Friday, December 10, 2010

Complete DHS Daily Report for December 10, 2010

Daily Report

Top Stories

• The Arizona Republic reports that a new study found Arizona experienced the nation’s worst outbreak of West Nile virus in 2010, accounting for nearly one in five severe cases in the nation. (See item 32)

32. December 9, Arizona Republic – (Arizona) Arizona experiences worst outbreak of West Nile in U.S. A new report shows Arizona experienced the nation’s worst outbreak of West Nile virus during this year’s season, accounting for nearly one in five severe cases. A total of 159 confirmed cases were reported in Arizona through November 30, according to the Centers for Disease Control (CDC) in Atlanta. At least a dozen Arizonans died. State officials updated the count December 2, reporting 163 cases. Arizona had nearly 20 percent of the nation’s neuroinvasive-disease cases. The disease attacks the nervous system and can lead to life-threatening West Nile encephalitis and West Nile meningitis. The spike in Arizona was so severe CDC officials visited in September to study the outbreak. It was mainly concentrated in Gilbert, Chandler, and Tempe, as well as in Pinal County. The CDC is still analyzing the data. Scientists were surprised to see Arizona’s urban desert region lead the nation in cases, considering West Nile was thought to be more prevalent in mosquito-rich environments, the manager for the Arizona Department of Health Services’ vector-borne disease program said. Source:

• Flooding forced the closure of the Panama Canal December 8 for the first time in 21 years, and heavy rains were being blamed for at least eight deaths, according to the Associated Press. (See item 54)

54. December 9, Associated Press – (International) Panama Canal closed for 1st time in 21 years. Flooding forced the closure of the Panama Canal December 8 for the first time in 21 years, and heavy rains were being blamed for at least eight deaths. More than 1,000 people in Panama were evacuated because of what authorities called historic flooding caused by record rainfall. The president said it was the first time the canal was closed because of weather since it opened in 1914. The last time the canal closed was December 20, 1989, when U.S. troops invaded the country to topple its president. The country’s civil protection system put eastern Panama on high alert and issued evacuation orders for about 1,500 people in dozens of flooded neighborhoods. About 50 people in two communities were ordered to leave their homes and residents near the Chagres river were told to be on alert. The canal was closed after water overflowed the banks of lakes Gatun and Alajuela, which supply the canal. Authorities said they have opened the floodgates for both lakes. About 5 percent of the world’s naval commerce moves through the canal, and the U.S. is its main user. Source:


Banking and Finance Sector

11. December 9, IDG News Service – (International) Group used 30,000-node botnet in MasterCard, PayPal attacks. PayPal’s Web site was hit December 8 by two botnets as online activists continued their Web attacks on companies that have severed their relationships with WikiLeaks. The activists have recruited volunteers, who have banded their computers into a distributed denial of service (DDoS) botnet, but they are also using hacked machines to carry out these attacks, said a threat researcher at Panda Security. This botnet infects computers via peer to peer filesharing systems, but it can spread via Microsoft Messenger and USB sticks as well, he said. The address was unresponsive into December 9. “There have been attempted DDoS attacks on this week,” said a company spokesman. “The attacks slowed the Web site itself down for a short while, but did not significantly impact payments.” PayPal’s blog had been hit earlier in the week, but the main Web site was down for at least several hours December 8, and was affected too, although less seriously. Unlike Visa and MasterCard, the Web site is critical to PayPal’s business. Customers need the Web site to send money to other PayPal users. Source:

12. December 9, Softpedia – (International) New PayPal phishing campaign in circulation. A new wave of PayPal phishing e-mails carrying a fake form allegedly intended for account information update purposes has been hitting people’s inboxes since December 8. The rogue e-mails purport to come from “” and bear a subject of “Your account has been temporarily limited !” The body contains the PayPal logo and a message instructing users to fill in and submit the attached form. The attached archive is called and contains a file called PayPal.com_Account_Confirmation_Form.pdf.html. The double extension is meant to trick users on operating systems automatically hiding the known file extensions, like Windows Vista and 7, into thinking the file is a PDF document. When opened, the HTML displays a page that mimics the look and feel of the PayPal Web site and displays a form asking for personal and credit card information. The IP address suggests the server where phished information is stored is located in Iran. Source:
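The double-extension trick in item 12 works because Explorer hides the last, known extension and shows only what precedes it. The following added example (not part of the report or of any vendor's tooling) reconstructs what a user would see for a given attachment name and flags names where a document-looking extension sits in front of an active one; the extension lists and sample filenames are constructed for the example, with the one filename taken from the item above.

```python
import os

# Extensions a user expects to open as a passive document or image
# (constructed list for this example, not taken from the report).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                 "jpg", "jpeg", "png", "gif", "txt", "rtf"}
# Extensions that run code or render active content when double-clicked
# (constructed list; html/htm are included because of the case above).
ACTIVE_EXTS = {"html", "htm", "exe", "scr", "js", "jse", "vbs", "vbe",
               "bat", "cmd", "pif", "com", "hta", "lnk", "wsf"}


def analyze_attachment_name(path: str) -> dict:
    """Compare the extension a user sees with the one that decides how the
    file opens.  With 'Hide extensions for known file types' enabled, Windows
    drops the final extension, so 'form.pdf.html' is displayed as 'form.pdf'."""
    name = os.path.basename(path.replace("\\", "/"))
    parts = name.lower().split(".")
    # Everything after the first dot is treated as the extension chain.
    exts = parts[1:]
    if not exts:
        return {"name": name, "displayed": name, "opens_as": "",
                "suspicious": False}
    opens_as = exts[-1]
    # What Explorer shows once the known final extension is hidden.
    displayed = name[: -(len(opens_as) + 1)] or name
    shown_ext = exts[-2] if len(exts) >= 2 else ""
    suspicious = shown_ext in DOCUMENT_EXTS and opens_as in ACTIVE_EXTS
    return {"name": name, "displayed": displayed, "opens_as": opens_as,
            "suspicious": suspicious}


def flag_attachments(names):
    """Return the names that put a document-looking extension in front of an
    active one, the pattern used by the PayPal form described above."""
    return [n for n in names if analyze_attachment_name(n)["suspicious"]]


if __name__ == "__main__":
    # Constructed sample of attachment names; the first is the one in item 12.
    SAMPLE = ["PayPal.com_Account_Confirmation_Form.pdf.html",
              "invoice_2010-12.pdf", "photo.jpg.exe", "backup.tar.gz",
              "Account_Update.doc", "statement.PDF.scr"]
    for n in SAMPLE:
        r = analyze_attachment_name(n)
        print(f"{str(r['suspicious']):5} shown={r['displayed']!r} "
              f"opens_as={r['opens_as']}")
```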

13. December 9, Associated Press – (Texas) Four arrested for theft of $100,000 by fraudulent credit card ring. A credit card fraud investigation in the Tyler, Texas, area involving hundreds of accounts has led to the indictment of four suspects over losses topping $100,000. Tyler police said investigators believe the fraud targeted individuals and businesses. Law officers December 8 announced a federal grand jury indicted each suspect on eight counts, including access device fraud and conspiracy. Investigators said one suspect worked at a restaurant and fraudulently obtained hundreds of credit card numbers through an access device. An August 18 search of a Malakoff residence led to the seizure of computers, counterfeit credit card making equipment, and hundreds of bogus cards. Police announced the arrest of three suspects. A fourth was sought. Source:

14. December 8, Computerworld – (International) MasterCard SecureCode service impacted in attacks over WikiLeaks. The attacks against MasterCard by WikiLeaks supporters that knocked the credit card company’s Web site offline December 8 may have caused more problems than previously thought. MasterCard has so far said publicly only that its corporate Web site experienced availability issues as a result of a sustained distributed denial of service (DDoS) attack against the site. In a statement December 8, the company said it was making progress addressing the issue and that no customer transactions were affected. It now appears the company’s SecureCode service for secure online transactions was also affected. It is not clear, however, whether the SecureCode problems were caused by Anonymous, the group that knocked MasterCard’s corporate site offline after the attacks began about 4 a.m. In multiple bulletins to transaction processing companies, the company said MasterCard and Maestro transactions could not be processed via SecureCode because of a service disruption to the MasterCard Directory Server. The server has since been failed over to a secondary site, but customers could still experience intermittent connectivity issues, MasterCard said. It did not offer a timetable for when it hopes to restore full service. Source:

15. December 8, Visalia Times-Delta – (California) Tulare bank robbery suspect held. A man who walked into a Dinuba, California, Rabobank branch December 7 was detained by police as a suspect in the robbery of another Rabobank earlier that day in Tulare. The robbery, at 9:49 a.m., involved a man with a gun who walked into the bank at 2005 E. Prosperity Ave. in the Market Place shopping center. Police reported the robber was well-dressed with a goatee, 6 feet tall, weighing about 200 pounds. He approached a teller and demanded money. After getting the money, the robber — wearing a casual dress jacket, a turtleneck shirt, dress pants, and a driving cap — walked out. In the parking lot, he got into a blue Mazda 3 sedan and drove away, said a Tulare police sergeant. At about 4 p.m., Dinuba police received a report that a man matching the description of the robber walked into the Rabobank at 130 E. Tulare St. Although the man did not attempt to rob that branch, “The tellers saw him and he matched the pictures” circulated by the bank of the Tulare robber, a Dinuba police sergeant said. Source:

16. December 7, Softpedia – (National) Chase merchant customers targeted in new phishing campaign. Security researchers warn of a new e-mail phishing campaign targeting customers of JPMorgan Chase’s payment processing and merchant services, Chase Paymentech. According to researchers from messaging security company AppRiver, the e-mails began hitting people’s in-boxes at an aggressive rate December 7. The message claims account information must be updated and provides users with a link to a phishing page. The page is hosted on domains of the form, whose names are close to the real A message on the fake page reads: “Welcome back! You may notice some changes to your login page, but your login process is still the same. We have made updates on our end in order to ease usability and maximize functionality.” If users input their usernames and passwords, they are taken to a form that asks for a wealth of personal information. Since Chase Paymentech is the payment processing and merchant services arm of JPMorgan Chase, it means that unlike most phishing attacks, this one targets businesses. Source:

17. December 7, Daytona Beach News-Journal – (Florida) Police: Career robber picks Daytona Beach bank. A career bank robber with a sudden penchant for Daytona Beach, Florida, tried to rob the Wachovia Bank on West International Speedway Boulevard December 7, police said. The suspect, who was released from federal prison in Marion County 11 days ago, arrived in the city December 3. The robbery suspect entered the Wachovia across the street from Mainland High School, and told a bank official he had a bomb in his briefcase, police said. The robber presented the bank employee with a three-page letter. While he was talking to the employee, though, a teller on break in another room overheard the entire conversation and called 9-1-1. When police arrived at the bank just before 11 a.m., they met the suspect as he was walking out the front door with a satchel filled with money in hand. Source:

Information Technology

42. December 9, Help Net Security – (International) Fake Facebook toolbar leads to malware. A new e-mail campaign initiated by spammers tries to take advantage of Facebook changes and lure users into downloading malware. This latest spam run offers a “Facebook toolbar”. If the e-mail looks familiar, it is because it is identical to one used in a spam campaign more than half a year ago, when the offered file presented a veritable jumble of incongruous information. This time, the “Download Here” button takes the victim to a Web site where an automatic download of a file called fb.exe is started. According to Trend Micro researchers, it contains several component files, among which is a backdoor Trojan that installs an IRC client on the infected machine. Source:

43. December 9, IDG News – (International) Fake receipt program targets Amazon retailers. Amazon retailers are being targeted by fraudsters who have created a custom-built program that generates fakes receipts for nonexistent orders, according to researchers from GFI Software. The program is designed to create a customized HTML file that closely resembles an actual receipt, wrote the senior threat researcher. A fraudster can fill out the date, item, price, order number, and address among other information. Users also have the option of selecting specific Amazon portals, including “.com,” “,” “.fr,” and “.ca.” When the “generate” button is clicked, a file is placed in the computer’s program folder which is nearly identical to the “printable order summary” on a legitimate receipt. The scam relies entirely on social engineering, with the fraudster hoping a vendor will be tricked into thinking a product was sold. Source:

44. December 9, Softpedia – (International) Firefox and Opera drop WebSocket support over security issues. Mozilla and Opera developers plan to disable WebSocket support in Firefox 4 and Opera 11 because the protocol has been proven vulnerable to attacks. The security issue was discovered by researchers and was documented in a paper released at the end of November. The attacks are the result of transparent proxies not properly understanding the semantics of the Upgrade-based WebSocket handshakes and treating the final bytes as valid HTTP requests. “This is a serious threat to the Internet and Websocket and not a browser specific issue. The protocol vulnerabilities also affect Java and Flash solutions,” wrote a Mozilla Developer Evangelist on the Mozilla Hacks blog. “In a web environment that could for example mean that a widely used JavaScript file – like Google analytics – could be replaced on a cache you go through with a malware file,” he explained.


45. December 9, PRWeek – (International) Twitter and Facebook shut down hackers. Facebook and Twitter were the latest organizations to find themselves in the middle of the WikiLeaks saga. Hackers used the two social media outlets December 8 to organize attacks on companies that severed relationships with WikiLeaks. MasterCard, Visa, and PayPal sites were all attacked. Facebook was the first to respond by banning one of the pages of “Operation Payback.” Twitter later disabled the Operation Payback account. The dilemma highlights the push and pull between free speech and business interests as the two social media companies look to implement advertising business models. Facebook issued a statement that said it will “take action on content that we find or that’s reported to us that promotes unlawful activity.” A Twitter spokesman said it does not comment on specific actions related to user accounts. Source:

46. December 8, Computerworld – (International) Feds charge two EMC employees with stealing more than $1M in equipment. Federal prosecutors charged two men December 8 with stealing more than $1 million in high-tech equipment from EMC facilities in Massachusetts and North Carolina and trying to sell it over the Internet. Prosecutors charged one individual, 33, from North Carolina, and another, 47, from Brockton, Massachusetts, as well as a Hanover, Massachusetts, company called BL Trading LLC with wire fraud and with selling, receiving, or transporting stolen property in interstate commerce. The individual from North Carolina was also charged with aggravated identity theft. BL Trading is a 23-year-old computer equipment reseller that, in addition to working with other vendors, distributes EMC storage hardware and software products. Its Web site states it has “the largest inventory of pre-owned [EMC] Clariion parts in the Northeast.” Clariion is EMC’s midrange line of data storage systems. BL Trading also resells products for Dell, Hewlett-Packard, IBM, Brocade Communications Systems, QLogic, and Emulex. Source:

47. December 8, Softpedia – (International) Instant messaging worm can speak many languages. Security researchers from Symantec warn a new worm spreading via instant messaging applications is capable of targeting users in 20 different languages. The code of the worm, which is detected as W32.Yimfoca.B, contains a routine that checks for the location of the user and sends spam in the appropriate language. If the location scan result is not on a hardcoded list of 44 countries, the malware falls back to English messages, which can read “seen this? [link]” or “this is the funniest photo ever! [link].” In addition to spreading by spam through Google Talk, ICQ, MSN Messenger, Paltalk, Skype, Xfire, or Yahoo! Messenger, the worm also infects removable USB drives inserted into the computer. The malware installs itself under Application Data as a file named jutched.exe, a slight name variation from jusched.exe, the legit Java update scheduler component. The worm is used as a distribution platform for other malware, possibly as part of a pay-per-install scheme, so users who fall victim to the IM social engineering attacks will likely have multiple malware infections. Source:

Communications Sector

48. December 8, WEWS 5 Cleveland – (Ohio) Power hit takes WEWS NewsChannel5 off the air. A power outage at the WEWS NewsChannel5 studios in Cleveland, Ohio, knocked the station off the air December 8. The power hit happened at about 5:02 p.m. The station’s engineers worked to get everything back online by about 5:07 p.m. It is not clear yet whether weather caused the outage, but the issue appears to be isolated to the WEWS studios at East 30th Street and Euclid Avenue. The signal and power were restored about 15 minutes later. Source:

49. December 8, Softpedia – (International) Vulnerable shared hosting platforms responsible for most BHSEO compromised Websites. An analysis of compromised Web sites used in black hat SEO campaigns, performed by cloud security vendor Zscaler, suggested weaknesses in shared hosting platforms are the most common attack vector. The Zscaler researchers inspected about 1,100 Web sites hijacked by spammers and used to redirect visitors to scareware Web sites. Such compromises usually result in rogue PHP pages, with content related to hot search topics, being uploaded to the Web servers. These pages get indexed by search engine crawlers and appear in search results; when users try to visit them, however, they get redirected to malicious sites pushing fake antivirus software. When looking at the compromised Web sites, the researchers were surprised to find that only 15 percent of them were built using popular open source content management solutions like WordPress, Joomla!, or osCommerce. In fact, many were static Web sites created with plain HTML, JavaScript, and images. Under these circumstances, the possibility of them being hacked via SQL injection or other vulnerabilities that require server-side scripting is out of the question. Other possible methods are compromised FTP credentials, lifted from computers infected with malware, or weaknesses on shared hosting servers that allow, for example, neighborhood spying. “The second possibility is the most likely. There have been mass-infections reported in the past for GoDaddy, BlueHost, Dreamhost, etc.,” a senior security researcher at Zscaler wrote. Source: