Department of Homeland Security Daily Open Source Infrastructure Report

Friday, February 19, 2010

Complete DHS Daily Report for February 19, 2010


Top Stories

• MSNBC reports that a man upset with the Internal Revenue Service set fire to his home, got into his small plane, and crashed it Thursday into a multistory office building in Austin, Texas, that houses federal tax employees. At least two people were injured and a third person was unaccounted for. (See item 30)

30. February 18, MSNBC – (Texas) Man crashes plane into Texas office building. A man upset with the Internal Revenue Service set fire to his home, got into his small plane and crashed it Thursday into a multistory office building that houses federal tax employees, authorities said. At least two people were injured in the crash and a third person who worked in the building was unaccounted for, fire officials said. The crash caused a fire that sent black smoke billowing from the seven-story Echelon Building. Federal law enforcement officials said they were investigating whether the pilot crashed on purpose in an effort to blow up IRS offices. About 190 IRS employees work in the building, and an IRS spokesman said the agency was trying to account for all of its workers. The pilot, listed in FAA and property records, apparently had a long-running dispute with the IRS. The IRS, CIA and FBI all have offices in the complex where the building that was struck is located, though it was not clear if they are all in the building that was hit. Source:

• The Washington Post reports that more than 75,000 computer systems at nearly 2,500 companies in the United States and around the world have been hacked in what appears to be one of the largest and most sophisticated attacks by cyber criminals discovered to date, according to a northern Virginia security firm. The intrusion, dubbed the Kneber bot, began in late 2008 and was discovered January 26. (See item 40 in the Information Technology Sector below)


Banking and Finance Sector

10. February 18, Florida Times-Union – (National) Compass Bank network hit by electrical outage. An early morning power outage shut down the network for BBVA Compass bank, taking its ATM network, Web site, call center and telephones offline, but a company spokesman said the bank would be back online soon. Compass Bank has 724 branches in seven states, but because Jacksonville, Florida, is furthest east, it was affected most by the outage, which happened at 7 a.m. Eastern time, said the Compass director of external communication. By 9 a.m. the bank’s primary system was back online, but other equipment has taken some time to get back online, he said. As of 10:45, some 90 percent of the bank’s ATMs were back online, the call center was taking calls again and branches in central and eastern states were open. There was never any security threat to the bank’s data during the outage, the director said. Source:

11. February 18, Southeast Missourian – (Missouri) Montgomery Bank warns of phishing scam. Montgomery Bank is warning residents of a phishing scam involving the bank’s name. The scam involves sending an automated telephone message to mobile phones stating there is a problem with the consumer’s debit or credit card and requesting that the consumer respond by calling a telephone number and leaving a message with debit/credit card number, PIN, Social Security number, account number, and other information that can be used to make fraudulent transactions on the consumer’s account. Montgomery Bank is not generating these calls. Source:

12. February 17, – (International) Paymate experiences DDoS attack, no risk to customer data. Online payment service Paymate is down due to a DDoS (distributed denial-of-service) attack. The company’s Vice President of Sales and Marketing told AuctionBytes the site has been down since early February 16, and at no time during the disruption has any user data or information of any kind been at risk. Paymate is an accepted payment method on eBay, and the company said it was working diligently with eBay and its customer service teams to provide updates and ensure proper information was being delivered. In a statement on February 14, Paymate said it was unclear who launched this week’s attack against it and what their motives might have been. According to the statement, “The company expects the DOS issue will be resolved quickly and that it will soon be back to providing its customers the fast, safe, and reliable experience they’ve come to expect from Paymate.” Paymate is keeping users updated through posts on its Twitter account. Source:

13. February 17, Courthouse News Service – (California) Long Beach man admits to $33M Ponzi scam. A Long Beach man pleaded guilty to defrauding more than 50 investors out of $33 million in a real estate Ponzi scheme, the U.S. Attorney’s Office announced on February 17. The 33-year-old pleaded guilty on February 16 to federal wire fraud for promising high returns on real estate investments that turned out to be a Ponzi scam, federal prosecutors said. From late 2003 through August 2006, he had investors pump their savings into his El Segundo-based venture that operated under a variety of names, including J.W. James and Associates and The Cloaking Device, according to prosecutors. Instead of investing the money in real estate, the defendant used it to pay off other investors and cover personal expenses, including paying for his wedding and investing in a recording studio and production company called On the Ball Entertainment, prosecutors said. Source:

14. February 17, KPTV 12 Portland – (Oregon) Suspicious bag deemed safe at Woodburn bank. A state police bomb squad was called to investigate a suspicious bag on February 17 outside a Woodburn bank where a bomb blast killed two officers in 2008. Police used a robot to determine the bag did not hold any dangerous material. A school bus driver spotted the bag on the sidewalk outside the West Coast Bank early on February 17, a police spokesman said. The driver called police and Woodburn officers asked for the Oregon State Police Bomb Squad to investigate. Police temporarily closed the highway in both directions at Oregon Way just east of Interstate 5. Source:

15. February 17, Associated Press – (National) Flashy Va. businessman accused of millions in bank fraud caught in Texas after months missing. A Lamborghini-driving steakhouse owner who disappeared after being accused of cheating banks out of tens of millions of dollars was arrested in Texas and returned to Virginia as federal prosecutors pursue fraud charges. The defendant is accused of fraudulently securing nearly $18 million in loans from one bank by offering up phony life insurance policies as collateral. He was thought to have fled the country in May, but court documents show he was arrested in the Austin, Texas, area on or before February 1 and U.S. Marshals say he has been in custody in Alexandria since last week. The allegations spelled out in a federal court affidavit could be only the beginning against the flashy businessman, who owned several exotic sports cars and collected traffic tickets while driving them. In bankruptcy court, creditors spelled out more than $60 million in claims against him, mostly from banks. Source:,0,2780544.story

16. February 16, Chicago Sun Times – (Illinois) FBI: Same man robbed five banks. The Federal Bureau of Investigation said on February 16 it believes the same man has robbed at least five Chicago-area banks in the past few weeks. The latest robbery happened on the afternoon of February 15 at a Near West Side TCF Bank, located inside a Jewel-Osco store. The man entered the bank, pulled a semi-automatic gun from his waist, and got away with some cash. No one was injured, but the FBI says the man should be considered “armed and dangerous.” The same man is wanted in four other recent robberies, including TCF Bank branches in River Forest on February 14 and in Darien on February 11, according to a release from the FBI. He is also suspected of robbing a U.S. Bank branch in Bolingbrook on January 27 and another U.S. Bank branch in Bolingbrook on January 15, the release said. Source:

Information Technology

40. February 18, Washington Post – (International) More than 75,000 computer systems hacked in one of largest cyber attacks, security firm says. More than 75,000 computer systems at nearly 2,500 companies in the United States and around the world have been hacked in what appears to be one of the largest and most sophisticated attacks by cyber criminals discovered to date, according to a northern Virginia security firm. The attack, which began in late 2008 and was discovered last month, targeted proprietary corporate data, e-mails, credit-card transaction data and login credentials at companies in the health and technology industries in 196 countries, according to Herndon-based NetWitness. This latest attack does not appear to be linked to the Google intrusion, said NetWitness’s chief executive. But it is significant, he said, in its scale and in its apparent demonstration that the criminal groups’ sophistication in cyberattacks is approaching that of nation states such as China and Russia. The attack also highlights the inability of the private sector — including industries that would be expected to employ the most sophisticated cyber defenses — to protect itself. The intrusion, first reported on the Wall Street Journal’s Web site, was detected January 26 by a NetWitness engineer. He discovered the intrusion, dubbed the Kneber bot, being run by a ring based in Eastern Europe operating through at least 20 command and control servers worldwide. The hackers lured unsuspecting employees at targeted firms to download infected software from sites controlled by the hackers, or baited them into opening e-mails containing the infected attachments, the chief executive said. The malicious software, or “bots,” enabled the attackers to commandeer users’ computers, scrape them for log-in credentials and passwords — including to online banking and social networking sites — and then exploit that data to hack into the systems of other users, the chief executive said. The number of penetrated systems grew exponentially, he said. Source:

41. February 18, SC Magazine – (International) Public sector targeted by spam emails that contain Bredolab malware. Targeted email attacks against public sector companies have been prevalent this week with Bredolab malware being used as the payload. The malware operations engineer at Symantec Hosted Services claimed that attacks began on February 16, but what was interesting was the payload rather than the specific attack. The engineer explained that Bredolab is usually spammed out in vast quantities using the Cutwail botnet, and uses many techniques to trick people into running the executable. Once the executable is opened, another file is dropped on to the computer and the local firewall is turned off. Furthermore, other malicious files may also be installed by the controllers of Bredolab, who may also be selling or renting the control of that computer for malicious use by other cyber criminals. As Bredolab is so flexible, it may conceivably be used to perform any task that its controllers wish. What made this attack so significant, said the engineer, were several factors. He said: “Firstly, it is targeted to very specific recipients, and it was not being spammed indiscriminately in large volumes. Secondly, the malicious file in the email is indeed a variant of the Bredolab virus; it has exactly the same characteristics, except that the files it subsequently downloads are not the usual Bredolab fare. They are, in fact, data stealers, and very few anti-virus companies identified the downloaded files at the time of writing.” Source:

42. February 18, Erictric – (International) Mobile Hotmail users taken to incorrect inbox. Smartphone users are complaining about a glitch that is causing them to be logged into a Hotmail inbox that is not their own. The event may coincide with a service outage which occurred on February 16, but the company behind Hotmail, Microsoft, states in a formal statement that it has commenced an investigation: “Microsoft takes customers’ privacy seriously, and immediately upon learning of these reports, we started an investigation. We will take appropriate action once we have completed the investigation.” Not long ago, users on AT&T’s network reported similar issues, but instead of email, the users were logged into the wrong Facebook account. Source:

43. February 17, The Register – (International) Undead botnets blamed for big rise in email malware. Malicious spam volumes increased dramatically in the back half of 2009, reaching three billion messages per day, compared to 600 million messages per day in the first half of 2009. But this is still a tiny fraction of the estimated global spam volume, thought to be about 200 billion messages per day. A new report by net security firm M86 Security points the finger of blame for the torrent of malware, phishing and other scams (collectively defined as malicious spam) and junk mail more generally towards botnet networks of compromised machines. It reckons five botnets were responsible for 78 percent of the malicious spam it fought in the second half of 2009. M86 reports that the major spam botnets such as Rustock, Pushdo (or Cutwail) and Mega-D continue to dominate spam output, supported by second-tier botnets such as Grum and Lethic. Rustock alone pushed out 34 percent of spam in 2H09. Pushdo zombie drones puked out one in five spam messages (20 percent), with Mega-D zombies accounting for 9 percent of the global junk mail nuisance. This survey rates the infamous ZeuS spyware agent as the greatest menace to corporate security, with the Koobface worm, which spreads via messages on social networks, a close second. Source:

44. February 17, Homeland Security Newswire – (National) New group calls for holding vendors liable for buggy software. A loose consortium of security experts from more than thirty organizations called on enterprises to exert more pressure on their software vendors to ensure that they use secure code development practices. The group, led by the SANS Institute and Mitre Corp., is slated to release later draft language for use in procurement contracts between user organizations and software development firms. A writer for Computerworld writes that the document provides user companies with a list of specific terms and conditions that should be included in procurement contracts to ensure that vendors are adhering to a strict set of software development security standards. In sum, the draft contract would leave development firms liable for software defects. Source:

45. February 17, Information Week – (National) Cyberattack drill shows U.S. unprepared. Imagine what would happen if a massive cyberattack hit the U.S., crippling mobile phones and overwhelming both telephone infrastructure and the electricity grid. “Cyber Shockwave,” conceived and executed by the Bipartisan Policy Center along with experts in cybersecurity, simulated such an attack on February 16 — and discovered that the U.S. is ill-prepared to handle a large scale cyberattack. They did not fare especially well, the vice president of communications for the Bipartisan Policy Center said in an interview on February 17. The Bipartisan Policy Center is a nonprofit think tank that reaches across party lines to come up with solutions to policy issues. Cyber Shockwave posed two scenarios. In the first, a March Madness mobile application spread malware from cell phone to cell phone. In the second, the U.S. electricity grid crashed for reasons not immediately known. In the scenario of the power grid collapse, a lack of information about the origin of the event — whether it was the result of a cyberattack or of a technical failure — also hampered officials’ ability to handle the situation. The experience was apparently eye-opening, and officials already may be taking heed. The U.S. Senate Committee on Commerce, Science, and Transportation has scheduled a hearing the week of February 22 to discuss the next steps to protect critical infrastructure from attacks like the one simulated. Source:

46. February 17, DarkReading – (International) The top 10 enterprise botnets. Four little-known botnets were behind half of all botnet infiltrations in enterprises last year — and the No. 1 botnet hitting corporate networks carried the infamous Zeus crimeware. Damballa, which provides anti-botnet services for enterprises, today revealed the Top 10 botnets it found in its customers’ networks in 2009; the so-called ZeusBotnet accounted for nearly 20 percent of all bot infections, while the KoobfaceBotnetB botnet accounted for 15 percent. Koobface overall had a surprisingly large representation. The worm, typically spread via social networks such as Facebook and MySpace, was the main malware carried by two additional botnets, Koobface.D (5 percent) and Koobface.C (4 percent). The malware was used as a foot in the door to hijack corporate users’ accounts and to spread among other systems within the organization, according to the vice president of research for Damballa. Koobface also was the most common type of malware family used by all botnets to infect enterprises, with Zeus a close second, according to Ollmann. Meanwhile, a click-fraud botnet known as ClickFraudBotnet was behind 9 percent of enterprise botnet infections, followed by SpamFraudBotnet with 8 percent, both of which staked out the enterprise machines to do their bidding for financial gain, rather than for stealing anything from the victim organizations. Behind ZeusBotnet, KoobfaceBotnetB, ClickFraudBotnet, and SpamFraudBotnet on the Top 10 list were MonkifBotnetA (8 percent), KoobfaceBotnetD (5 percent), TidservBotnet (5 percent), MonkifBotnetB (4 percent), KoobfaceBotnetC (4 percent), and ConfickerBotnetA (4 percent). Source:

47. February 17, Agence France-Presse – (International) Group claims responsibility for giant Latvian tax hack. An unknown group of hackers said on February 17 they had illegally downloaded millions of Latvian tax documents to show that Riga’s attempts to fight the economic crisis were not working. “The purpose of the group is to unmask those who gutted the country,” an alleged hacker using the alias “Neo,” told producers of the Latvian current affairs talk show Kas Notiek Latvija in an interview on the show’s website. The hacker alleged that over a period of three months, his group used a security loophole to download over 7.5 million documents from the State Revenue Service’s (SRS) web site. He said the documents, including VAT receipts and income tax declarations, showed that reforms launched to deal with Latvia’s severe economic crisis have not been working. Source:

48. February 16, Computerworld – (International) Rogue PDFs account for 80% of all exploits, says researcher. Just hours before Adobe is slated to deliver the latest patches for its popular PDF viewer, a security firm announced that by its counting, malicious Reader documents made up 80% of all exploits at the end of 2009. According to ScanSafe of San Bruno, California, vulnerabilities in Adobe’s Reader and Acrobat applications were the most frequently targeted of any software during 2009, with hackers’ PDF exploits growing throughout the year. In the first quarter of 2009, malicious PDF files made up 56% of all exploits tracked by ScanSafe. That figure climbed above 60% in the second quarter, over 70% in the third and finished at 80% in the fourth quarter. “PDF exploits are usually the first ones attempted by attackers,” said a ScanSafe senior security researcher, referring to the multi-exploit hammering that hackers typically give visitors to malicious Web sites. “Attackers are choosing PDFs for a reason. It’s not random. They’re establishing a preference for Reader exploits.” Source:

Communications Sector

49. February 18, Data Center Knowledge – (Nebraska) Yahoo opens new Nebraska data center. Yahoo has opened its new data center in La Vista, Nebraska. The 180,000 square foot facility near Omaha will hold about 100,000 servers, employ around 50 people and will become the largest Yahoo data center when expansions are completed. Yahoo began the 17-state location process that led them to Nebraska in early 2008. Similar to other Midwest deals that were negotiated earlier with Google in Council Bluffs, Iowa and Microsoft in West Des Moines, Yahoo selected Nebraska for state tax incentives, low energy costs and a quality workforce. The announced $100 million deal included the La Vista data center and a customer care center in Omaha, with a combined 200 jobs created. Source:

For another story, see item 45 above in the Information Technology Sector