Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, June 1, 2010

Complete DHS Daily Report for June 1, 2010

Daily Report

Top Stories

• According to The Associated Press, Indian officials said that suspected Maoist rebels derailed an overnight passenger train Friday in eastern India, triggering a crash with an oncoming cargo train that killed at least 71 people and injured about 200 more. Survivors described a night of screaming and chaos after the derailment, and said it took rescuers more than three hours to reach the scene. (See item 23)

23. May 28, Associated Press – (International) Suspected sabotage derails train in India; 71 dead. Suspected Maoist rebels derailed an overnight passenger train Friday in eastern India, triggering a crash with an oncoming cargo train that killed at least 71 people and injured about 200 more, officials said. Survivors described a night of screaming and chaos after the derailment, and said it took rescuers more than three hours to reach the scene. The blue passenger train and the red cargo train were knotted together in mangled metal along a rural stretch of track near the small town of Sardiha, about 90 miles west of Calcutta in West Bengal state. Officials disagreed on the cause of the derailment, with some saying it was caused by an explosion but others blaming sabotaged rail lines. The Indian Home Minister said in a statement that a section of the railway tracks had been cut, but “whether explosives were used is not yet clear.” The top police official in West Bengal said posters from the People’s Committee Against Police Atrocities, a group local officials believe is closely tied to the Maoists, had been found at the scene taking responsibility for the attack. However, a spokesman for the group denied any role, the Press Trust of India news agency reported. “We were in no way involved. This is not our act,” PTI quoted him as saying by phone. Source:

• The Associated Press reports that a top Pentagon official said May 26 that a U.S. government computer security system that can detect and prevent cyber attacks should be extended to private businesses that operate critical utilities and financial services. The Deputy Defense Secretary said discussions are in the very early stages and participation in the program would be voluntary. (See item 50 below in the Information Technology Sector)

Banking and Finance Sector

13. May 28, eSecurity Planet – (International) Phishing scam targets military credit unions. U.S. Strategic Command officials are joining leading security software vendors in warning soldiers serving in the U.S. Armed Forces to be on high alert for a new phishing scam that targets customers at a pair of credit unions catering to servicemen and their families. The STRATCOM commander is warning soldiers and their families that bogus Web sites imitating both USAA, a popular insurance and financial services firm catering to military families, and the Navy Federal Credit Union have successfully stolen the personal and banking data of an unknown number of customers. In a blog posting this week, Symantec officials said the phishing sites ask customers to fill in a form with their sensitive data to unlock what the corrupt Web page claims is a login error created by too many failed login attempts. This information includes social security numbers, credit card information, birth dates and mothers’ maiden names. “The page also includes a fake CAPTCHA that accepts data irrespective of the number entered,” Symantec’s security team wrote. “When the sensitive information is entered, the phishing site states that the customer’s password is unlocked for logging in. The page is then redirected to the legitimate site.” Source:

14. May 28, SC Magazine – (International) Importance of e-mail retention clear after U.S. bank is fined $700,000. A fine issued to a company for failing to retain emails demonstrates the importance of e-mail retention as a compliance issue. Earlier this week, the U.S. Financial Industry Regulatory Authority (FINRA) issued a fine of $700,000 to Piper Jaffray & Co. for failing to retain approximately 4.3 million e-mails from November 2002 through December 2008. The company, a middle-market investment bank and institutional-securities firm, also failed to inform FINRA of its e-mail retention and retrieval issues, which impacted the firm’s ability to comply completely with e-mail extraction requests from FINRA. Piper Jaffray had previously been sanctioned for e-mail retention failures in November 2002, in a joint action by the Securities and Exchange Commission, New York Stock Exchange Regulation and NASD, arising from investigations of the firm’s conflicts of interest between its investment banking and research departments. As part of that settlement, Piper Jaffray was required to review its systems and certify that it had established systems and procedures designed to preserve electronic mail communications. The firm made that certification to regulators in March 2003. At no time did the firm alert regulators that its system was experiencing problems. Commenting, the CEO of Mimecast said that the severity of the fine demonstrated the importance of e-mail retention as a compliance issue in today’s knowledge-based industries, where in the event of a litigation or other inquiry, a secure and audited copy of every internal and external e-mail will need to be delivered within 24 hours of a request. Source:

15. May 28, Monsters and Critics – (International) Gang of suspected debit card fraudsters seized in Spain. Nine members of a Romanian gang thought to be exploiting fake debit cards were seized in Spain after a joint Spanish and German raid, investigators in Germany announced May 28. The gang had allegedly caused 4.4 million euros ($5.4 million) of losses in Germany alone, by copying the debit card details of unwitting customers using their cards to pay in shops. The gang members had tampered with the shops’ card payment terminals to access the data, which they transcribed onto blank debit cards, officials said. The head of the group and his eight accomplices were arrested May 26 after a raid in the Valencia region on Spain’s eastern coast. German criminal police officers assisted in the Spanish-led police investigation. Source:

16. May 27, – (Arizona) Credit union text phishing scam strikes again in Arizona, AG says. Arizona Credit Union West customers be warned: Ignore bizarre text messages saying an individual’s account has unusual activity or has been suspended — it is a phishing scam by text. The attorney general alerted consumers May 25 not to fall for a scam that targets Verizon, Sprint and T-Mobile customers. Similar spam texts also have targeted Cox Communication customers. Cox provides cable and Internet services in the U.S., including Phoenix and Tucson. Credit Union West said it does not request confidential information such as Social Security, bank account or credit card numbers through text messages or e-mail. Source:

17. May 27, Krebs on Security – (National) Cyber thieves rob Treasury Credit Union. Organized cyber thieves stole more than $100,000 from a small credit union in Salt Lake City last week, in a brazen online robbery that involved dozens of co-conspirators, KrebsOnSecurity has learned. In most of the e-banking robberies written about to date, the victims have been small to mid-sized businesses that had their online bank accounts cleaned out after cyber thieves compromised the organization’s computers. This incident is notable because the entity that was both compromised and robbed was a bank. The attack began May 20 when the unidentified perpetrators started transferring funds out of an internal account at Treasury Credit Union, a financial institution that primarily serves employees of the U.S. Treasury Department and their families in the state of Utah. The Treasury Credit Union president said the thieves made at least 70 transfers before the fraud was stopped. Many of the transfers were in the sub-$5,000 range and went to so-called “money mules,” willing or unwitting individuals recruited over the Internet through work-at-home job schemes. The credit union president said other, larger, transfers appear to have been sent to commercial bank accounts tied to various small businesses. According to the credit union president, the perpetrators who set up the bogus transactions had previously stolen a bank employee’s online log-in credentials after infecting the employee’s Microsoft Windows computer with a Trojan horse program. He said investigators have not yet determined which particular strain of malware had infected the PC, adding that the bank’s installation of Symantec’s Norton Antivirus failed to detect the infection prior to the unauthorized transfers. Source:
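The pattern in the Treasury Credit Union incident above (dozens of outbound transfers in a short burst, most kept under $5,000, sent to previously unseen beneficiaries) is one a transaction-monitoring rule can catch before the seventieth transfer clears. The following is an added example written for this report, not code from the credit union, KrebsOnSecurity or any vendor; the transfer records, account names and beneficiary names are constructed, and the thresholds are assumptions a practitioner would tune to their own institution.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound transfers: (timestamp, source_account,
# beneficiary, amount_usd). These are invented for the example.
_T0 = datetime(2010, 5, 20, 9, 0, 0)
SAMPLE_TRANSFERS = [
    # ordinary history for the internal account: known vendors, spread out
    (_T0 - timedelta(days=2), "internal-settlement-01", "vendor-payroll", 45000.00),
    (_T0 - timedelta(days=1), "internal-settlement-01", "vendor-utility", 1200.00),
    # an ordinary member account making two transfers
    (_T0 + timedelta(minutes=3), "member-4412", "member-landlord", 950.00),
    (_T0 + timedelta(hours=2), "member-4412", "member-savings", 300.00),
]
# A burst from the internal account: 12 transfers in about 80 minutes,
# ten of them just under 5,000, all to beneficiaries never paid before.
_BURST_AMOUNTS = [4800, 2900, 4500, 3100, 4950, 2750, 4600, 3300, 9800, 4400, 2600, 12500]
_BURST_BENEFICIARIES = [f"mule{i:02d}" for i in range(1, 11)] + ["smallbiz-a", "smallbiz-b"]
for k, (amt, who) in enumerate(zip(_BURST_AMOUNTS, _BURST_BENEFICIARIES)):
    SAMPLE_TRANSFERS.append((_T0 + timedelta(minutes=7 * k), "internal-settlement-01", who, float(amt)))

# Beneficiaries each source account has paid before (constructed).
KNOWN_BENEFICIARIES = {
    "internal-settlement-01": {"vendor-payroll", "vendor-utility"},
    "member-4412": {"member-landlord", "member-savings"},
}


def flag_burst_transfers(transfers, known_beneficiaries, window=timedelta(hours=6),
                         min_count=10, sub_threshold=5000.0, min_sub_share=0.7,
                         min_new_beneficiaries=5):
    """Return one alert per source account whose transfers, inside any
    sliding window, are numerous, mostly below sub_threshold, and go to
    many beneficiaries the account has never paid before."""
    by_source = defaultdict(list)
    for row in sorted(transfers):
        by_source[row[1]].append(row)

    alerts = []
    for source, rows in by_source.items():
        seen = known_beneficiaries.get(source, set())
        for i, (start, _, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] < start + window]
            if len(in_window) < min_count:
                continue
            sub_count = sum(1 for r in in_window if r[3] < sub_threshold)
            new_beneficiaries = {r[2] for r in in_window} - seen
            if (sub_count / len(in_window) >= min_sub_share
                    and len(new_beneficiaries) >= min_new_beneficiaries):
                alerts.append({
                    "account": source,
                    "window_start": start,
                    "count": len(in_window),
                    "sub_threshold": sub_count,
                    "new_beneficiaries": sorted(new_beneficiaries),
                })
                break  # first qualifying window is enough; later ones overlap it
    return alerts


if __name__ == "__main__":
    for alert in flag_burst_transfers(SAMPLE_TRANSFERS, KNOWN_BENEFICIARIES):
        print(alert["account"], alert["count"], "transfers,",
              alert["sub_threshold"], "under threshold,",
              len(alert["new_beneficiaries"]), "new beneficiaries")
```

The rule deliberately combines three weak signals (volume, sub-threshold sizing, and beneficiary novelty) so that a legitimate payroll run to known vendors does not trip it, while a credential-theft burst to fresh mule accounts does. The member account in the sample, with two transfers to familiar payees, produces no alert.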

18. May 27, Computing – (International) Salvation Army IT boss warns of new ways scammers abuse charities. Cyber criminals are targeting charities in their efforts to con people out of cash. The Salvation Army’s CIO told Computing that not only do fraudsters create false charity Web sites, they use charity sites to test stolen credit card numbers. The CIO explained that it is particularly important for charities to treat people’s personal details with the utmost care because their business is based on trust and their reputations are their most valuable asset. “We take credit card details from you and give you a warm, fuzzy feeling in return. You don’t get a parcel coming to your door, you just give your credit card number and, naturally, you put your trust in the brand that people are going to do good with it,” he explained. Scammers have begun to adopt a different approach to lull their target market into a false sense of security, he said. They are opting to set up fake charitable Web sites and ask for donations to help during times of disaster. This is a move away from the trend of sending fake warnings from banks or building societies to consumers to gather personal details. Source:

19. May 27, Muncie Star Press – (Indiana) Tillotson reopened to traffic; suspicious ‘package’ was mug wrapped in paper. Traffic was closed on South Tillotson Avenue north of White River Boulevard in Muncie, Indiana May 27 while authorities investigated the discovery of what was described as a suspicious package in a nearby bank. However, the “package” apparently ended up being a drinking mug wrapped in paper. The First Merchants Bank branch was evacuated during the investigation, and members of the Delaware County sheriff’s bomb squad, city police and firefighters, and the county’s emergency management agency were on hand. Source:

Information Technology

47. May 28, SC Magazine – (International) The gaming details of 44 million users found on a server. The stolen gaming credentials of 44 million people have been found on a server. A researcher for Symantec security response claimed that recent analysis of a sample of a data-harvesting threat revealed the stolen credentials. What was interesting was not just the sheer number of stolen accounts, but that the accounts were being validated by a Trojan distributed to compromised computers. The company detected this threat as Trojan.Loginck, and said that the database server is part of a distributed password checker aimed at Chinese gaming Web sites. The researcher said: “The stolen log-in credentials are not just from particular online games, but also include user log-in accounts associated with sites that host a variety of online games. In both cases the accounts contained in the database have been obtained from other sources, most likely using malware with information-stealing capabilities, such as Infostealer.Gampass.” He claimed that with 44 million sets of gaming credentials at a user’s disposal, three options were present: log on to gaming Web sites 44 million times, write a program to log in to the Web sites, or write a program that checks the log-in details and then distribute the program to multiple computers. The researcher said that the first two were either impossible or not feasible, but by taking advantage of the distributed processing that the third option offers, a user can complete the task more quickly and help mitigate the multiple-log-in failure problems by spreading the task over more IP addresses. This is what Trojan.Loginck’s creators have done. Source:
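The reasoning in the item above explains why spreading credential checks across many infected machines defeats the usual defence: a per-IP lockout never fires when each source makes only one or two attempts. The defender's answer is to aggregate failures site-wide and per account rather than per source. The example below is added for this report and is not Symantec's code or detection logic; the authentication events are constructed, and the window and thresholds are assumptions to be tuned against a site's real baseline.

```python
from collections import Counter
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed authentication events (timestamp, account, src_ip, result);
    invented for this example. Five ordinary users each mistype once and then
    log in; a hypothetical distributed checker makes one attempt per bot from
    60 source addresses within two minutes, a quarter of them succeeding."""
    t0 = datetime(2010, 5, 28, 10, 0, 0)
    events = []
    for i in range(5):
        ip, acct = f"192.0.2.{i + 1}", f"user{i:03d}"
        events.append((t0 + timedelta(seconds=i * 20), acct, ip, "fail"))
        events.append((t0 + timedelta(seconds=i * 20 + 5), acct, ip, "ok"))
    for i in range(60):
        ip, acct = f"198.51.100.{i + 1}", f"stolen{i:04d}"
        result = "ok" if i % 4 == 0 else "fail"
        events.append((t0 + timedelta(seconds=i * 2), acct, ip, result))
    return sorted(events)


def per_ip_lockout(events, max_failures=5):
    """Classic per-source rule: the set of IPs with more than max_failures
    failed logins. A distributed checker stays under this by design."""
    fails = Counter(ip for _, _, ip, r in events if r == "fail")
    return {ip for ip, n in fails.items() if n > max_failures}


def distributed_checker_windows(events, window=timedelta(minutes=5),
                                min_failures=20, max_per_ip=3,
                                min_distinct_account_share=0.8):
    """Site-wide rule: report a window in which failures are numerous, no
    single IP contributes more than max_per_ip of them, and the failures
    target mostly distinct accounts (one stolen credential tried per account)."""
    fails = [(ts, acct, ip) for ts, acct, ip, r in events if r == "fail"]
    alerts = []
    for start, _, _ in fails:
        in_window = [e for e in fails if start <= e[0] < start + window]
        if len(in_window) < min_failures:
            continue
        per_ip = Counter(ip for _, _, ip in in_window)
        distinct_accounts = len({acct for _, acct, _ in in_window})
        if (max(per_ip.values()) <= max_per_ip
                and distinct_accounts / len(in_window) >= min_distinct_account_share):
            alerts.append({
                "window_start": start,
                "failures": len(in_window),
                "distinct_ips": len(per_ip),
                "distinct_accounts": distinct_accounts,
                "max_failures_per_ip": max(per_ip.values()),
            })
            break  # one alert per burst is enough for the example
    return alerts


if __name__ == "__main__":
    evts = build_sample_events()
    print("per-IP lockouts:", per_ip_lockout(evts) or "none")
    for a in distributed_checker_windows(evts):
        print("distributed checker suspected:", a)
```

On the constructed data the per-IP rule locks out nothing, because every address failed at most once, while the site-wide rule sees fifty failures from fifty addresses against fifty distinct accounts inside one window and raises an alert. The same aggregation also points at which accounts then succeeded from a new address, which is the list to force a password reset on.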

48. May 28, The New New Internet – (International) UA student pleads guilty to launching botnet attacks. A former undergraduate at the University of Akron (UA) in Ohio pleaded guilty Thursday to charges he hacked into the school’s computer system to launch botnet attacks. The defendant, of Ohio, was charged with one count of causing damage to a protected computer system and one count of possessing 15 or more unauthorized access devices. He could be sentenced to 15 years in prison and fined up to $250,000. According to court documents, between August 2006 and March 2007 while enrolled at UA, the defendant used school computers to access IRC channels to control other computers and computer networks via botnet zombies, which were located throughout the United States and in other countries. He then used the compromised computers to spread malicious code, commands and information to more computers, so he could get information and data from the compromised computer networks, and for the purpose of launching DDoS attacks on computer systems and Web sites. Source:

49. May 28, The Register – (International) 3 men charged in $100m scareware scam. Federal prosecutors have accused three men of running an operation that used fraudulent ads to dupe Internet users around the world into buying more than $100 million worth of bogus anti-virus software. The defendants operated companies including Innovative Marketing and Byte Hosting Internet Services, which perpetuated an elaborate scheme that tricked Internet publishers into posting malware-laced ads on their Web sites, according to an indictment filed May 26. The banners allegedly presented messages falsely claiming visitors’ computers contained dangerous malware and other defects that could be fixed by purchasing software that cost from $30 to $70. The scheme often tricked users into purchasing multiple sham products, which were sold under names including Malware Alarm, Antivirus 2008 and VirusRemover 2008. The charges, filed in U.S. District Court in Chicago, largely echo allegations the Federal Trade Commission made in December 2008 against operators of the same companies. The federal judge hearing that case has held Innovative Marketing in contempt of court and fined it $8,000 per day for failing to comply with a temporary restraining order to shut down the scareware operation. The three defendants stand accused of setting up at least seven fictitious advertising agencies that placed ads on unnamed Web sites. The ads redirected viewers to Web sites that presented graphics that mimicked virus scans falsely claiming machines were riddled with a variety of dangerous infections. Source:

50. May 27, Associated Press – (National) Businesses could use U.S. cyber monitoring system. A U.S. government computer security system that can detect and prevent cyber attacks should be extended to private businesses that operate critical utilities and financial services, a top Pentagon official said May 26. The Deputy Defense Secretary said discussions are in the very early stages and participation in the program would be voluntary. The idea, he said, would allow businesses to take advantage of the Einstein 2 and Einstein 3 defensive technologies that are being developed to put in place on government computer networks. Extending the program to the private sector raises a myriad of legal, policy and privacy questions, including how it would work and what information, if any, companies would share with the government about any attacks or intrusions they detect. Businesses that opt not to participate could “stay in the wild, wild west of the unprotected Internet,” the secretary told a small group of reporters during a cybersecurity conference. And in the case of Einstein 2 — an automated system that monitors federal Internet and e-mail traffic for malicious activity — companies already may have equal or superior protections on their networks. Source:

51. May 27, Computerworld – (International) Hackers will keep hammering Facebook, say researchers. Attacks targeting Facebook users will continue, and they could easily become even more dangerous, a security researcher said today. Over the last two weekends, cybercriminals have launched large-scale attacks using rogue Facebook applications that infect users of the popular social networking site with adware that puts pop-ups on their screens. “There are limitations to what Facebook can do to stop this,” said a U.K.-based researcher for Websense Security Labs. “I wouldn’t be surprised to see another attack this weekend. Clearly, they work.” According to the chief technology officer at antivirus vendor AVG Technologies, last weekend’s attack was about half the size of the one the weekend before. Both featured messages that used sex-oriented videos as bait to convince users to install a Facebook application and then download a purported update to a free video player program. The download was actually adware. Both researchers agree that the attacks will keep coming. The hackers are “trying to make money and looking for ways to ‘work’ Facebook,” said one of the researchers in an instant message. Source:

52. May 26, Hurriyet Daily News – (International) Cyber criminal activity on the rise in Turkey, data show. According to the latest data from Trend Micro, a leading Internet security company, more than 2 million computers were hacked and 476 million spam e-mails were sent in Turkey between June 2009 and May 2010. With the Internet an increasingly integral part of daily life, criminals are finding new playgrounds in cyberspace. In 2004, there were 680 million Internet users and 3 million malware samples globally. Six years later, the number of Internet users increased to around 1.7 billion, but malware samples jumped 10-fold to 30 million. Malware, short for malicious software, is designed to infiltrate a computer system without the owner’s informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive or annoying software or program code. The term “computer virus” is sometimes used as a catch-all phrase to include all types of malware, including true viruses. The senior security adviser from Trend Micro said there is a booming underground economy where “everything is for sale” in cyberspace. Criminals can trade 1 million e-mail addresses for $8. A full identity, including name, birthday, Social Security number, ATM PIN and credit card information, can be bought for $15. Source:

For more stories, see items 17 and 18 above in the Banking and Finance Sector

Communications Sector

53. May 28, The Wall Street Journal – (National) Telecom Firms Gird for Lobbying War. The Federal Communications Commission’s (FCC) recent effort to ensure it can police Internet providers has prompted new interest in Congress toward rewriting the nation’s aging telecommunications laws for the Internet era. The rewrite won’t happen right away — and could stretch on for more than a year — but phone and cable companies are already gearing up for a lobbying battle that is likely to be expensive. Earlier this week, key Democratic lawmakers announced plans to take up a telecommunications revamp, a move applauded by phone and cable companies that hope it could stall the FCC’s efforts to regulate their Internet lines. AT&T Inc. said it welcomed any effort “to clarify what authority Congress wishes the FCC to have in the Internet space.” Rumbling from Capitol Hill hasn’t slowed the FCC, which said Thursday that it will open deliberations next month on its proposal to change how the agency regulates Internet lines. The proposal would reverse a previous decision to deregulate Internet lines and begin to apply rules that were written for traditional phone networks. Source: