Department of Homeland Security Daily Open Source Infrastructure Report

Monday, May 17, 2010

Complete DHS Daily Report for May 17, 2010

Daily Report

Top Stories

 According to DarkReading, a targeted malware attack aimed at human resources departments and hiring managers in the United States and Europe sent 250,000 e-mails during a four-hour period May 12. Researchers at Websense Security Labs discovered the attack, which included the subject line “New resume.” (See item 52 below in the Information Technology Sector)

 The Peoria Journal Star reports that heavy rains in Fulton County, Illinois caused one levee to break May 13, and London Mills residents were being cautioned about the rising Spoon River. (See item 64)

64. May 13, Peoria Journal Star – (Illinois) Heavy rain swells Spoon River. Heavy rains in Fulton County, Illinois, caused one levee to break May 13, and London Mills residents are being cautioned about the rising Spoon River. The levee breach north of Illinois Route 9 was repaired later in the day, according to the Fulton County Emergency Service Disaster Agency director, but the Spoon River was steadily rising. A flood warning for the Spoon River was issued Thursday by the National Weather Service (NWS). According to NWS, flood stage for the Spoon River at London Mills is 15 feet. At 7:45 p.m., the river was at 18.59 feet and was expected to crest at 22.9 feet at about 8 p.m. Friday. Three rural roads had been closed for a distance of a mile or so and will remain closed until at least Friday morning. Source:


Banking and Finance Sector

13. May 14, Indo-Asian News Service – (International) Explosions rock Bangkok’s financial district. Six explosions rocked the Bangkok, Thailand financial district May 14, as troops and protesters clashed to control the heart of the capital. Unknown assailants fired M79 grenades at soldiers stationed at the Saladaeng skytrain station on Silom Road, the main financial district and a popular entertainment area, Thai media reports said. Residents in the neighborhood said they heard six explosions. Two people were wounded, according to The Nation newspaper’s Web site. The grenade attacks coincided with a military offensive against anti-government protesters who have blockaded themselves in an area around Ratchaprasong Road, a posh commercial district, just north of Silom. At least one demonstrator was killed May 14, and eight protesters and two journalists were hurt in the latest unrest, which took place after the Thai government launched an offensive the night before to drive thousands of followers of the United Front for Democracy Against Dictatorship (UDD) from Ratchaprasong. Source:

14. May 14, Associated Press – (International) Underground broker network a bane in terror probes. Long before there was MoneyGram and Western Union, people in South Asian countries often used an informal network of brokers, called a “hawala,” to transfer money over long distances when it was too inconvenient or dangerous to send cash by courier. Today, the centuries-old system still exists and is used to move billions of dollars annually in and out of countries like Pakistan, Afghanistan, and Somalia — often to the chagrin of U.S. law enforcement. A federal law enforcement official told The Associated Press that a terror suspect is believed to have tapped into such a network to help fund a plot to detonate a car bomb in Times Square May 1. The official spoke on condition of anonymity because the investigation is ongoing. Authorities said three Pakistani men — two in the Boston area and one in Maine — supplied funds to the suspect but may not have known how the money would be spent. The three have been arrested on immigration violations. While most money transfers made through these hawaladars, or brokers, are benign, the system is also routinely used by drug smugglers, terrorists, and other criminals who want to move money without leaving a paper trail. Source:

15. May 14, Hartford Courant – (National) Feds close in on network of high-tech ATM thieves. A federal task force continued to close in May 13 on a high-tech network of Romanian thieves who are using electronic spyware to loot the accounts of ATM customers at banks in Connecticut and elsewhere in the Northeast. Federal prosecutors disclosed that they have indicted four more Romanian nationals in the scheme, which has resulted in hundreds of thousands of dollars in losses. The task force of federal, state and local police agencies charged another two suspects one year ago, and it is continuing to hunt for other suspects. All those charged so far in the scheme are accused of installing what are known as skimming devices on ATM machines and on card-activated door locks that banks use to control access to the machines. In addition, the suspects in the scheme are accused of installing pinhole cameras on ATM machines. Banks, which credit customer accounts for fraudulent withdrawals, are the ultimate victims of the scheme, according to federal prosecutors. A U.S. Attorney said May 13 that the four Romanian nationals named in the indictment emptied accounts in Connecticut, New York and Pennsylvania. The four are being held without bail, authorities said. Source:,0,757871.story

16. May 14, MetroWest Daily News – (Massachusetts) Suspicious package in Natick is cooler. A suspicious package found in a parking garage beneath a Summer Street building in Natick, Massachusetts, May 13 turned out to be a cooler containing two ice packs, police said. The Middlesex Savings Bank’s Operations Center at 37 Summer Street was evacuated after an employee discovered the package in an underground parking lot at 8:37 a.m., a police spokesman said. Police also blocked off portions of Summer Street as a precaution. The police and fire departments went to the building. The spokesman said he and another police lieutenant went into the parking garage and found the package, a Styrofoam cooler with the top taped down. Because there had been no threats and no reports of disgruntled employees, the two officers decided to open the lid and discovered two spent ice packs. Source:

17. May 13, DarkReading – (International) Authorities arrest first suspect in massive identity-theft ring. Indian police said May 12 that they have detained a Ukrainian man charged in the U.S. with stealing some 40 million credit and debit card numbers. The suspect was detained after he landed in New Delhi on a domestic flight from the southwestern holiday state of Goa May 10, a police spokesman said. He is one of 11 people wanted by the U.S. Justice Department in “the largest hacking and identity theft case ever prosecuted,” which was filed in August 2008. Besides the suspect, three Americans, two Ukrainians, two Chinese, one Estonian, a Belarusian and an unidentified suspect are on the wanted list, the Justice Department said. The group is accused of obtaining credit and debit card numbers by hacking into the computer networks of major U.S. retailers — including Barnes & Noble, OfficeMax, shoe retailer DSW, and Sports Authority. Once inside the network, “sniffer programs” captured credit card numbers, passwords, and account information, police said. The data was stored in encrypted servers controlled from Eastern Europe and the United States. Source:

18. May 13, St. Paul Pioneer Press – (National) Banks may be tapped for Ponzi victims. With $3.5 billion in losses, Petters Co. Inc., a Minnetonka-based Ponzi scheme, was one of the largest the U.S. has seen. But it was not unique. Dozens of other smaller schemes have deflated in recent years, and some attorneys are looking at new ways to get money for victims. Their target: the banks that handled the big inflows and outflows of cash. A former federal prosecutor and attorney with the U.S. Securities and Exchange Commission has four civil cases pending against banks where Ponzi schemers had their accounts. He argues the banks aided the scams that bilked people out of millions of dollars. They knew — or should have known — what was really going on. The former federal prosecutor is seeking judgments against Bank of America in three of the cases and JP Morgan Chase in the fourth. Those cases are still moving through the courts and have not been resolved. Source:

Information Technology

48. May 14, – (International) Twitter phishing scam uses iPhone 4G bait. Security experts are warning of a Twitter phishing scam designed to harvest personal data with the offer of a new iPhone 4G as a lure. A Sophos senior technology consultant wrote in a blog post that the scam employs a “gaggle of profiles, using avatars of sexy young women, pumping out messages to users” saying they could win the device. “A quick look at one of the Twitter accounts spamming out the messages underlines that she is by no means a regular user, but set up specifically to advertise a data-collecting form on behalf of the shady guys behind this scheme,” he said. “Clicking on any of these links takes you to a Web page (currently offering an iPod Shuffle as a prize, rather than an iPhone 4G - that’s a letdown, isn’t it?) that asks you to fill in a form with your personal data.” The form asks users to fill in information such as date of birth, marital status, telephone number and address. Source:

49. May 13, The Register – (International) Twitter-controlled botnets come to the unwashed masses. A security researcher has unearthed a tool that simplifies the process of building bot armies that take their marching orders from specially created Twitter accounts. TwitterNet Builder offers script kiddies a point-type-and-click interface that forces infected PCs to take commands from a Twitter account under the control of attackers. Bot herders can then force the zombies to carry out denial-of-service attacks or silently download and install software with the ease of their Twitter-connected smartphones. “All in all, a very slick tool and no doubt script kiddies everywhere are salivating over the prospect of hitting a website with a DDoS from their mobile phones,” a researcher with anti-virus provider Sunbelt Software wrote. TwitterNet Builder requires accounts to be public, so spotting people who use the software is fairly straightforward. A quick search revealed accounts that appeared to be using the DIY kit, although it appeared these might be harmless demonstrations rather than brazen attacks. Regardless, it would be fairly straightforward to modify the tool so it uses private accounts, or, stealthier still, base64-encodes its commands so they appear indecipherable to the naked eye, as previous Twitter-based bot herders have done. Source:

50. May 13, IDG News Service – (International) Facebook IDs hacker who tried to sell 1.5M accounts. Facebook has identified the hacker named Kirllos who tried to sell 1.5 million Facebook accounts recently in underground hacking forums. According to investigators at the social networking site, the hacker is guilty of both hacking and hyperbole. Kirllos was first spotted by researchers at VeriSign’s iDefense group a few weeks after he claimed to have an unusually large number of Facebook accounts for sale at rock-bottom prices. According to VeriSign, Kirllos wanted between $25 and $45 per 1,000 accounts, depending on the quality of the Facebook user’s connections. Kirllos appeared to have sold close to 700,000 accounts, although nobody knew for sure if his claims were legitimate, according to VeriSign’s Director of Cyber Intelligence. Now Facebook said its forensics team, working with other industry contacts, has figured out who Kirllos is. A Facebook spokesman would not name Kirllos, but he said that the hacker is based out of Russia. And while Kirllos does appear to have hacked accounts — probably through a phishing attack or by placing malicious code on victims’ computers — he probably obtained only a few thousand credentials, the spokesman said. Source:

51. May 13, eWeek – (International) Facebook makes security changes as privacy controversy swirls. Amid a controversy about privacy, Facebook unveiled new security features designed to protect user accounts. “Over the last few weeks, we’ve been testing a new feature that allows you to approve the devices you commonly use to log in and then to be notified whenever your account is accessed from a device you haven’t approved,” a software engineer on Facebook’s site integrity team, wrote in Facebook’s blog. To try out the feature, users can go to the Account Settings page and select the option to receive notifications for log-ins from new devices. “When you log in, you’ll be asked to name and save the various devices you use to access Facebook. For example, you can save your home computer, your school or work computer, and your mobile phone. Once you’ve done this, whenever someone logs in to your account from a device not on this list, we’ll ask the person to name the device,” he wrote. Facebook is still dealing with controversy over its privacy policies. A European group of data-protection authorities sent a letter to Facebook May 13, about changes the site made late in 2009 that “fundamentally changed the default settings on its social networking platform to the detriment of a user,” the group charged. Earlier May 13, Facebook had a meeting where employees asked executives questions about privacy. Facebook officials would not comment on exactly what was said in the meeting. Source:

52. May 13, DarkReading – (International) E-mail attack targets HR departments. A targeted attack aimed at human resources departments and hiring managers in the U.S. and Europe that was spotted this week sent 250,000 e-mails during a four-hour period May 12. Researchers at Websense Security Labs discovered the attack, which included the subject line “New resume” and came with a ZIP file attachment and what appeared to be a picture file. When opened, the files spread bot malware and, ultimately, fake antivirus software. “From what the Websense Security Labs has ascertained, the e-mail campaign would be most relevant to HR departments and managers considering hiring. Employees in these types of roles would most likely be encouraged to view the attachments,” said a senior manager of security research for Websense Security Labs. An executable inside the ZIP file contains the Oficla bot, according to the researchers; the bot connects to a command and control server in the domain, and also communicates with,,, and The malware issues a warning message that the victim’s PC is “infected,” and then it downloads the Security Essentials 2010 fake AV program. The researcher said the attackers appear to be trying to make money both by selling fake AV, and by building out a botnet. “This attack installed a downloader onto the infected user’s computer. This means that any payload could be delivered with different directives,” he said. Source:
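The lure in this campaign is a ZIP attachment whose member looks like a picture but is an executable. The following is an added example, not Websense's tooling and not code from the report: a mail-gateway style check that opens each ZIP attachment and flags members with executable extensions, a PE header behind a non-executable name, a picture extension buried before the real one, or whitespace padding used to push the real extension out of view. The message, attachment and member names are constructed for the example; the exact names used in the real campaign are not given on this page.

```python
"""Screen an e-mail's ZIP attachments for executables dressed up as pictures.
Added example, not Websense's tooling; the message, the ZIP and its member
names are constructed sample data, not a captured specimen."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PICTURE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
MZ_MAGIC = b"MZ"  # first two bytes of a Windows PE executable


def build_sample_message() -> bytes:
    """Constructed sample resembling the campaign: subject 'New resume' and a ZIP
    whose first member is a PE stub named to look like a picture (padding spaces
    push the real extension out of view in a file dialog)."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w") as zf:
        zf.writestr("resume.jpg                      .exe", MZ_MAGIC + b"\x00" * 62)
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # JPEG magic, benign
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"
    msg["To"] = "hr@example.invalid"
    msg["Subject"] = "New resume"
    msg.set_content("Please find my resume attached.")
    msg.add_attachment(payload.getvalue(), maintype="application",
                       subtype="zip", filename="resume.zip")
    return msg.as_bytes()


def suspicious_members(zip_bytes: bytes) -> List[str]:
    """Return one finding per suspicious trait of each ZIP member; empty means clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.lower().split(".")
            ext = "." + parts[-1].strip() if len(parts) > 1 else ""
            with zf.open(info) as member:
                head = member.read(len(MZ_MAGIC))
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(f"{name!r}: executable extension {ext}")
            elif head == MZ_MAGIC:
                # Extension says data, content says PE: a renamed executable
                findings.append(f"{name!r}: PE header behind non-executable name")
            inner = {"." + p.strip() for p in parts[1:-1]}
            if inner & PICTURE_EXTENSIONS:
                findings.append(f"{name!r}: picture extension hidden before {ext}")
            if "  " in name:
                findings.append(f"{name!r}: whitespace padding in file name")
    return findings


def scan_message(raw: bytes) -> List[str]:
    """Parse a raw RFC 5322 message and inspect every ZIP attachment it carries."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for att in msg.iter_attachments():
        filename = (att.get_filename() or "").lower()
        if att.get_content_type() == "application/zip" or filename.endswith(".zip"):
            data = att.get_payload(decode=True)
            try:
                findings.extend(f"{filename}: {f}" for f in suspicious_members(data))
            except zipfile.BadZipFile:
                findings.append(f"{filename}: not a valid ZIP archive")
    return findings


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

On the constructed sample the disguised member is reported three times (executable extension, hidden picture extension, padded name) while the genuine JPEG passes; in practice the content check matters more than the name check, because the attacker controls the name.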

53. May 13, Data Center Knowledge – (Virginia; National) Car crash triggers Amazon power outage. Amazon’s EC2 cloud computing service suffered its fourth power outage in a week May 11, with some customers in its U.S. East Region losing service for about an hour. The incident was triggered when a vehicle crashed into a utility pole near one of the company’s data centers, and a transfer switch failed to properly manage the shift from utility power to the facility’s generators. Amazon Web Services said a “small number of instances” on EC2 lost service at 12:05 p.m. Pacific time May 11, with most of the interrupted apps recovering by 1:08 p.m. The incident affected a different Availability Zone than the ones that experienced three power outages the week of May 3. Amazon Web Services said May 9 that it is making changes in its data centers to address the series of power outages. Amazon EC2 experienced two power outages May 4 and an extended power loss May 8. In each case, a group of users in a single availability zone lost service, while the majority of EC2 users remained unaffected. Source:

54. May 12, TechWorld – (International) Botnet hijacks web servers for DDoS campaign. Researchers at Imperva have discovered an “experimental” botnet that uses around 300 hijacked Web servers to launch high-bandwidth DDoS attacks. The servers are all believed to be open to an unspecified security vulnerability that allows the attacker, who goes by the name “Exeman”, to infect them with a tiny, 40-line PHP script. This includes a simple GUI from which the attacker can return at a later date to enter in the IP, port and duration numbers for the attack that is to be launched. But why servers in the first place? Botnets are built from PCs and rarely involve servers. According to Imperva’s CTO, they have no antivirus software and offer high upload bandwidth, typically 10 to 50 times that of a consumer PC. Are there disadvantages to this? There are simply fewer of them, the attacker needs to find vulnerable machines using PHP, and they appear to need manual control, although he did say that attacks could probably be automated using a separate script. Source:

Communications Sector

55. May 13, IDG News Service – (National) Lawmaker challenges broadband providers on net neutrality. If broadband providers do not want the U.S. Federal Communications Commission (FCC) to reclassify broadband as a regulated service, Congress is willing to pass a network neutrality law and address a major reason for reclassification, a senior lawmaker said May 13. Broadband providers have a second option to the FCC Chairman’s proposal to reclassify broadband transmission as a common-carrier service, said a democratic U.S. representative from Virginia, who is also chairman of the communications and Internet subcommittee of the House Energy and Commerce Committee. With enforcement of net neutrality rules a major driver for the chairman’s reclassification plan, broadband providers instead could work with the subcommittee to craft a net neutrality law, the representative said. Source:

56. May 13, The New New Internet – (International) Das internet ist kaputt: German internet disrupted. Significant portions of the German Internet were unavailable May 12 for over an hour, following a mistake by the DENIC, which administers the .de domain. According to some reports, all 13.6 million .de domains were impacted by the interruption, though other reports said the number of affected domains was smaller. E-mail and Web sites were disrupted from 1:30 p.m. to 2:50 p.m., German time. The problem likely occurred when DENIC uploaded zone files that were empty. “There is no definitive answer,” said the CTO of domain registrar “Best theory right now is an incomplete zone was pushed out.” The TLD Source blog said that the problem was a result of the empty zone file uploads. “It looks like they started loading in new zonefiles automatically, having to notice too late that the new zonefile actually didn’t contain any information and that they had therefore technically deleted all .de domain names,” the blog said. Source:
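The failure mode here is an empty or incomplete zone being loaded automatically and noticed only after it was live. The following is an added example, not DENIC's tooling and not code from the report: a pre-publication gate that parses a simple one-record-per-line zone file and refuses to publish if it has no records, does not have exactly one SOA, has fewer than two NS records at the apex, or has shrunk sharply against the previously published record count. The zone text, the names in it and the previous-count figure are constructed for the example.

```python
"""Sanity-check a zone file before it is pushed to the name servers.
Added example, not DENIC's tooling; SAMPLE_ZONE, EMPTY_ZONE and any
previous record count passed in are constructed sample data."""
from typing import List, Optional, Tuple

RECORD_TYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "TXT", "DS", "PTR", "SRV"}
CLASSES = {"IN", "CH", "HS"}

SAMPLE_ZONE = """\
$ORIGIN example.
$TTL 3600
; constructed sample zone, one record per line
@             IN SOA  ns1.example. hostmaster.example. ( 2010051201 7200 3600 1209600 3600 )
@             IN NS   ns1.example.
@             IN NS   ns2.example.
ns1           IN A    192.0.2.1
ns2           IN A    192.0.2.2
shop          IN NS   ns1.shop.example.
ns1.shop      IN A    198.51.100.7
"""

# What an "incomplete zone" push looks like: directives survive, records are gone.
EMPTY_ZONE = "$ORIGIN example.\n$TTL 3600\n; only directives, no records\n"


def parse_zone(text: str) -> Tuple[Optional[str], List[Tuple[str, str, str]]]:
    """Return (origin, [(owner, type, rdata), ...]) for a one-record-per-line zone."""
    origin = None
    owner = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            continue  # $TTL and other directives carry no records
        tokens = line.split()
        # An indented line inherits the owner name of the previous record
        if not raw[0].isspace():
            owner = tokens.pop(0)
        # Skip the optional TTL and class fields to reach the record type
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)
        if not tokens or tokens[0].upper() not in RECORD_TYPES:
            raise ValueError(f"unparseable record line: {raw!r}")
        rtype = tokens.pop(0).upper()
        records.append((owner, rtype, " ".join(tokens)))
    return origin, records


def check_zone(text: str, previous_count: Optional[int] = None,
               min_ratio: float = 0.9) -> List[str]:
    """Return the reasons the zone must NOT be published; an empty list means go."""
    try:
        origin, records = parse_zone(text)
    except ValueError as exc:
        return [str(exc)]
    if not records:
        return ["zone contains no resource records"]
    problems = []
    apex = {"@"} | ({origin} if origin else set())
    soa = [r for r in records if r[1] == "SOA"]
    apex_ns = [r for r in records if r[1] == "NS" and r[0] in apex]
    if len(soa) != 1:
        problems.append(f"expected exactly one SOA record, found {len(soa)}")
    if len(apex_ns) < 2:
        problems.append(f"fewer than two NS records at the apex ({len(apex_ns)})")
    if previous_count is not None and len(records) < min_ratio * previous_count:
        problems.append(
            f"record count fell from {previous_count} to {len(records)}; "
            f"refusing to publish a zone that shrank by more than {1 - min_ratio:.0%}")
    return problems


if __name__ == "__main__":
    for label, zone, prev in (("good", SAMPLE_ZONE, None),
                              ("empty", EMPTY_ZONE, None),
                              ("shrunk", SAMPLE_ZONE, 1000)):
        print(label, check_zone(zone, previous_count=prev) or "OK to publish")
```

The record-count comparison against the last published zone is the check that would have caught this incident before the push; for a registry the size of .de the threshold should be tuned to normal daily churn, and a failed check should stop the automated load rather than just log.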

57. May 13, San Bernardino Press-Enterprise – (California) Pinched cable causes widespread phone, Internet outages from Temecula to Hemet. A 2.5-hour outage of phone and Internet service across portions of southwest Riverside County May 13 may have started when a fiber-optic cable got pinched in a cabinet door at a substation near Redlands, California, according to a Verizon spokesman. The outage affected landlines, cell phone, and Internet service to an unknown number of residents and businesses from Temecula to Hemet. Verizon was still trying to determine the total area affected. The cable got pinched about 2 p.m. and could no longer carry the light signal that the phone lines depend on. When the door was opened about 4:30 p.m. and the cable became dislodged, service returned to normal for all customers. Phone service was disrupted to police and sheriff’s stations in Hemet and Temecula, but the outage did not affect 911 lines. All emergency calls passed through, a sheriff’s spokesman said. At the Cal Fire Command Center in Perris, telephone dispatchers were unaffected but Internet service was down. Phones were down at city halls in Temecula, Hemet and San Jacinto, creating busy or disconnected signals for callers. Although the pinched cable was at a facility between San Bernardino and Redlands, police in those two cities reported no outages. Source:

58. May 12, Television Broadcast – (New York) WXXI-TV knocked off the air. WXXI-TV, the PBS member station serving metro Rochester, New York, was knocked off the air by severe weather. “Due to a transmitter outage caused by recent storm conditions, WXXI DTV 21.1, 21.2 and 21.3 are off the air,” WXXI’s Web site stated. “Channels are estimated to be back up within the next couple of days. This outage is not affecting cable subscribers.” The station’s transmitter facility is located in Rochester. The city suffered winds of more than 50 miles per hour over the weekend that took out trees and power lines. Roughly 14,000 of the local utility’s customers lost power. Source: