Friday, July 6, 2012 

Daily Report

Top Stories

 • Six days after violent storms hit the United States, more than 500,000 homes and businesses remained without power from Ohio to Virginia as a heat wave baked much of the nation July 5. – Reuters 

1. July 5, Reuters – (National) 500,000 customers still without power after storms. Six days after violent storms hit the United States, more than 500,000 homes and businesses remained without power from Ohio to Virginia as a heat wave baked much of the nation July 5. Nearly a third of electricity customers in West Virginia, home to 1.9 million people, were without power, making it the hardest hit State. Utilities warned that some people could be without power for the rest of the week in the worst-hit areas. Temperatures in Charleston were expected to reach 95 degrees and top 100 degrees July 6-7. The storms crossed the eastern United States with heavy rain, hail and winds reaching 80 miles per hour June 29, leaving more than 4 million homes and businesses without power, and the record heat that followed has killed at least 23 people. Source:

 • A new version of the Sykipot trojan is targeting unsuspecting computer users, including attacks on attendees of an international aerospace conference, according to researchers. – Threatpost 

13. July 3, Threatpost – (International) New version of Sykipot trojan linked to targeted attacks on aerospace industry. According to researchers at the security firm AlienVault, a new version of the Sykipot trojan is being pushed to unsuspecting users in a wave of online attacks, including targeted attacks on attendees of an international aerospace conference, Threatpost reported July 3. The attacks use exploits for recently disclosed security holes, such as Microsoft's Windows XML Core Services vulnerability first disclosed in June. The new Sykipot variant also uses a collection of recently registered Web domains to issue malicious attacks. Most were registered in the last month and are linked to the same e-mail address, AlienVault disclosed. At least one of the new domains was linked to targeted phishing-email attacks on attendees of the IEEE Aerospace Conference (the International Conference for Aerospace Experts, Academics, Military Personnel, and Industry Leaders), AlienVault said. Source:

 • Lemont, Illinois police suspect someone hacked into the village’s tornado siren system, causing all seven sirens to sound for about 30 minutes, the police chief said. – Chicago Tribune 

50. July 3, Chicago Tribune – (Illinois) Hacker may have targeted Lemont's tornado sirens. Lemont, Illinois police suspect someone hacked into the village’s tornado siren system, causing all seven sirens to sound for about 30 minutes, the police chief said July 3. Three sirens were activated inexplicably in Evanston June 30, including two at fire stations, officials said. “Those sirens can only be triggered by our 911 dispatch center,” said the city’s division chief of life safety services. ”It’s not something that just anyone can do. We’re not certain on the source.” Source:

 • For the second time in weeks, Symantec security researchers uncovered a computer worm that forces network printers at organizations to suddenly print reams of useless data. – IDG News Service See item 58 below in the Information Technology Sector


Banking and Finance Sector 

16. July 5, Softpedia – (International) Fraud alert: ZeuS malware steals banking details via fake login pages. Security experts from Threat Metrix and the United Kingdom’s Action Fraud warned Internet users to be on the lookout for a new variant of the infamous Zeus malware that attempts to steal sensitive data by posing as genuine log-in pages, Softpedia reported July 5. The fraud starts with a normal lo-gin page, but once unsuspecting users enter their credentials, they are presented with a Web page that requests credit card information. In the case of social media sites, the victim is notified that by completing the form he can link his payment card to the account to make the acquisition of Facebook credits easier. This operation allegedly also offers enhanced security and even 20 percent cash back. The trojan is also able to adjust balances so victims are unaware of the fraudulent transactions. Customers of payment processors and companies from the retail industry are also at risk since most Web sites can be easily replicated, and for each situation the fraudsters can come up with apparently legitimate reasons for why the victim must provide credit card details. Source:

17. July 5, IDG News Service – (Maine; National) Federal appeals court raps bank over shoddy online security. Patco Construction Company of Sanford, Maine, may stand a greater chance of recovering some of the $345,000 it lost in fraudulent wire transfers that it blamed on poor online banking practices of its bank after a federal appeals court found the bank's online security measures were not "commercially reasonable," IDG News Service reported July 5. The company sued Ocean Bank, now called People's United Bank, after fraudsters made six wire transfers using the Automated Clearing House (ACH) transfer system, amounting to more than $588,000 in May 2009. About $243,000 was recovered. In its decision, the appeals court cited a critical mistake made by Ocean Bank as ACH fraud had become more prevalent. In June 2008, Ocean Bank decided to initiate "challenge questions" for any transactions for its customers valued at more than $1. Since the answers to the questions were displayed every time Patco made a transfer, this "increased the risk that such answers would be compromised by keyloggers or other malware that would capture that information for unauthorized uses," the ruling said. The court also found Ocean Bank was not monitoring its transactions for fraud, nor notifying customers before a suspicious transaction was allowed to proceed, both capabilities it possessed with its security system. Source:

18. July 3, Costa Mesa Daily Pilot – (California; International) Man convicted of credit card fraud. A Los Angeles man arrested in Costa Mesa, California, in August 2011 was convicted of stealing credit cards from the elderly, and was part of a network including conspirators from the United Kingdom, the Costa Mesa Daily Pilot reported July 3. The man was convicted the week of June 25 of six felonies, including charges of aggravated identity theft, bank fraud, and credit card fraud. Police said the man tried to flee after an employee discovered the card used was stolen and called police, but was caught and taken into custody. Costa Mesa police contacted and worked with federal authorities, who prosecuted an overarching case. Federal authorities said the man took control of about a dozen credit cards in a conspiracy involving British members who would allegedly impersonate cardholders and ask for replacement credit cards to be sent to different southern California drop locations. The Britons told credit card companies they were traveling in Southern California and would be making large purchases, according to the Department of Justice. The convicted man and others picked up the new credit cards, and, using the fake IDs, tried to buy more than $250,000 in luxury items. Source:

19. July 3, Federal Bureau of Investigation – (National; International) Massachusetts man pleads guilty to $6.9 million fraud scheme. A Boxford, Massachusetts man pleaded guilty July 3 to engaging in a fraudulent foreign investment scheme that defrauded at least 20 victims of more than $6.9 million. He pled guilty to one count of conspiracy to commit wire fraud. The man claimed to be the president of a business called Tracten Corporation, and from September 2005 through April 2008, he conspired with others to engage in a fraudulent scheme that required investors to pay a fee that would be used to secure large letters of credit through European financial institutions. Investors were told the initial payment was a commitment fee necessary to secure a multi-million-dollar letter of credit, and that they would receive a percentage monthly return on the total amount. He admitted that in 2005, he and another co-conspirator made multiple trips to Rome, Italy, to meet with bank officials to pitch the letter of credit program. Despite the bank’s refusal to participate, the conspirators secured an Internet domain name to set up an e-mail account that would appear to come from a bank representative and created fraudulent bank letterhead that also appeared to come from the bank. Source:

For another story, see item 51 below in the Information Technology Sector

Information Technology Sector

51. July 5, Help Net Security – (International) Phonebook-slurping, spam-sending app found in App Store. A malicious application that steals mobile users' phonebooks and uploads them to a remote server was spotted on Google Play and Apple's App Store. Kaspersky Lab researchers first though they were detecting an SMS worm, but after analyzing the "Find and Call" app, they discovered it was a trojan. It asks for permission to access user contacts. Once the phonebook is exfiltrated to the server, SMS spam messages containing a link to a page where the free app can be downloaded are sent to all the contacts, inviting them to use it to reach the sender. "It is worth mentioning that the ‘from’ field contains the user’s cell phone number. In other words, people will receive an SMS spam message from a trusted source," said the researchers. "Malware in the Google Play is nothing new but it’s the first case that we’ve seen malware in the Apple App Store," they noted. The Web site of this app allows users to supposedly access their social network accounts, mail accounts, and even their PayPal account. However, by adding money to the PayPal account, they are actually transferring it to a company based in Singapore, Malaysia. Both Google and Apple were notified and removed the app from their markets. Source:

 52. July 5, Inquirer – (International) Sophos discovers an Android spam botnet. Security firm Sophos discovered Android malware that generates money for cyber criminals by running as a spam botnet. The malware, which is thought to come from downloading pirated programs from unofficial app stores, takes advantage of compromised devices by sending adverts for fake pills such as discounted Viagra and diet tablets, worthless penny stocks, and dubious electronic greeting cards. "The messages appear to originate from compromised Google Android smartphones or tablets," a senior security adviser at Sophos Canada said July 5. Source:

53. July 5, H Security – (International) TYPO3 updates close File Uploader vulnerability. The TYPO3 development team released updates for all currently supported versions of its open source content management system, fixing a number of bugs and closing a security hole in one of the TYPO3 Core components. According to the developers, the JavaScript and Flash Upload Library (swfupload) used in previous versions of TYPO3 did not properly sanitize the "movieName" parameter before calling "" This vulnerability could have been exploited by an attacker to execute arbitrary code in a browser session and conduct cross-site scripting (XSS) attacks. Versions 4.5.0 to 4.5.16, 4.6.0 to 4.6.9, 4.7.0, and 4.7.1, as well as the 6.0 branch development releases are affected; upgrading to TYPO3 4.5.17, 4.6.10, or 4.7.2 resolves the problem. Source:

54. July 5, Computerworld – (International) Microsoft to patch under-attack XML bug next week. July 5, Microsoft confirmed it will patch a vulnerability in Windows the week of July 9 that has been exploited by an increasing number of attacks. Initially, experts wondered whether Microsoft would patch the XML Core Services vulnerability in Windows that it first acknowledged June 12, but failed to fix even as attacks leveraging the flaw steadily ramped up. Source:

55. July 4, H Security – (International) Ransomware threatens to frame user and inform police. As well as encrypting files on a victim's computer, a new strain of ransomware discovered by security specialist Sophos threatens to contact the police about certain types of files if the system's owner doesn't pay a ransom of $3,727. When trying to access data that has supposedly been encrypted, users are presented with a message that instructs them to send a unique ID number to an e-mail address — in this case a Gmail or Live address — to obtain a password to unlock their files once they pay the ransom. However, according to a Sophos researcher, the Troj/Ransom-HC trojan also tells users that if they do not pay the ransom within 96 hours, the criminals will send a report to the police with a "special password" that will unlock files, said to contain spamming software and child pornography. The goal is to scare users into paying them quickly. Source:

56. July 4, H Security – (International) DNSChanger victims to lose internet on Monday. July 9, the FBI will turn off the DNS server that currently intercepts queries from DNSChanger victims. This means users infected with the malware will be almost completely unable to access the Internet normally. Therefore, users are advised to check whether their computers or routers use one of the FBI-listed IP addresses for DNS queries by visiting Users can also check their configuration manually by looking for an IP within several address ranges. If an address from one of the ranges is already set as the DNS server on the computer or router, it is infected with DNSChanger. Users can find out where to locate this DNS server information for their particular case using a wizard set up by the eco association. Future DNS queries can be made using servers such as Google's at Source:

57. July 4, Pittsburgh Tribune-Review – (International) Lithuanian admits ID theft plot. July 3, a Lithuanian national admitted in federal court in Pittsburgh to selling data to an undercover FBI agent that could have compromised the personal information of 10,000 people. The man, of Brick, New Jersey, pleaded guilty to selling 39 log-in names and passwords for $2,000 to the agent in 2008. An assistant U.S. attorney said the man hacked a data-hosting center, a firm that provides individuals and other companies computer space for Web sites, databases, and other information. The company confirmed 32 of the names and passwords would have given someone back-door access to the company’s computers and customer data. With that access, someone could have intercepted financial information from online transactions and installed viruses that would have infected other computers, the U.S. attorney said. The Lithuanian, using the identity “Dr. Smurf,” offered the log-in credentials for sale through a site called ”Dark Market,” the U.S. attorney said. The FBI took over the criminal exchange in 2006 and operated it for 2 years to gather information on people buying and selling identity information, he said. The FBI said the Dark Market investigation led to the arrest of 56 people and prevented an estimated $70 million worth of thefts. Source:

58. July 3, IDG News Service – (International) Security researchers link second malware program to rogue printing incidents. A computer worm that propagates by exploiting a 2010 Windows vulnerability is responsible for some of the recent incidents involving network printers suddenly printing useless data, according to security researchers from Symantec. Many companies reported unauthorized printing incidents in recent weeks, prompting antivirus firms to investigate the possible causes. June 21, Symantec reported the rogue printouts were the result of computers being infected with a trojan program called Trojan.Milicenso. However, they have determined the propagation routine of a separate piece of malware, a worm called W32.Printlove, can cause similar problems, a Symantec researcher said July 2. W32.Printlove infects other computers on the local network by exploiting a remote code execution vulnerability in the Microsoft Windows Print Spooler service patched in September 2010. Identified as CVE-2010-2729, this vulnerability was also exploited by the Stuxnet industrial sabotage worm to spread. The rogue printing behavior can occur when W32.Printlove unsuccessfully attempts to infect a Windows XP computer connected to a shared network printer. Source:

59. July 3, Softpedia – (International) All Carberp cybercriminals arrested, but infection rates still high. Experts from ESET and Russian firm Group-IB have been closely monitoring the activities of Carberp botnets and their masters. They stated all the cybercriminals involved in these operations were arrested. The number of infected devices declined immediately after each series of arrests. Currently, however, the number of impacted computers is still high. "All the Carberp botnet organizers have been arrested, but our statistics aren't showing a big drop in detections. The Russian region leads as before for Carberp detections and after the arrests it showed a brief dip," said ESET's Security Intelligence team lead. Source:
For more stories, see items 13 above in Top Stories and, 16 and 17 above in the Banking and Finance Sector

Communications Sector 

61. July 3, Washington, D.C. Hill – (National) FCC examining storm damage to area phone networks after 911 calls failed. The Federal Communications Commission (FCC) was looking into the damage that the massive storm that swept from the Midwest into the Northeast June 29 caused to wireless and landline phone networks in the mid-Atlantic, the Washington, D.C. Hill reported July 3. As of early July 2, 16 percent of cell towers in West Virginia were still disabled. Nearly 11 percent of Maryland's towers were down, as well as 9 percent in Virginia, and 3 percent in Washington, D.C., according to the FCC. Widespread power outages also caused problems for many 9-1-1 call centers in the region. Source:

For more stories, see items 51 and 52 above in the Information Technology Sector