Monday, October 29, 2012


Daily Report

Top Stories

 • A Los Angeles-based accountant who admitted to participating in a $100 million mortgage fraud scheme by creating fake documents for straw buyers pleaded guilty October 25 to wire fraud. – Courthouse News Service

 • A New York City Police Department officer who allegedly used law enforcement databases to plan to kidnap, cook, and eat as many as 100 women was arrested following a joint NYPD and FBI investigation. – ABC News

23. October 25, ABC News – (New York) ‘Cannibal’ cop plotted to eat 100 women: Feds. A New York City Police Department (NYPD) officer who allegedly planned to kidnap, cook, and eat as many as 100 women was arrested following a joint NYPD and FBI investigation, ABC News reported October 25. The officer was charged with one count of conspiracy to commit kidnapping, according to a federal criminal complaint, as well as using the National Crime Information Center database to access unauthorized data. The complaint alleged that he exchanged electronic messages with an unnamed co-conspirator “about kidnapping, cooking and eating body parts of [Victim 1].” He allegedly created computer files pertaining to “at least 100 women and containing at least one photograph of each woman.” According to the complaint, he used law enforcement databases to conduct surveillance on potential victims. A U.S. Attorney for the Southern District of New York said the investigation was ongoing. Source: http://abcnews.go.com/Blotter/cannibal-cop-plotted-eat-100-women-feds/story?id=17562584#.UIquLK7TKCx

 • The CoDeSys software tool used to manage equipment in power plants, military environments, and nautical ships contains an undocumented backdoor that could allow malicious hackers to access sensitive systems without authorization. – Ars Technica. See item 31 below in the Information Technology Sector.

 • Kentucky State Police searched for the suspect who called in several bomb threats in Monroe County, forcing evacuations at several businesses, schools, and government offices. – WTVF 5 Nashville

32. October 26, WTVF 5 Nashville – (Kentucky) Businesses evacuated after bomb threats in Tompkinsville. Kentucky State Police searched for the suspect who called in several bomb threats in Monroe County, forcing several evacuations, WTVF 5 Nashville reported October 25. Among the buildings threatened were a school, an office, a store, and restaurants in Tompkinsville. The first call came in October 25 and started a chain reaction that shut down the entire small town. One of the first places to get a threat was Tompkinsville Elementary School. Officials said the students had to be evacuated. Some were sent to a nearby National Guard armory where parents picked them up. All Monroe County schools were shut down as a precaution. The local Walmart, McDonald’s, and Sonic all got the same call — as did the law offices of the Monroe County Attorney. Police went building to building, checking for explosives. None were found, but each location was evacuated as a precaution, forcing people to wait hours until it was deemed safe. Source: http://www.newschannel5.com/story/19913136/businesses-evacuated-after-bomb-threats-in-tompkinsville

Details

Banking and Finance Sector

6. October 25, Courthouse News Service – (California; Washington) Fraud ring guilty of $100 million in fake mortgage applications. A Los Angeles-based accountant who admitted participating in a fraud scheme by creating fake W-2 forms, pay stubs, and other records for straw buyers so that her fellow conspirators could collect more than $14.5 million in kickbacks from fraudulently obtained mortgage loans pleaded guilty October 25 to wire fraud. In entering her guilty plea, she admitted reviewing payment records that showed the kickbacks were collected from the fraudulent purchase of $100 million in properties. A federal grand jury in September handed up superseding indictments charging a Laguna Hills loan processor for submitting false loan applications using falsified documents to mortgage lenders on behalf of straw buyers in the same scheme, a U.S. Attorney said. In addition, the loan processor allegedly maintained what he called a “pipeline” of additional properties to purchase as part of the scheme, each of which included an additional $100,000 or more in potential kickbacks. The accountant and loan processor joined other defendants that include an unlicensed mortgage broker, a Ramona real estate agent, the mortgage broker’s assistant, and a Seattle businessman. As alleged in court records, the defendants carried out their scheme by recruiting “investors” through the Internet and advertisements in the Los Angeles Times. Each was a straw buyer promised $10,000 for their role in the scheme. Source: http://www.sandiego6.com/news/local/Wire-Fraud-Ring-Guilty-of-100-Million--175907611.html

7. October 25, Sunshine State News – (Florida) State Attorney: Seven charged in mortgage fraud. Six individuals from south Florida and one Orlando resident were charged as part of a mortgage fraud scheme that totaled nearly $5 million, according to the Florida Attorney General and Miami-Dade Police Department October 25. According to the release, the scheme operated with straw buyers who used their names and credit to purchase numerous properties. Once the loan had been secured and records reflected a price well over the actual price paid to the seller, a variety of financial exchanges would take place to make the purchase appear legitimate. The laundered money would then go back to the closing agent’s escrow account and be characterized in the records as the cash brought to the closing by the straw buyer. Those arrested face charges including grand theft and organized fraud. Source: http://www.sunshinestatenews.com/blog/state-attorney-seven-charged-mortgage-fraud

8. October 25, Wall Street Journal – (International) Moscow police arrest internet scam suspects. Russian authorities charged nine West African immigrants with allegedly stealing $28.8 million from hundreds of foreign companies through what police described as an elaborate scheme using bogus passports bearing names that appeared very similar to those of major Russian companies like Gazprom, Rosneft, and Murmansk Shipping Company, the Wall Street Journal reported October 25. The alleged scam targeted firms dealing in minerals, oil and gas, and other commodities operating in the United States, the European Union, China and South-East Asia and had been going on for many years, Russia’s interior ministry said in a statement. The alleged fraudsters managed the ruse by using the companies’ Russian names on the bogus IDs, which tricked the companies into thinking they were actually doing business with real firms. Raids on the homes of seven of the suspects uncovered counterfeit documents, bogus notary stamps, falsified company paperwork, and printing equipment capable of producing it all, the police said. Investigators said the proceeds of the scam appeared to have been sent to Africa. Source: http://blogs.wsj.com/emergingeurope/2012/10/25/moscow-police-arrest-internet-scam-suspects/

Information Technology Sector

25. October 26, Softpedia – (International) DoS vulnerability found in wireless chips used by Apple, HTC, Samsung, Ford, others. Researchers from Core Security’s Core Impact team uncovered a remotely exploitable vulnerability in Broadcom BCM4325 and BCM4329 wireless chipsets that could be leveraged by cybercriminals to launch a denial-of-service (DoS) attack. According to advisories published by the U.S. Computer Emergency Readiness Team (US-CERT) and Core Security, the vulnerability is caused by an out-of-bounds read error condition that exists in the chips’ firmware. Apparently, an attacker sending an RSN (802.11i) information element can cause the WiFi NIC to stop responding. The flaw affects Apple, HTC, Samsung, Acer, Motorola, LG, Sony Ericsson, and Asus products, including iPhone 4, iPod 3G, Xoom, Galaxy Tab, Nexus S, and Evo 4G. The Ford Edge car is also affected. The experts notified Broadcom and although there were some communication problems, the company released an official statement to say a patch was developed. Since many of the affected products are out of service, the patch will be provided to customers on a case-by-case basis. Source: http://news.softpedia.com/news/DOS-Vulnerability-Found-in-Wireless-Chips-Used-by-Apple-HTC-Samsung-Ford-Others-302384.shtml

26. October 26, The H – (International) Germany gets the most malicious spam. German email users unseated users from the United States as the recipients of most malicious email messages. According to a report on September’s spam by Kaspersky, Germany hit the top of the chart with 13.87 percent of malicious mail being directed at its users, followed by Spain (7.43 percent), Russia (6.85 percent), India (6.39 percent), Vietnam (5.95 percent), Australia (5.94 percent), China (5.80 percent), and the United States (5.62 percent). The United States led the chart for the previous 8 months. Overall, Kaspersky says 3.4 percent of all emails contained malicious files, a drop of 0.5 percentage points compared to August. Germany saw a six percentage point rise in its detections and Spain saw a four percentage point rise, while United Kingdom’s share dropped two percentage points to 4.67 percent. It was also a month for drastic changes in the top 10 malware detected by Kaspersky. Long-term leader “Trojan-Spy.HTML.Fraud.gen” fell out of the top 10 completely, giving its top spot to “Backdoor.Win32.Androm.kv” (aka Backdoor.Trojan and PWS-Zbot.gen.ana), a backdoor trojan which enables remote access, being found in 6.32 percent of the malicious emails. It was followed by “Email-Worm.Win32.Bagle.gt”, an email address harvester and malicious program downloader, and then the “Email-Worm.Mydoom.m” and “Mydoom.l” email address harvesters. Also in the top 10 were 4 ransomware trojans. Source: http://www.h-online.com/security/news/item/Germany-gets-the-most-malicious-spam-1737717.html

27. October 26, Wired – (International) Man claiming half of Facebook arrested on fraud charges. A man claiming to own half of Facebook was arrested October 25 and charged with a multibillion dollar scheme to defraud the social-networking site and its chief executive and founder. The man, of Wellsville, New York, filed a federal lawsuit in 2010, citing documents and a contract between him and Facebook’s CEO that promised him half the company. Facebook made it clear from the beginning that it believed the contract and emails the man produced as evidence were fakes. Facebook told a federal judge that its forensic examiners proved that a 9-year-old contract the man submitted to the court was “forged.” The analysis also claimed that 27 emails between Facebook’s CEO and the man — some of which mention Facebook — were “fabricated” by the man. Facebook’s CEO has said all along that an authentic “Work for Hire” contract between the two involved another project. The man hired Facebook’s CEO to work on his StreetFax company nearly a decade ago, the CEO claimed. The man, however, alleges the contract also included fronting Facebook’s CEO $2,000 in exchange for half of Facebook when he was a college student. Federal authorities agreed with Facebook’s CEO and its forensic analysis. The man is accused of one count of mail fraud and one count of wire fraud, authorities said. Each count carries a maximum 20-year term. Source: http://www.wired.com/threatlevel/2012/10/facebook-fraud-arrest/

28. October 26, The H – (International) Exim mail servers susceptible to DKIM attacks. There is a critical vulnerability in functions for verifying DomainKeys Identified Mail (DKIM) signatures in the widely used open source mail server Exim. The problem appears to be a buffer overflow on the heap which can be exploited by crafted DNS records to inject code that could compromise the server. According to an announcement on the Exim mailing list (alternative list archive), versions 4.70-4.80 are affected, if DKIM support is included. The developers released version 4.80.1 which specifically fixes this vulnerability. To avoid confusion, the next version will not be named 4.81. As a workaround, DKIM verification can be disabled using the option “warn control = dkim_disable_verify” within an ACL. Both Debian and Ubuntu released packages in which the vulnerability is fixed. Source: http://www.h-online.com/security/news/item/Exim-mail-servers-susceptible-to-DKIM-attacks-1737670.html

29. October 25, Softpedia – (International) Scam alert: US Customs and Border Protection Service Department package delivery. Scammers started sending out emails entitled “US Customs and Border Protection Service Department” to trick recipients into thinking they received a package from overseas. “We write to inform you that your package with reference number 2661428 has been in Customs facility custody waiting for resolutions of the clearance to further the delivery to your delivery address by the delivery Agent who came all the way from Africa,” the scam emails read. “We have been waiting for you to contact us regarding your consignment box which the agent suppose to deliver to you which was on hold by USA Customs Department and they are requesting for clearance certificate....” The scammers are attempting to convince victims to send back their personal details, including name, contact information, and passport or ID card number. Source: http://news.softpedia.com/news/Scam-Alert-US-Customs-and-Border-Protection-Service-Department-Package-Delivery-302159.shtml

30. October 25, ZDNet – (International) Google, Yahoo and Microsoft fix email security flaw. Google, Yahoo, and Microsoft all fixed a vulnerability in their email-signing mechanisms that made it possible for people to spoof messages coming from their systems. The problem was that they were using keys of less than 1,024 bits in length in their implementations of the DomainKeys Identified Mail (DKIM) mechanism. Some consider even 1,024-bit RSA keys as being too easy to crack, but shorter keys are definitely too insecure for serious use currently, as the computational power available in the cloud makes it relatively easy to crack them by brute force. According to a U.S. Computer Emergency Readiness Team (US-CERT) note released October 24, Google, Microsoft, and Yahoo were all using RSA signing keys that were too short, and all three vendors have now fixed the problem after being notified. Source: http://www.zdnet.com/google-yahoo-and-microsoft-fix-email-security-flaw-7000006379/

31. October 25, Ars Technica – (International) Backdoor in computer controls opens critical infrastructure to hackers. Software used to manage equipment in power plants, military environments, and nautical ships contains an undocumented backdoor that could allow malicious hackers to access sensitive systems without authorization. The CoDeSys software tool, which is used in industrial control systems sold by 261 different manufacturers, contains functionality that allows people to remotely issue powerful system commands, a researcher with security firm IOActive told Ars Technica. The CoDeSys tool will grant a command shell to anyone who knows the proper command syntax and inner workings, leaving systems that are connected to the public Internet open to malicious tampering. Of the two specific programmable logic controllers (PLCs) the researcher tested, both allowed him to issue commands that halted the devices’ process control. He estimated there are thousands of other models that also ship with CoDeSys installed, and he said most of them are probably vulnerable to the same types of attacks. He declined to identify the specific models he tested except to say that one ran the Linux operating system on Intel-compatible processors and the other used Microsoft’s Windows CE running on ARM chips. He said a quick search using the Shodan computer location service showed 117 devices directly connected to the Internet, but he suspects more detailed queries could reveal many more. A blog post that contains additional vulnerability details said code that automates the exploit is expected to be added to the Metasploit software framework used by hackers and security professionals. Source: http://arstechnica.com/security/2012/10/backdoor-in-computer-controls-opens-critical-infrastructure-to-hackers/

Communications Sector

Nothing to report.

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport

Contact Information

Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List: Send mail to support@govdelivery.com.


Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure Coordinating Center at nicc@dhs.gov or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.