Department of Homeland Security Daily Open Source Infrastructure Report

Monday, April 26, 2010

Complete DHS Daily Report for April 26, 2010

Daily Report

Top Stories

According to the Associated Press, Carnival Cruise Lines says 60 people were hurt on April 21 when one of its vessels listed during a maneuver to avoid a partially submerged buoy that was adrift near Mexico’s Yucatan Peninsula. The U.S. Coast Guard has been notified about the wayward buoy. (See item 27)

27. April 22, Associated Press – (International) Carnival cruise ship lists, 60 passengers hurt. A cruise ship operator says dozens of people were hurt when one of its vessels listed during a maneuver to avoid a partially submerged buoy that was adrift near Mexico’s Yucatan Peninsula. Carnival Cruise Lines says the ship, Carnival Ecstasy, had to make a sharp turn to avoid the buoy Wednesday afternoon. A Carnival spokeswoman says 60 guests and one crew member suffered minor injuries and that some unsecured objects aboard the ship were damaged. She says no one required treatment at a hospital. Miami-based Carnival said the ship safely docked Thursday at its home port in Galveston, Texas. The U.S. Coast Guard has been notified about the wayward buoy. The ship was carrying about 2,340 passengers and 900 crew members. Source:

According to Reuters, a potentially deadly strain of fungus is spreading among animals and people in the northwestern United States and the Canadian province of British Columbia, researchers reported on April 22 in a study published in the journal PLoS Pathogens. Climate change may be helping it spread, the researchers said. (See item 46)

46. April 22, Reuters – (International) Potentially deadly fungus spreading in US, Canada. A potentially deadly strain of fungus is spreading among animals and people in the northwestern United States and the Canadian province of British Columbia, researchers reported Thursday. The airborne fungus, called Cryptococcus gattii, usually only infects transplant and AIDS patients and people with otherwise compromised immune systems, but the new strain is genetically different, the researchers said in the study, published in the Public Library of Science journal PLoS Pathogens. “This novel fungus is worrisome because it appears to be a threat to otherwise healthy people,” said the Duke University researcher who led the study. The new strain appears to be unusually deadly, with a mortality rate of about 25 percent among the 21 U.S. cases analyzed, they said. The spore-forming fungus can cause symptoms in people and animals two weeks or more after exposure. They include a cough that lasts for weeks, sharp chest pain, shortness of breath, headache, fever, nighttime sweats and weight loss. It has also turned up in cats, dogs, an alpaca and a sheep. Freezing can kill the fungus and climate change may be helping it spread, the researchers said. Source:

Banking and Finance Sector

16. April 23, Insurance and Financial Advisor – (National) Calif. man indicted for attempted cyber-extortion of New York Life. A Chino, California, man was indicted in federal court after he allegedly sent threatening e-mails and used a Web site as a means to damage the reputation of insurer New York Life, costing the firm millions. The 52-year-old suspect is charged with one count of extortion through interstate communications, according to the U.S. Attorney’s Office for the Southern District of New York. If convicted, the suspect could face up to two years in federal prison and a maximum fine of $250,000 or twice the amount of the loss caused by his crime, officials said. Federal authorities claim that in a series of e-mails and through a Web site, the suspect threatened to make false public statements and transmit millions of spam e-mails in an effort to hurt New York Life. In January, he attempted to have his insurance premiums returned after he purchased a variable universal life policy and was dissatisfied with the performance of the product. In February, he sent an e-mail to more than a dozen New York Life employees, executives and one member of the insurer’s board of directors directing them to his Web site and stating “I HIGHLY suggest you visit [the site] and contact me afterwards.” The site featured text spelling out the suspect’s demands and his threats to send 6 million spam e-mails and use his knowledge of social media to “slam” the insurer’s integrity and “drag your company name and reputation through the muddiest waters imaginable.” The suspect further stated that if New York Life did not meet his demands by March 10, the company would have to pay him $3 million. On February 24, he sent an e-mail to several employees at the company informing them the “[c]lock is ticking.” Source:

