Monday, December 6, 2010

Complete DHS Daily Report for December 6, 2010

Daily Report

Top Stories

• A 44-year-old former FBI Special Agent faces up to 315 years in prison and $6.5 million in fines for wire fraud and bankruptcy fraud, according to the Chattanooga Chattanoogan. See item 16 below in the Banking and Finance Sector.

• Agence France-Presse reports U.S. officials said a U.S.-style airport security program will soon be set up in Yemen, where an Al-Qaeda affiliate has engineered a string of failed international airline attacks. (See item 20)

20. December 2, Agence France-Presse – (International) US airport security program to launch in Yemen. A U.S.-style airport security program will soon be set up in Yemen, where an Al-Qaeda affiliate has engineered a string of failed international airline attacks, U.S. officials said. “We have a program that will be starting up in the very near future, an 18-month program with Yemen,” an official with the U.S. Transportation Security Administration told a Senate hearing on international airline safety. Yemen-based Al-Qaeda in the Arabian Peninsula has claimed it was behind a foiled air cargo bomb plot in October, in which printer toner cartridges that had been rigged as bombs were shipped out of Sanaa. Source:


Banking and Finance Sector

13. December 3, Credit Union Times – (Arizona) Defaulted business loans surpass $25 million for AEA FCU. More than $25 million in alleged fraudulent loans authorized by the former vice president of business services at AEA Federal Credit Union are now in default, according to the Arizona Office of the U.S. Attorney. The former vice president, along with his wife and an Arizona businessman were arrested December 2 for their roles in approving questionable AEA business loans in exchange for nearly $1 million, the attorney’s office said. The businessman accomplice used the loans to fund his businesses, many of which are now bankrupt. An 11-month investigation revealed several inconsistencies with business loans authorized by the former vice president including actions to thwart internal and external audits. Source:

14. December 3, Montgomery Media – (Pennsylvania) FBI suspects Cheltenham bank robber of three Philly holdups. The man believed responsible for the November 12 robbery of the Sovereign Bank branch at 500 Central Avenue in Cheltenham, Pennsylvania is believed responsible for at least three other bank holdups in the Philadelphia area, according to the FBI. The FBI issued a press release December 2 asking the public to help the bureau, along with Cheltenham Township and Philadelphia police, identify and locate the suspected bank robber. During the Cheltenham holdup, the robber presented a demand note and got away with about $6,000, according to a police report. In addition to the Cheltenham robbery, the suspect is believed responsible for the November 30 robbery of the Bank of America branch at 1000 Cottman Avenue, Philadelphia; the December 1 holdup of the Bank of America branch at 6425 Rising Sun Avenue, Philadelphia; and the December 2 robbery of the VIST Financial branch at 8004 Verree Road in Philadelphia. Source:

15. December 3, New New Internet – (National) ‘Relentless’ crooks pull a fast one with payday loan scam. Criminals posing as FBI representatives and lawyers are scamming consumers in a payday loan phone collection scam, according to IC3, the FBI’s cyber crime center. In this scam, a caller claims the victim is delinquent in a payday loan and has to immediately pay up to avoid legal consequences. The callers, who say they represent the FBI, various law firms, or other legitimate-sounding agencies, claim to be collecting debts for companies such as United Cash Advance, U.S. Cash Advance, U.S. Cash Net, and other Internet check-cashing services. The fraudsters often have accurate information about the victims, including Social Security numbers, dates of birth, addresses, employer information, bank account numbers, names, and telephone numbers of relatives and friends. IC3 said it is unclear how this information is obtained, but suspects it comes from victims’ previous online applications for other loans or credit cards. Source:

16. December 2, Chattanooga Chattanoogan – (Tennessee) FBI Agent found guilty of federal wire and bankruptcy fraud. A 44-year-old former FBI Special Agent was found guilty of 15 counts of wire fraud and 3 counts of bankruptcy fraud December 2 by a federal jury in Nashville, Tennessee. Sentencing was set for March 4 at 10 a.m. The former Agent faces a total of 315 years in prison and $6.5 million in fines. The maximum penalty for each violation of the wire fraud statute is 20 years in prison and a $250,000 fine. The maximum penalty for each count of bankruptcy fraud is 5 years in prison and a $250,000 fine. Each count also carries a mandatory $100 special assessment. The court may also order restitution to any victims of the fraud. The former Agent was indicted in May by a federal grand jury for wire fraud, bank fraud and swearing a false oath in bankruptcy. The jury failed to reach a verdict on the bank fraud charge. Authorities said he devised a wire fraud scheme to defraud SunTrust Mortgage Company, Inc., in connection with the purchase of rental properties totaling $1.25 million in May and July 2006. In addition, he devised a scheme to defraud SunTrust Bank in connection with a $100,000 line of credit and made three false statements in connection with his subsequent bankruptcy petition in July 2009. Source:

17. December 2, – (New Jersey) Serial bank robber caught after crashing into Old Bridge police car. Police arrested a man who officials said robbed a bank, struck a marked Old Bridge, New Jersey police car, and led police on a foot chase December 1. The 43-year-old suspect was charged with that robbery, along with three other bank robberies in Monmouth County over the last 2 years. Further investigation revealed the suspect had robbed the same Capital One Bank twice, April 6, 2009 and December 21, 2009, according to an assistant county prosecutor. He is also accused of robbing a TD Bank in Howell on Route 9 South August 6. Source:

18. December 1, Associated Press – (California) Warrant: Calif bomb suspect says he robbed 3 banks. A man suspected of operating a virtual “bomb factory” at his San Diego County, California house has told authorities he robbed three banks and tried to rob a fourth. The information is contained in a search warrant released December 1. The warrant said the suspect told an FBI agent and sheriff’s detective in a November 22 interview that he robbed three Bank of America branches in San Diego, in November 2009 and in June and July of this year. It said he also admitted trying to rob a fourth Bank of America branch last year. The 54-year-old suspect has pleaded not guilty to 26 counts of manufacturing or possessing explosives, and two bank robbery counts. He is being held on $5 million bail. Authorities said explosives were discovered in the suspect’s rented home after a gardener was injured this month in a blast in the backyard. Source:

Information Technology

44. December 3, – (Unknown Geographic Scope) AVG update crashes 64-bit Windows 7 systems. The latest software update from security supplier AVG Technologies has caused problems with many users running Microsoft’s 64 bit Windows 7 operating system. The conflict between update 3292 for both free and paid-for versions of the software causes systems to go into an infinite crash loop, the company said. AVG has withdrawn the update and published an advisory on how to get affected systems running again and links to FAQs. AVG also said it will release a program to ensure the fix is completed automatically as soon as possible. Users who are running Windows 7 and have not downloaded and installed update 3292 will be unaffected, the company said.


45. December 3, ComputerWorld – (International) Google quashes 13 Chrome bugs, adds PDF viewer. Google December 2 patched 13 vulnerabilities in Chrome as it shifted the most stable edition of the browser to version 8. Chrome 8 also debuted Google’s built-in PDF viewer, an alternative to the bug-plagued Adobe Reader plug-in, and included support for the still-not-launched Chrome Web Store. The 13 flaws fixed in Chrome 8.0.552.215 are in a variety of components, including the browser’s history, its video indexing, and the display of SVG (scalable vector graphics) animations. Four of the baker’s dozen are tagged as “high” level bugs, Google’s second-most-serious rating, while five are pegged “medium” and four are labeled as “low.” Source:

46. December 2, TrendLabs Malware Blog – (International) Updated ZeuS-LICAT variant spotted. A new LICAT sample has been found that communicates with its command-and-control (C&C) server using a pseudo-random domain that was not among those generated by the original algorithm. Not only does this new variant use different XOR keys, it also uses more of them. The original LICAT variant’s domain generation algorithm (DGA) used the same XOR key twice: once to derive the domain where its configuration file was located, and once to derive the domain from which new or updated variants could be downloaded automatically. In the new variant, different keys are used for the two purposes, and neither key matches the value used by the original variant. This doubles the number of domains that researchers have to monitor and block. Source:

47. December 2, Softpedia – (International) Twitter trends poisoned with malicious links. Security researchers warn that malware distributors are aggressively pushing malicious links via Twitter Trends in a black hat search engine optimization-like (BHSEO) campaign meant to infect users. Just like Google Trends, which lists the hottest Google search topics and keywords, Twitter Trends provides a list of the most discussed subjects on the microblogging platform at any given time. In fact, Twitter trending topics are more visible than Google’s trends, because they are listed by default in the sidebar of every user’s timeline. Clicking on any of them generates a real-time feed of tweets that contain the specific term, making it easier for people to follow public discussions on particular topics. Cyber criminals commonly poison the results for the latest Google hot searches with malicious links, in what is known as BHSEO. Some of them are now applying the same concept on Twitter. A security expert with antivirus vendor Kaspersky Lab warned that there is currently an ongoing campaign using this technique. The expert said this Twitter Trends poisoning effort is quite aggressive, with almost 3,000 malicious links posted for every popular topic within a 40-minute window. Source:

48. December 2, Softpedia – (International) Malicious links spammed from fake Amazon profiles. Security researchers from cloud security provider Zscaler have identified many fake Amazon profiles that are being used to spam links to rogue online pharmacies and malware distribution sites. Fake profiles have long been used for spam on all Web sites that allow inter-user communication, starting years ago with forums and continuing today with social networks. The latest spam campaigns are using fake profiles to abuse these community features in order to advertise malicious links. One attack promotes adult content of an illegal nature and directs users to two Web sites hosted on a server previously involved in trojan and scareware distribution. The same domains are also advertised on Google Groups using the same fake profile-based spamming method. In another scheme, thousands of fake Amazon accounts are used to promote counterfeit prescription drugs that link back to rogue online pharmacies. Source:

49. December 2, Softpedia – (International) McAfee investigates DLL preloading flaw in Enterprise product. McAfee is investigating a publicly disclosed DLL preloading vulnerability in version 8.5i of its VirusScan Enterprise (VSE) product, which can lead to remote code execution. McAfee VirusScan Enterprise is the company’s endpoint antivirus product for corporate environments and is currently at version 8.7i Patch 4. In an article published December 1, McAfee revealed it is investigating reports of a vulnerability in VSE 8.5i and earlier, which could allow remote attackers to execute arbitrary code in the context of the antivirus. The company described the flaw as a “DLL Side Load issue” and rated its impact as medium. The calculated CVSS base score is 5.7 out of 10. In contrast, vulnerability research company Secunia rates the issue as “highly critical” and calls it an “insecure library loading” flaw. This discrepancy in severity rating is caused by the fact that McAfee treats this as an unconfirmed report, which keeps the CVSS score down. When the antivirus product scans a Word document and tries to inspect ActiveX content embedded inside the file, it attempts to load traceapp.dll from the current working directory. This presents an opportunity for attackers to place a rogue library with that name in the same folder as the Word document and have it loaded. The only mitigation available at the moment is to upgrade to VSE 8.7i, which is not vulnerable. Source:
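The item above describes a library resolved by bare name against the current working directory, so the defensive check a responder wants is a sweep of document folders for DLLs that have no business being there. The following script is an added example written for this report, not McAfee’s code; the name traceapp.dll is taken from the item, while the document suffix list, the sample directory layout and the helper names (find_planted_dlls, build_sample_tree, run_demo) are assumptions made for the demonstration.

```python
"""Triage sweep for DLLs planted beside Office documents.

Added example, not vendor code. A bare DLL name resolved against the
current working directory means a library dropped next to a document is
picked up when that document is opened or scanned; this sweep reports
every DLL that shares a folder with a document, listing names known from
an advisory first. The sample tree is constructed for the demonstration.
"""
import os
import tempfile
from pathlib import Path

# Assumed set of document types worth checking; extend as needed.
DOCUMENT_SUFFIXES = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx"}
# traceapp.dll comes from the report; other names would come from advisories.
WATCHED_DLL_NAMES = {"traceapp.dll"}


def find_planted_dlls(root, watched=WATCHED_DLL_NAMES):
    """Return one finding per DLL that sits in a folder containing documents.

    Each finding is a dict with the DLL path, whether its name appears in
    the watched set, and the documents that share the folder. Findings
    named in the watched set sort first so they are triaged first.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        docs = sorted(f for f in files if Path(f).suffix.lower() in DOCUMENT_SUFFIXES)
        if not docs:
            # A DLL in a folder with no documents is a different pattern
            # (application directories legitimately hold DLLs).
            continue
        for f in files:
            if Path(f).suffix.lower() == ".dll":
                findings.append({
                    "dll": os.path.join(dirpath, f),
                    "named_in_advisory": f.lower() in watched,
                    "documents": [os.path.join(dirpath, d) for d in docs],
                })
    findings.sort(key=lambda r: (not r["named_in_advisory"], r["dll"]))
    return findings


def build_sample_tree(base):
    """Constructed sample: a file share holding a document plus a planted
    DLL, and an application folder holding a DLL but no documents."""
    share = Path(base) / "share" / "invoices"
    share.mkdir(parents=True)
    (share / "invoice.docx").write_bytes(b"PK\x03\x04")  # placeholder OOXML header
    (share / "traceapp.dll").write_bytes(b"MZ")  # placeholder PE header
    app = Path(base) / "Program Files" / "SomeApp"
    app.mkdir(parents=True)
    (app / "traceapp.dll").write_bytes(b"MZ")  # legitimate location: not flagged
    return base


def run_demo():
    """Build the sample tree, run the sweep and return (dll name, watched?)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        results = find_planted_dlls(tmp)
        for r in results:
            tag = "ADVISORY NAME" if r["named_in_advisory"] else "unexpected DLL"
            print(f"[{tag}] {r['dll']} next to {len(r['documents'])} document(s)")
        return [(Path(r["dll"]).name, r["named_in_advisory"]) for r in results]


if __name__ == "__main__":
    run_demo()
```

Only the copy of traceapp.dll sitting next to invoice.docx is reported; the copy under the application folder is ignored because no documents share that folder. Pointing find_planted_dlls at a file share or a user’s Downloads folder gives a quick list for hashing and vendor lookup.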

50. December 1, Softpedia – (International) Murder video scam circulating on Facebook. Facebook scammers are luring users into signing up for premium rate services with promises of a video showing a guy killing his roommate after playing Black Ops. The new spam messages, which, according to security researchers from GFI Software, are rapidly spreading on the social networking site, read: “TODAY ONE GUY KILLED HER ROOM MATE WHILE PLAYING A BLACK OPS GAME IN NETWORK. LIVE DEATH VIDEO CAUGHT ON CAMERA” Black Ops refers to “Call of Duty: Black Ops,” the seventh installment in the Call of Duty game series, which was just released. This, of course, is just a lure and there is no video of any killing. Clicking on the picture as instructed prompts a permissions request dialog from a rogue Facebook app called “Shock news.” The application wants access to post on people’s walls. Allowing it to do this will cause users to unknowingly send spam from their accounts. The app prompt is followed by a so-called “human authentication” test, which requires people to take an IQ quiz that tries to sign them up for a $9.99 per month SMS service. Source:

51. December 1, Softpedia – (International) New scareware poses as HDD defragmentation tools. Scareware creators have temporarily steered away from the fake antivirus theme they commonly use to put out a new line of rogue programs that pose as defragmentation utilities. According to security researchers from antivirus giant Symantec, these applications started to appear in the latter half of October, but have since increased their prevalence and new variants are now detected on a daily basis. Some of the fake defrag tools observed so far had names like “Ultra Defragger”, “Smart Defragmenter”, “HDD Defragmenter”, “System Defragmenter”, “Disk Defragmenter”, “Quick Defragmenter”, “Check Disk”, or “Scan Disk.” However, despite being named differently, all of them have the same interface. After installation these clones proceed to perform a system scan and, like any scareware application whose purpose is to scare users into buying a license, claim to identify multiple problems. Source:

Communications Sector

52. December 3, – (Florida) 3rd copper theft reported from a Molino tower. For the second time in just over 2 months, copper wiring was stripped from a county-owned radio tower in Molino, Florida. The theft was discovered December 2 at the communications tower, which is located behind the Escambia County Health Department on Highway 29. Each time, the thief removed copper wiring that is part of the tower’s grounding equipment. Radio communications using the tower were not interrupted. In October, a technician for CES Team One Communications, the company that maintains the radio tower for Escambia County, discovered items worth about $3,450 missing from the tower. That theft occurred sometime between September 1 and October 11. On November 22, technicians discovered hundreds of dollars in copper grounding wire missing from the privately owned communications tower adjacent to the Molino Ballpark on Crabtree Church Road. The wiring was part of that tower’s electrical grounding system. There were no reports that any of the services on the tower were disrupted. At least one cellular telephone company serves the Molino area from the tower. Source:

53. December 3, IDG News Services – (International) WikiLeaks downed by domain hosting service. WikiLeaks’ main Web site could not be accessed December 3 through its domain name after a subsidiary of Dynamic Network Services terminated its domain name service. Dynamic Network Services’ subsidiary, EveryDNS.net, terminated the WikiLeaks.org domain name because repeated DDoS (Distributed Denial of Service) attacks against WikiLeaks “have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites,” it said on its Web site. The domain name service termination comes just days after Amazon Web Services stopped hosting WikiLeaks on its servers for breaking user rules saying that Web sites must use their own content and not carry data that might injure others. The U.S. Senate Homeland Security and Governmental Affairs Committee had also asked Amazon to stop hosting the controversial Web site. Source:

54. December 3, KTLA 5 Los Angeles – (California) Internet restored to majority of Time Warner customers. Time Warner said Internet service has been restored to a “vast majority” of customers who were affected by a statewide outage in California December 2. Around 5 p.m., customers from Northern California to San Diego started reporting problems. Engineers were able to fix the problem just before 8:30 p.m. A company spokesperson apologized for the inconvenience and said the cause of the outage is under investigation. Time Warner Cable is the second-largest cable operator in the United States with more than 14 million subscribers. Source:

55. December 2, KHON 2 Honolulu – (Hawaii) Oceanic phone customers experience state-wide service outage. Oceanic telephone customers experienced a state-wide service outage in Hawaii December 2, according to a recorded message on Oceanic’s information line. The recording also said services for some cable television and Internet customers have been affected as well. Customers called into the KHON2 newsroom, complaining their calls to Oceanic were met with a busy signal. Oceanic officials have not said when service will be completely restored. Source:

56. December 1, Softpedia – (International) Polymorphic injection attack targets WordPress blogs. Security researchers have identified a sophisticated mass injection attack that uses polymorphic obfuscation and so far has targeted WordPress blogs at a U.S.-based hosting provider. According to a principal virus researcher at Sophos, the attacks began in the middle of November, and they all seem to affect Web sites running the popular blogging platform. Successful infection results in one or several .php files being dropped on the Web server in multiple WordPress directories. However, despite the .php extension, these rogue files actually contain malicious JavaScript code obfuscated with a technique that makes every copy unique. In the security world this is known as polymorphic code and is used to evade antivirus software and intrusion detection systems. The second step of the attack is to inject code into legitimate .js files used by WordPress, such as the jQuery library, so that the .php files are loaded along with them. Finally, when the obfuscated JavaScript reaches the pages parsed by visitors’ browsers, it generates a hidden element. This element is meant to load malicious content from remote servers in an attempt to infect computers with malware. Source:
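Polymorphic obfuscation defeats signature matching, but the item above leaves two artefacts that do not change between copies: .php files that carry JavaScript instead of PHP, and legitimate .js libraries whose contents no longer match a clean install. The following scanner is an added example written for this report, not Sophos’s or WordPress’s code; it assumes a SHA-256 baseline taken from a known-clean copy of the site, and the directory layout, the JavaScript marker list and the inert stand-in payload are all constructed for the demonstration.

```python
"""Integrity scan for the WordPress injection pattern described above.

Added example, not project code. Two checks, each independent of how the
payload is obfuscated:
  1. a .php file that contains browser-side JavaScript constructs but never
     opens a PHP tag (the dropped payload files);
  2. a .js file whose SHA-256 differs from a clean baseline (the loader
     injected into legitimate libraries such as jQuery).
The sample site and the "payload" below are constructed and inert.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructs a PHP file on a blog has no reason to contain outside PHP code;
# the list is an assumption and should be tuned to the site.
JS_MARKERS = re.compile(
    r"document\.(createElement|write)|String\.fromCharCode|unescape\(|"
    r"\beval\(|\.appendChild\(|\.style\.display\s*=\s*['\"]none"
)
PHP_OPEN_TAG = re.compile(r"<\?(php\b|=)")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Hash every .js file under root; take this from a known-clean copy."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*.js")}


def scan(root, js_baseline):
    """Return sorted (kind, relative_path) findings for the tree at root."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.suffix == ".php":
            text = p.read_text(errors="replace")
            if JS_MARKERS.search(text) and not PHP_OPEN_TAG.search(text):
                findings.append(("js_in_php", rel))
        elif p.suffix == ".js":
            expected = js_baseline.get(rel)
            if expected is None:
                findings.append(("unbaselined_js", rel))  # new library: review it
            elif sha256_file(p) != expected:
                findings.append(("modified_js", rel))
    return sorted(findings)


def build_clean_site(base):
    """Constructed minimal WordPress-like layout."""
    jq = Path(base) / "wp-includes" / "js" / "jquery" / "jquery.js"
    jq.parent.mkdir(parents=True)
    jq.write_text("/*! jQuery stand-in */\nwindow.jQuery = function () {};\n")
    idx = Path(base) / "wp-content" / "index.php"
    idx.parent.mkdir(parents=True)
    idx.write_text("<?php\n// Silence is golden.\n")


def infect_site(base):
    """Constructed, inert imitation of the two artefacts: an appended loader
    in jquery.js and a .php file holding JavaScript with no PHP tag."""
    jq = Path(base) / "wp-includes" / "js" / "jquery" / "jquery.js"
    with open(jq, "a") as fh:
        fh.write("document.write('<script src=\"/wp-content/uploads/cache.php\"></script>');\n")
    dropped = Path(base) / "wp-content" / "uploads" / "cache.php"
    dropped.parent.mkdir(parents=True)
    dropped.write_text("var e=document.createElement('div');e.style.display='none';\n")


def run_demo():
    """Baseline a clean site, infect it, scan; return (clean, infected) findings."""
    with tempfile.TemporaryDirectory() as site:
        build_clean_site(site)
        base = baseline(site)
        clean = scan(site, base)
        infect_site(site)
        infected = scan(site, base)
        for kind, rel in infected:
            print(f"{kind:15s} {rel}")
        return clean, infected


if __name__ == "__main__":
    run_demo()
```

The clean scan returns nothing; after the imitation infection the scanner reports the dropped file under wp-content/uploads as JavaScript-in-PHP and jquery.js as modified relative to the baseline, without needing any signature for the obfuscated payload itself. On a real site the baseline should be generated from a fresh download of the same WordPress and plugin versions, not from the possibly compromised host.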