have been numerous delays in repairing broken monitors. In addition, the agency has in many instances allowed filters to go unchanged for longer than the twice-per week that its policy dictates, the audit said. Because of these issues, 20 percent of the monitors were out of service the day the Fukushima crisis began, according to the report. Source:

• Russian-speaking hackers earned about $4.5 billion globally in 2011, using various online criminal tactics targeting the financial sector and individual bank accounts, a new report found. – IDG News Service See item 15 below in the Banking and Finance Sector

• Copper thieves cut a fiber optic cable, knocking out broadband service to thousands of customers, including two sheriff’s stations, in the San Diego area April 24. – KNSD 7 San Diego See item 52 below in the Communications Sector

• A 6-alarm fire ripped through the top floor of a condominium complex in Marlborough, Massachusetts, leaving 67 people temporarily homeless. The fire also closed area roads and a courthouse. – Framingham MetroWest Daily News

54. April 24, Framingham MetroWest Daily News – (Massachusetts) Six-alarm fire in Marlborough leaves 67 homeless. A 6-alarm fire ripped through the top floor of a condominium complex in Marlborough, Massachusetts, April 23, leaving 67 people temporarily homeless. Firefighters from a dozen communities battled the fire much of the day, drawing water from nearby Lake Williams to increase the volume they poured onto the fire. Four firefighters were sent to the hospital with minor injuries and were released, a fire chief said. The fire appeared to have started in the top floor of the building, which was where residents stored property. Most of the fire was confined to the top floor, but the building received extensive water damage. Traffic on Route 20 was rerouted throughout the day and into the evening. The exits leading to Marlborough from Interstate 495 were also closed. Power was shut down to the area for firefighter safety, which forced Marlborough District Court to shut down for the day. Source:


Banking and Finance Sector

13. April 24, Help Net Security – (International) Phishing and malware meet check fraud. Trusteer recently uncovered a scam in an underground forum that shows how data obtained through phishing and malware attacks can be used to make one of the oldest forms of fraud — check forging — even harder to prevent. The scam involves a criminal selling pre-printed checks linked to corporate bank accounts in the United States, the United Kingdom, and China. The criminal is selling falsified bank checks made with specialized printing equipment, ink, and paper. For $5 each, they will supply checks that use stolen data provided by the buyer. However, to purchase checks that use stolen credentials supplied by the counterfeiter the cost is $50. Check data fields include personal information and financial data. To obtain all the required data, fraudsters typically must get their hands on a physical or scanned version of a real check in circulation. Many banking Web sites provide access to scanned versions of paid and received checks. Online banking log-in credentials obtained through malware and phishing attacks can be used to access a victim’s account and collect all the required information to commit check fraud. Also, before using the checks, fraudsters can ensure account balance is sufficient to approve the transaction. The criminal recommends using the checks to buy products in stores rather than trying to redeem them for cash. Buyers are encouraged to carry fake identification cards that match stolen credentials on the check. The check counterfeiter offers to provide these too. Source:

14. April 24, Associated Press – (Pennsylvania; Florida) More than $1M found in armored car heist arrest. Between $1.3 million to $1.5 million of the money that a man allegedly stole from the armored car he was working on has been recovered, along with the gun likely used to kill his co-worker in Pittsburgh, an FBI special agent said April 24. The special agent in charge, who heads the Pittsburgh FBI office, told reporters April 24 that the suspect led investigators to the money, which was part of the $2.3 million that went missing from the armored car he was paid to guard. The agent also said the suspect, who was being cooperative, had a pair of handguns with him when he was arrested in Florida, including the one supplied by his company, Garda Cash Logistics. He said the suspect had “indicated” that was the weapon used in the shooting and robbery. Source:

15. April 24, IDG News Service – (International) Russian cybercriminals earned $4.5 billion in 2011. Russian-speaking hackers earned an estimated $4.5 billion globally using various online criminal tactics and are thus responsible for 36 percent of the estimated total of $12.5 billion earned by cybercriminals in 2011, Russian security analyst firm Group-IB said in a report published April 24. The researchers estimate the total share of the Russian cybercrime market alone doubled to $2.3 billion, while the whole Russian-speaking segment of the global cybercrime market almost doubled, to $4.5 billion. In 2011, the cybercrime market was embraced by traditional organized crime groups trying to control the entire theft process. The cybercrime market has consolidated, with the rise of several major groups. This could lead to “an explosive increase of attacks” on the financial sector, the researchers warned. Online banking fraud, phishing attacks, and the theft of stolen funds increased within Russia and was the largest area of cybercrime, amounting to an estimated $942 million. In Russia, there also was a trend in targeting individuals rather than financial institutions for online banking fraud, and criminals mainly used Web-inject technologies and trojan programs to lead users to phishing sites. Source:

16. April 23, Help Net Security – (National; International) Bank of America phishing emails doing rounds. Fake warning e-mails are targeting Bank of America customers and asking them to update their account. With “Bank of America Warning : Error Statement” in the subject line, the vaguely credible HTML e-mail states the target’s “Bank of America account showed unusual activities this morning.” “What to do next? Sign in now to verify your logon details,” the e-mail urges. Unfortunately, all the links in the e-mail take the recipient to a spoofed Bank of America Web site, where they are asked to sign in by entering their log-in details and are prompted to share additional personal and financial information to “verify” their accounts. “The care and detail with which the scam email has been created makes this phishing scam attempt a little more sophisticated than some other such attacks and may fool at least a few bank customers into supplying the requested details,” according to Hoax-Slayer. Source:
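The scam in item 16 relies on an HTML message whose links all lead to a look-alike site. As an added illustration (not code from the original report or from Hoax-Slayer), the following mail-gateway-style check compares where each anchor actually points with the brand it claims. The message, the brand domain "example-bank.com" and the spoof hosts are constructed samples; the spoof host uses the reserved .example TLD and 203.0.113.7 is a documentation address.

```python
"""Audit the links in an HTML e-mail against the sender's claimed domain.

Flags anchors whose host is not under the claimed brand domain, anchors
pointing at a raw IP address, and anchors whose visible text is itself a
URL naming a different host than the href (a classic display mismatch).
All sample data here is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

CLAIMED_DOMAIN = "example-bank.com"   # assumed brand domain (constructed)

# Constructed phishing-style message modelled on the wording in item 16.
SAMPLE_EMAIL = """\
<html><body>
<p>Your account showed unusual activities this morning.</p>
<p>What to do next? <a href="http://example-bank.com.verify-login.example/signin">Sign in now</a>
to verify your logon details.</p>
<p>Or visit <a href="http://203.0.113.7/ebank">https://www.example-bank.com/secure</a></p>
<p><a href="https://www.example-bank.com/help">Help center</a></p>
</body></html>
"""


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []      # list of [href, text]
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.anchors.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def same_site(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def audit_links(html, claimed_domain=CLAIMED_DOMAIN):
    """Return a list of findings, one per suspicious anchor."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = urlsplit(href).hostname or ""
        text = text.strip()
        reasons = []
        if not same_site(host, claimed_domain):
            reasons.append("host_not_under_claimed_domain")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("raw_ip_host")
        # Visible text that looks like a URL must name the same host as href.
        shown = urlsplit(text).hostname if "://" in text else None
        if shown and shown.lower() != host.lower():
            reasons.append("visible_url_differs_from_href")
        if reasons:
            findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(finding["host"], "->", ", ".join(finding["reasons"]))
```

The subdomain test is deliberately strict: "example-bank.com.verify-login.example" begins with the brand name but is not under it, which is exactly the trick such messages use.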

17. April 23, Associated Press – (New York) NY attorney general files fraud suit against company that leases credit card machines. The New York attorney general (AG) April 23 sued a company that leases credit card machines to small businesses, claiming Northern Leasing Systems Inc. fraudulently attempted to drain more than $10 million from 100,000 former customers with expired leases. The AG’s office said the firm kept at least $3.5 million from the scheme launched in March 2011, while disguising it with a shell company called SKS Associates LLC. The complaint also names Northern Leasing affiliates Lease Finance Group LLC, MBF Leasing LLC, Golden Eagle Leasing LLC, and Lease Source-LSI LLC all operating from the same address. The lawsuit seeks restitution, disgorgement of profits, penalties, and fees. The AG said the investigation was prompted by more than 70 complaints, and the firm claimed it was collecting taxes and administrative fees previously unpaid. The suit cited two class-action lawsuits and hundreds of complaints against Northern Leasing alleging predatory sales and deceptive lease agreements. Leases typically had 4-year terms with automatic monthly payments that required customers to provide checking account and bank routing numbers. “Ultimately, over 77 percent of the amounts sought by SKS were not even taxes at all but merely alleged ‘fees’ related to the taxes,” the complaint said. “Respondents debited former customers with expired contracts, including many customers who had received releases from their contracts when they executed buyout options to purchase the equipment.” Source:

18. April 23, Reuters – (Louisiana; National; International) SEC charges SinoTech, execs. Securities regulators charged China-based SinoTech Energy Ltd. and its senior executives with misleading investors April 23, part of an effort to crack down on accounting problems at Chinese companies listed in the United States. The U.S. Securities and Exchange Commission’s (SEC) civil suit, filed in a U.S. district court in Louisiana, alleges the oil field services company and its executives “continuously and intentionally misled investors” about the value of its assets and how it used the $120 million in proceeds from its November 2010 initial public offering. The SEC alleges SinoTech’s chief executive officer and former chief financial officer were responsible for the fraud. The SEC also charged the company’s chairman, saying he stole $40 million from a SinoTech bank account. The investor protection agency is seeking financial penalties and to bar the executives from serving as officers or directors of U.S. public companies. SinoTech was previously listed on the Nasdaq market, but its shares were halted in August 2011, the SEC said. Nasdaq then suspended trading in October 2011, and delisted the stock January 6. Source:

19. April 23, U.S. Securities and Exchange Commission – (California) SEC charges former CalPERS CEO and friend with falsifying letters in $20 million placement agent fee scheme. The U.S. Securities and Exchange Commission April 23 charged the former chief executive officer (CEO) of the California Public Employees’ Retirement System (CalPERS) and his close personal friend with scheming to defraud an investment firm into paying $20 million in fees to the friend’s placement agent firms. The SEC alleges the two fabricated documents given to New York-based private equity firm Apollo Global Management. Those documents gave Apollo the false impression CalPERS had reviewed and signed placement agent fee disclosure letters in accordance with its established procedures. In fact, the pair intentionally bypassed those procedures to induce Apollo to pay placement agent fees to the friend’s firms. The false letters bearing a fake CalPERS logo and the CEO’s signature were provided to Apollo, which then went ahead with the payments. Based on these false documents, Apollo was induced to pay more than $20 million in placement agent fees it would not have paid without the disclosure letters. Source:

Information Technology

42. April 24, Softpedia – (International) Microsoft Office flaw exploited in the wild with malicious documents. Security researchers from McAfee warn the CVE-2012-0158 vulnerability that exists in Microsoft Office and other products that use MSCOMCTL.OCX is being exploited in the wild with the aid of maliciously crafted RTF, Word, and Excel files. The security hole was patched with the April 2012 updates, but many users failed to apply them, giving cybercriminals the opportunity to launch malicious operations. Experts found the specially designed files come with a vulnerable OLE object embedded, usually being served to users via unsolicited e-mails. When the malevolent file is opened, the victim sees a regular document presented as bait, but in the background, a trojan is installed. The infection begins when the Word process opens the crafted document. The CVE-2012-0158 flaw is exploited and the shellcode in the OLE file is triggered. This shellcode is responsible for installing the trojan in the Temp folder. At this stage, the same shellcode starts a new Word process and opens the bait document, which is also dropped in the same Temp directory. The first process is terminated and the victim is presented only with the legitimate-looking document. Because in the first step the malicious element is executed and only then the genuine file is run, users whose computers are targeted may see that Word opens, quits, and then, almost immediately, re-launches to display the bait. Source:
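The chain in item 42 leaves a distinctive host-side trace: Word writes an executable into Temp, relaunches itself on a document in Temp, and exits. The following detection heuristic is an added example (not code from the report or from McAfee) that looks for exactly that sequence in a process/file event log. The log format is a constructed, simplified one (time|event|pid|ppid|image|detail), not the schema of any real EDR or Sysmon product, and the file and path names are made up.

```python
"""Flag the Word relaunch pattern described for CVE-2012-0158 lures.

Defensive host-log heuristic: report a winword.exe process that
  1. writes an executable into the user's Temp directory, then
  2. spawns a second winword.exe whose command line opens a document
     in Temp within a short window, and
  3. (usually) exits right afterwards.
Sample events and the constructed log format are not from any product.
"""
import re
from collections import defaultdict

WORD_IMAGE = re.compile(r"\\winword\.exe$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
EXECUTABLE = re.compile(r"\.(exe|dll|scr)$", re.IGNORECASE)

# Constructed sample events. The dropped file name "dropper.exe" is made up.
SAMPLE_EVENTS = r"""
10:00:01|proc_start|4000|900|C:\Windows\explorer.exe|
10:00:05|proc_start|4100|4000|C:\Program Files\Microsoft Office\winword.exe|"C:\Users\a\Downloads\invoice.doc"
10:00:06|file_write|4100|4000|C:\Program Files\Microsoft Office\winword.exe|C:\Users\a\AppData\Local\Temp\dropper.exe
10:00:06|file_write|4100|4000|C:\Program Files\Microsoft Office\winword.exe|C:\Users\a\AppData\Local\Temp\invoice.doc
10:00:07|proc_start|4200|4100|C:\Program Files\Microsoft Office\winword.exe|"C:\Users\a\AppData\Local\Temp\invoice.doc"
10:00:08|proc_end|4100|4000|C:\Program Files\Microsoft Office\winword.exe|
10:05:00|proc_start|4300|4000|C:\Program Files\Microsoft Office\winword.exe|"C:\Users\a\Documents\notes.docx"
10:05:30|proc_end|4300|4000|C:\Program Files\Microsoft Office\winword.exe|
"""


def _seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_events(text):
    """Parse the constructed pipe-delimited format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, kind, pid, ppid, image, detail = line.split("|", 5)
        events.append({"t": _seconds(t), "kind": kind, "pid": int(pid),
                       "ppid": int(ppid), "image": image,
                       "detail": detail.strip('"')})
    return events


def find_word_relaunch(text, window=60):
    """Return one alert per Word process showing the drop-and-relaunch pattern."""
    drops = defaultdict(list)     # Word pid -> executables it wrote into Temp
    children = defaultdict(list)  # parent pid -> child Word starts on Temp docs
    ended = {}                    # Word pid -> exit time
    for e in parse_events(text):
        if not WORD_IMAGE.search(e["image"]):
            continue
        if e["kind"] == "proc_start" and TEMP_DIR.search(e["detail"]):
            children[e["ppid"]].append(e)
        elif (e["kind"] == "file_write" and TEMP_DIR.search(e["detail"])
              and EXECUTABLE.search(e["detail"])):
            drops[e["pid"]].append(e)
        elif e["kind"] == "proc_end":
            ended[e["pid"]] = e["t"]

    alerts = []
    for pid, dropped in drops.items():
        first_drop = min(d["t"] for d in dropped)
        for child in children.get(pid, []):
            # Relaunch must follow the drop closely; the parent's exit is
            # recorded as supporting evidence rather than required.
            if 0 <= child["t"] - first_drop <= window:
                alerts.append({
                    "parent_pid": pid,
                    "child_pid": child["pid"],
                    "dropped": [d["detail"] for d in dropped],
                    "bait": child["detail"],
                    "parent_exited": pid in ended,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_word_relaunch(SAMPLE_EVENTS):
        print(alert)
```

The ordinary Word session (pid 4300) opens a document from the user's profile, writes nothing executable and spawns no child, so it produces no alert; only the pid 4100 chain matches.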

43. April 24, The Register – (IDG News Service) Hackers now pick tools from script kiddies’ toybox – report. Hackers are increasingly turning to automated software tools to launch attacks. According to research from Imperva, more than 60 percent of SQL injection attacks and as many as 70 percent of Remote File Inclusion attacks (the two most common attack types) are automated. Remote File Inclusion attacks allow hackers to plant back doors on PHP-based Web sites. Tools like Havij and SQLMap are used by miscreants to probe for vulnerabilities and execute SQL injection attacks. These tools also employ techniques to evade detection, such as periodically changing headers or splitting attacks through controlled hosts to avoid black-listing. In the past, using attack tools was purely for novices, but these attitudes are changing, said Imperva’s director of security strategy. Automatic attack tools can be used to attack more applications and exploit more vulnerabilities than any manual method, making them a useful adjunct for skilled attackers. Source:
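Item 43 notes that automated tools rotate headers and spread requests across several hosts to stay under per-IP blacklisting thresholds. The added example below (not code from the report or from Imperva) shows why a per-IP counter misses such a campaign while clustering injection-looking requests by target path and parameter still exposes it. The access-log lines are constructed samples in a Combined Log Format-like layout with documentation-range addresses; the payload signatures are the generic ones any web application firewall matches on.

```python
"""Cluster SQL-injection probes by target rather than by source.

Each source IP sends only a couple of requests with its own User-Agent,
so a per-IP threshold never fires. Grouping by (path, parameter) shows
one campaign of six probes from three hosts and three user agents.
The log lines are constructed samples.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Ordered from most to least specific so the first match names the family.
SQLI_PATTERNS = [
    ("time_based", re.compile(r"\b(sleep|benchmark|waitfor)\s*\(", re.I)),
    ("union", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("quote_break", re.compile(r"'\s*(or|and)\b|'\s*--|'\s*$", re.I)),
    ("comment", re.compile(r"/\*|--")),
]

# Constructed access log: three probing hosts, then two benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2012:10:00:01 +0000] "GET /product.php?id=1' HTTP/1.1" 500 512 "-" "Mozilla/5.0 (Windows NT 6.1)"
10.0.0.5 - - [24/Apr/2012:10:00:02 +0000] "GET /product.php?id=1'+AND+1=1-- HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1)"
10.0.0.9 - - [24/Apr/2012:10:00:03 +0000] "GET /product.php?id=1'+UNION+SELECT+1,2,3-- HTTP/1.1" 200 2100 "-" "Opera/9.80"
10.0.0.9 - - [24/Apr/2012:10:00:04 +0000] "GET /product.php?id=1'+UNION+SELECT+1,2,3,4-- HTTP/1.1" 200 2100 "-" "Opera/9.80"
10.0.0.12 - - [24/Apr/2012:10:00:05 +0000] "GET /product.php?id=1'+AND+SLEEP(5)-- HTTP/1.1" 200 2048 "-" "curl/7.21"
10.0.0.12 - - [24/Apr/2012:10:00:06 +0000] "GET /product.php?id=%271%27%20OR%201=1 HTTP/1.1" 200 2048 "-" "curl/7.21"
10.0.0.40 - - [24/Apr/2012:10:01:00 +0000] "GET /product.php?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh)"
10.0.0.41 - - [24/Apr/2012:10:01:10 +0000] "GET /about.html HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11)"
"""


def parse_line(line):
    """Parse one log line; parse_qsl also URL-decodes the parameter values."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify(value):
    """Return the injection family a parameter value resembles, or None."""
    for family, pattern in SQLI_PATTERNS:
        if pattern.search(value):
            return family
    return None


def per_ip_counts(log_text):
    """Naive view: suspicious requests per source IP."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and any(classify(v) for _, v in rec["params"]):
            counts[rec["ip"]] += 1
    return dict(counts)


def cluster_by_target(log_text):
    """Target view: suspicious requests grouped by (path, parameter name)."""
    clusters = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            family = classify(value)
            if family is None:
                continue
            c = clusters.setdefault((rec["path"], name), {
                "requests": 0, "ips": set(), "user_agents": set(), "families": set()})
            c["requests"] += 1
            c["ips"].add(rec["ip"])
            c["user_agents"].add(rec["ua"])
            c["families"].add(family)
    return clusters


def flag_campaigns(log_text, min_requests=5, min_sources=2):
    """Targets probed at volume from more than one source."""
    return {key: c for key, c in cluster_by_target(log_text).items()
            if c["requests"] >= min_requests and len(c["ips"]) >= min_sources}


if __name__ == "__main__":
    print("per-IP:", per_ip_counts(SAMPLE_LOG))
    for (path, param), c in flag_campaigns(SAMPLE_LOG).items():
        print(f"{path}?{param}: {c['requests']} probes from {len(c['ips'])} IPs, "
              f"{len(c['user_agents'])} user agents, families {sorted(c['families'])}")
```

With a per-IP threshold of five, no source crosses the line (each sent two requests); the per-target cluster on /product.php?id records six probes across three IPs and three user agents, which is the signal a rotating tool cannot hide by changing headers.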

44. April 24, IDG News Service – (International) India overtakes U.S. as top email spam source. The volume of e-mail spam that originated from India during the first 3 months of 2012 exceeded the volume coming from the United States and transformed the Asian country into the world’s top spam source, security firm Sophos said April 23. India was responsible for 9.3 percent of global e-mail spam traffic seen from January to March, according to Sophos’ latest Dirty Dozen report, which lists the top 12 countries from which most spam originates. The United States, which has been the traditional leader of the list, came in second place after India during the first quarter of 2012, at 8.3 percent. It was followed by South Korea with 5.7 percent. The vast majority of spam is sent by computers that are infected with some type of malware and are part of a botnet, a senior technology consultant at Sophos said. “If you have a spam in your inbox, there’s an almost one in ten chance that it was relayed from an Indian computer.” Source:

45. April 24, IDG News Service – (International) Macs more likely to carry Windows malware than Mac malware, Sophos says. One in 5 Mac computers is likely to carry Windows malware, but only 1 in 36 is likely to be infected with malware specifically designed for Mac OS X, according to a study performed by antivirus firm Sophos. Sophos collected malware detection statistics from 100,000 Mac computers that run its free antivirus product and found that 20 percent of them contained one or more types of Windows malware. When stored on a Mac, Windows malware is inactive and cannot do any harm, unless that computer has Windows installed as a secondary OS. However, such malicious files can still be transferred unknowingly by Mac users to Windows machines via file sharing, USB memory sticks, external hard disk drives, and other removable media devices. Sophos’ analysis also revealed that 2.7 percent of the 100,000 scanned Macs were actually infected with Mac OS X malware, and a large part of those infections, 75 percent, were with the Flashback trojan. Source:

46. April 24, Softpedia – (International) TreasonSMS bug allows hackers to execute malicious code on iPhones. Researchers from the Vulnerability Lab found high severity HTML Inject and File Include security holes in TreasonSMS, an iPhone application that allows users to send text messages from their desktop computers by turning the phone into an SMS Web server. According to the experts, the vulnerabilities can be exploited remotely, allowing an attacker to “include malicious persistent script codes on the application-side of the iPhone.” The security hole can also be leveraged to inject Web shell scripts that would give cybercriminals complete control of the affected application directory. If the device is jailbroken, things become even more complicated. On tampered iPhones, an attacker could take control not only of the application folder, but also of the entire phone. Source:

47. April 24, The Register – (International) Number-munching clouds are godsend for cybercrooks - experts. Cloud computing providers recently came under fire from security experts who blamed them for giving cyber criminals the tools to launch attacks more easily, efficiently, and anonymously than ever before. Speaking at the fourth InfoSecurity Summit in Hong Kong April 24, a senior consultant at the city-state’s computer emergency response team argued that crooks are making the most of the sudden rise of distributed number-crunching services. “They are using it more efficiently for Web hosting and they can subscribe to cloud services to get bandwidth on demand,” he said. “They can hack computers thanks to the computing power of Amazon and it’s very hard to trace them. We need to solve this problem with the cloud service providers.” Source:

48. April 23, eSecurity Planet – (International) Anonymous hackers dominate IT security pros’ fears. According to the 2012 Bit9 Cyber Security Research Report, 64 percent of IT security professionals believe their organizations will be targeted by cyberattacks within the next 6 months, and 61 percent say those attacks are most likely to be led by members of Anonymous or other hacktivists. However, the attack methods that dominate security pros’ concerns are not tied to Anonymous. Forty-five percent of respondents are most worried about malware attacks, and 17 percent are concerned about spear phishing (both common attack methods for cybercriminals and nation states), while Anonymous’ favored method, the distributed denial-of-service attack, leads the concerns of only 11 percent of respondents. Source:

49. April 23, Threatpost – (International) Google ups bounty for bugs to $20,000. Google said it is updating its rewards and rules for the bounty program, which is celebrating its first anniversary. In addition to a top prize of $20,000 for vulnerabilities that allow code to be executed on product systems, Google said it would pay $10,000 for SQL injection and equivalent vulnerabilities in its services, and for certain vulnerabilities that leak information or allow attackers to bypass authentication or authorization features. The company said it would also begin distinguishing between the prices paid for vulnerabilities in high risk applications — such as Google Wallet — and those in lower risk applications and products from what it terms “non integrated acquisitions.” Source:

50. April 23, ZDNet – (International) New Flashback variant silently infects Macs. The Flashback trojan that infected more than 600,000 Apple Macs earlier in April still reportedly has a very high infection rate, despite the fact Apple patched the Java vulnerability and released a removal tool. Now, security firm Intego says it discovered a new Flashback variant that installs without prompting the user for a password. This version, which Intego refers to as Flashback.S, places its files in the user’s home folder. Once Flashback.S is done installing itself, it then deletes all files and folders in ~/Library/Caches/Java/cache to remove the applet from the infected Mac. This is done to avoid detection or sample recovery, according to the security firm. Two other Mac-specific trojans were discovered since Flashback’s hype: one that also exploits Java and another that exploits Microsoft Word. Source:

For more stories, see items 13, 15 and 16 above in the Banking and Finance Sector and 52 below in the Communications Sector

Communications Sector

51. April 24, WZZM 13 Grand Rapids – (Michigan) Dispatch phone problems easing. Emergency dispatchers in Montcalm County, Michigan, reported problems with cellular phone service in the Greenville area that may be linked to landline problems in Kent and Ionia counties, WZZM 13 Grand Rapids reported April 24. A fiber optic line cut in Kent County’s Grattan Township caused the problems. Kent and Ionia County dispatchers have said their problems with landline service have been fixed. Source:

52. April 24, KNSD 7 San Diego – (California) Thousands, not millions, of broadband lines interrupted in Alpine: Centurylink. Broadband lines used by many customers in the San Diego area were down when a fiber optic cable was cut early April 24, officials said. Someone cut the connection between midnight and 1 a.m. in the rural community of Alpine, east of San Diego. Seventy-five feet of fiber optic cable was taken along with 6 feet of 600-strand copper cable, according to the San Diego County Sheriff’s Department. An estimated 10 million broadband lines were down, according to deputies. A crew was working April 24 to repair the bundle of copper lines that were compromised. Deputies said the Alpine Sheriff’s Station and the Pine Valley Sheriff’s Station were affected by the interruption of the broadband lines; however, the incident did not interrupt 9-1-1 service. Just after midnight, a representative for Century Link Fibertron received notification the lines were down, officials said. The fiber optic cable involved is considered the backbone of the company’s nationwide network, deputies said. A Centurylink spokeswoman said a man crawled into a manhole and cut into the network to try to steal the copper cable. She said thousands, not millions, of customers were affected by the outage, and she expected the network to be restored by 1 p.m. Pacific Time. Three cables were involved in the incident, according to an AT&T spokeswoman. One cable was Centurylink’s, she said. While some AT&T cell sites were affected by the attempted theft, crews were working to gauge how many customers were without service, she said. Source:

53. April 23, Government Security News – (National) FCC adds VoIP and broadband providers to its disaster reporting system. The U.S. Federal Communications Commission (FCC), which has already established a Disaster Information Reporting System (DIRS) to gather contact information from wireless, wireline, broadcast, cable, and satellite communications providers that might be useful during an emergency, has decided to expand the coverage of the DIRS to include Voice over Internet Protocol (VoIP), Internet Protocol, and broadband Internet Service Providers. The FCC decided to take this step because so many consumers, businesses, and government agencies have come to rely on broadband and VoIP services for their everyday and emergency communications, according to a Federal Register notice posted by the FCC April 23. Source:

For another story, see item 46 above in the Information Technology Sector