17. April 23, Washington Post – (National) Debt-settlement firms misled consumers, GAO report says. A government investigation into the burgeoning debt-settlement industry has found that many firms misled consumers by claiming to be affiliated with federal stimulus programs, and exaggerating their ability to reduce consumers’ loans. Presented on April 22 at a Senate Commerce Committee hearing, the Government Accountability Office report included audio recordings of salesmen describing their companies as “government approved” and linking settlements to the federal bailout of troubled banks. Another sales recording stated that all customers eliminated their debt in three years, while others encouraged customers to stop paying their creditors — a practice that violates the industry’s own standards. “It is appalling beyond words,” the senator who heads the committee said at the hearing. “These debt-settlement companies are kicking people when they are down.” The number of debt-settlement companies has ballooned to more than 1,000 during the past five years, after changes to the federal bankruptcy law made it more difficult for consumers to qualify for bankruptcy and as the recession ravaged household budgets. The companies promise to negotiate with a customer’s creditors to reduce the principal, rather than just interest and fees, as many credit-counseling firms do. But consumer advocacy groups have attacked the industry for charging hefty, up-front fees before calls to creditors are made. In addition, the consumer advocates have accused debt-settlement firms of misleading consumers in sales pitches and instructing them not to pay bills. Source:

18. April 23, Roanoke Times – (Virginia) Blacksburg’s National Bank hit by phishing scam. The National Bank of Blacksburg, Virginia, has been the target of several phishing attacks that attempt to obtain confidential customer information, bank officials said April 22. Fraudulent e-mails, phone calls and text messages using the bank’s name, logo and Web site are being sent to some southwest Virginia residents. Phishing is a scam used to gain an individual’s personal information through the use of fraudulent messages that appear to come from legitimate businesses. The bank’s legal counsel said the bank’s computer system has not been compromised. “We did not provide this information to anyone.” She said bank officials started receiving reports about the fraudulent messages about a week ago. The messages asked for confidential information, such as credit-card and bank-account numbers and passwords. People who are not bank customers have also been affected. There are no estimates available now on how many people have received the fake messages, officials said. Source:

19. April 22, WTNH 8 New Haven – (Connecticut; New York) Police make arrest in skimming scheme. Three upstate New York women were caught while allegedly trying to steal money in a high-tech ATM scam in Darien, Connecticut. Over the last several weeks, a Greenwich (Connecticut) Police Department task force has been investigating the scam, in which thieves steal customers’ ATM card numbers and PINs in an attempt to withdraw money. A break in the case came at the People’s Bank branch at the Goodwives Shopping Center in Darien. Around 8:30 a.m. April 22, police arrested three women attempting to use an ATM to make fraudulent transactions. When asked how the suspects were caught, police said their investigation led them to a specific site. “There have been several incidents that have been reported to the towns of Stamford, Darien and Greenwich over the past couple of weeks,” said a Greenwich Police lieutenant. “Officers from the task force have been conducting an investigation and this morning, it led them to Darien.” The suspects are accused of ‘skimming.’ The scam involved the placement of an electronic device on or near an ATM that captures personal banking information. Each of the suspects is being held in Greenwich on a $250,000 bond. Investigators said that there may be future arrests in the case. Source:

20. April 22, Cross Timbers Gazette – (Texas) Bank phishing scam strikes again. Once again, a phishing scam is targeting Texas consumers in an effort to obtain their 16-digit debit card numbers and make unauthorized ATM withdrawals. “Consumers from all local banks are being contacted,” said the president of POINTBank. “It doesn’t matter who you bank with, you should be on high alert. Contrary to some reports, these scammers do not distinguish between banks, they simply pick an area code and start dialing every number, they then move to another area code.” According to the president of POINTBank, an automated voice delivers a myriad of messages which all end in asking the customer to “press 1” to speak to someone regarding the issue or offer. When the customer presses 1, he is asked for his 16-digit card number and the PIN associated with the account. The scammer then uses that information to make unauthorized ATM withdrawals. The POINTBank president wants consumers to know that, “banks keep customer information confidential at all times and do not ask customers for debit card numbers and personal identification numbers over the phone. We ask that similarly, our customers never give their information out over the phone, and if in doubt, contact their personal banker to further inquire about the issue.” Source:

21. April 22, DarkReading – (National) Pair of fines levied on breached companies show real costs of database hacks. Two different companies in the past two weeks were fined by regulatory agencies for separate database breaches, totaling well over $1 million. The first incident was an insider breach initiated by a former database administrator (DBA) at Certegy, a wholly owned subsidiary of Jacksonville, Florida-based Fidelity National Information Services (FIS), which cost the company $975,000 in fines to the Florida Attorney General. The second event was an external attack precipitated by a SQL injection exploit against a customer database owned by brokerage firm Davidson & Co., for which the Financial Industry Regulatory Authority (FINRA) fined the firm $375,000. “In one case it was hackers, and in another case it was an internal employee — a DBA — but in both incidents, the issue was that they didn’t have any real-time monitoring in place. That’s how these two stories are related,” said the vice president of security strategy of Guardium, an IBM company. “What a SQL injection attack [does] is give the attacker privileged user credentials. So if you’re monitoring your privileged users like your DBAs, you’re also getting the bonus of monitoring for external threats at the same time.” The more extreme case among the two fined companies was Certegy’s breach, which showed how database breach costs can really rack up for a company. In this incident, a malicious insider at the company exposed about 5.9 million customer records. The $850,000 fine levied by Florida to pay its investigative costs and attorney fees, and the additional $125,000 demanded to help fund a state-wide crime-prevention program, are just the tip of the breach cost iceberg for Certegy. Source:

22. April 22, Deseret News – (California; Utah) Five charged in $59-million investment scheme. Criminal charges have been filed against five Utah men accused of bilking investors — believed to be primarily from Utah County — out of as much as $59 million. The suspects, with residences in Utah and California, are facing charges ranging from securities fraud, pattern of unlawful activity and acting as an unregistered securities agent to money laundering, all second- and third-degree felonies. Starting in October 2009, a Fourth District Court judge ordered that assets belonging to two of the suspects be frozen, an order which the deputy Utah County attorney said has never been issued before in Utah County. According to an affidavit filed by investigators on September 30, 2009, one of the suspects set up Evolution Development in June 2007 to solicit funds for the investment arm of Money & More, a payday lending company with several branches in southern California. A second suspect is the founder and president of Money & More. Investigators believe three of the suspects offered 10-percent monthly returns to middlemen such as a fourth suspect, who allegedly recruited more “downline” investors. They ultimately gathered an estimated $59 million from their alleged victims. All payouts stopped in November 2008, leading to lawsuits and the investigation. Source:

Information Technology

56. April 23, The Register – (International) Koobface server pops up in China after HK takedown. Security experts in Hong Kong recently succeeded in taking down a key component of the Koobface botnet, only to witness the system popping up in China. The Koobface FTP grabber component uploaded stolen FTP user names and passwords to the remote server, which was under the control of cybercrooks. These stolen log-in credentials gave a pass into corporate networks and valuable data before the server was taken down last week, largely thanks to the efforts of the Hong Kong Computer Emergency Response Team Coordination Centre. In response, the Koobface gang moved their server to a hosting firm in China. Last month, the command and control servers associated with Koobface underwent a complete refresh. Koobface spreads via messages on social networking sites like Facebook and Twitter. Cybercrooks behind the sophisticated malware make their money by distributing scareware packages onto compromised machines, and by other cyberscams, including information harvesting. The worm gets less press than the malware associated with the Google China attacks or the high-profile Conficker worm, though experts consider it both more sophisticated and a bigger security threat. Source:

57. April 23, Help Net Security – (International) Fake fast food survey with cash reward leads to phishing site. Scammers often use the familiarity of a brand as a means of lessening the victims’ tendency to be cautious when perusing unsolicited e-mails. In this latest e-mail scam, this method is coupled with the offer of $80 to whoever takes a short survey. The e-mail supposedly comes from a globally well-known fast food chain, and claims that the company is planning major changes to the establishments in order to improve the quality of service. In order to do so, they are asking the customers to fill out a survey and they offer the cash as an incentive. Symantec reports that to access the survey, the victims are encouraged to follow the link in the e-mail, which will then take them to a bogus page ostensibly belonging to the company. After the survey is completed, the victims are redirected to a fake user-authentication page where they are asked to enter their name, e-mail address, credit card number, expiration date, verification number and personal identification number, in order to get the money. But the survey is fake, and the page is a phishing page. Source:

58. April 22, IDG News Service – (International) 1.5 million stolen Facebook IDs up for sale. A hacker named Kirllos has a rare deal for anyone who wants to spam, steal or scam on Facebook: an unprecedented number of user accounts offered at rock-bottom prices. Researchers at VeriSign’s iDefense group recently spotted Kirllos selling Facebook user names and passwords in an underground hacker forum, but what really caught their attention was the volume of credentials he had for sale: 1.5 million accounts. iDefense does not know if Kirllos’ accounts are legitimate, and Facebook did not respond to messages April 22 seeking comment. If the accounts are legitimate, the hacker has data on about one in every 300 Facebook users. His asking price varies from $25 to $45 per 1,000 accounts, depending on the number of contacts each user has. To date, Kirllos seems to have sold close to 700,000 accounts, according to the VeriSign director of cyber intelligence. Hackers have been selling stolen social-networking credentials for a while — VeriSign has seen a brisk trade in names and passwords for Russia’s VKontakte, for example. But now the trend is to go after global targets such as Facebook, the director said. Source:

59. April 22, DarkReading – (International) Crippling McAfee virus update could have long-term fallout. As organizations worldwide scramble to restore their Windows XP SP3 machines from crashes or repeated reboots due to a faulty virus definition update issued by McAfee Thursday, some security experts worry that additional machines could be affected weeks or months from now. McAfee has apologized publicly for pushing the defective 5958 virus definition file, which caused some Windows XP Service Pack 3 systems to crash or continuously reboot; the company said less than 1 percent of its enterprise customers were affected. The faulty update, which passed McAfee’s quality assurance testing process, generated a “false positive,” the company said, incorrectly detecting and quarantining XP SP3’s svchost.exe as a virus. According to a FAQ issued to McAfee corporate customers today, the company did not include XP SP3 with VSE 8.7 in its testing, resulting in “inadequate coverage of Product and Operating System combinations in the test systems used.” The faulty AV update was removed from McAfee’s download servers, and a new version has been released. But there are still plenty of unanswered questions about the error — what exactly went wrong in McAfee’s quality assurance testing process, why McAfee was not testing sufficiently for the pervasive XP SP3 configuration, and what happens to XP SP3 machines that have not yet been affected by the bad update, but could be later. “It could have been anything from sabotage to just carelessness,” said a security expert. “What scares me a little is haven’t they tried this in a test environment before launching? And if they did, they have a serious problem on how they test their products.” Organizations that do not apply the replacement DAT file McAfee issued could end up suffering crashes and repeated reboots. “Those customers should exclude svchost.exe from being scanned until they can apply the appropriate McAfee DAT file, which is now available,” said the CTO at BigFix, a former director of engineering at McAfee who helped develop the AV company’s DAT testing process. Source:

60. April 22, – (International) Cyber criminals quick to pounce on McAfee crash story. Security experts are warning users searching for information on the breaking McAfee systems-crash story to beware of malicious links in search results that could lead to scareware. Security giant McAfee caused widespread concern among users after it revealed that a problem with its anti-virus product caused some Windows XP systems to crash. However, cyber criminals have been first to react to the incident, by using blackhat search engine optimization techniques to ensure that their malicious Web pages are returned first in a search for information on the incident. Many of these will infect the user with malicious software designed to trick them into thinking they are infected and then paying a fee for ‘anti-virus software’ to alleviate the problem. “These poisoned pages are appearing on the very first page of search engine results, making it likely that many will click on them,” said the senior technology consultant at Sophos. A senior security advisor at Trend Micro said that he is not surprised that the news had been hijacked by cyber criminals. Source:

Communications Sector

61. April 23, WSAZ 3 Huntington/Charleston – (West Virginia) Attempted copper theft at Verizon building, three arrested. Three Kanawha County, West Virginia, men have been charged with breaking and entering, after allegedly breaking into a Verizon building to steal copper. The Kanawha County Sheriff’s Department arrested the three men Friday just outside of Charleston. A sheriff spokesperson said the three men admitted to planning to steal copper from the Verizon phone site. All three also said they knew that they did not have permission to be there and they knew that stealing copper was wrong. Source:

62. April 22, Government Computer News – (National) FCC seeks information on survivability and security of nation’s broadband nets. The Federal Communications Commission (FCC) is taking the first steps toward a proposed voluntary security-certification program for service providers and a study of the survivability of the nation’s broadband infrastructure, both of which were recommended in the National Broadband Plan. The commission April 22 approved notices of inquiry seeking comment on each of these programs. “As network attacks and the level of risks increase, it is beyond important that we fully understand the implications of this evolution in communications and that we take all necessary and appropriate steps to ensure the survivability of our voice and broadband communications networks,” the FCC chairman said in announcing the inquiries. The FCC has not proposed any rules on broadband security and the inquiries do not involve proposals for mandatory programs. The goal is to encourage better security practices and provide consumers with more information about the security status of service providers. Source: