Thursday, July 28, 2011

Complete DHS Daily Report for July 28, 2011

Daily Report

Top Stories

• Trusteer reports the SpyEye bank-code stealing botnet doubled in size, reaching financial institutions in many more countries, according to IDG News Service. See item 23 below in the Banking and Finance Sector

• One of two remaining intact levees in Holt County, Missouri, is in danger of collapse and releasing flood waters on the town of Forbes and 10,000 acres of farmland, WDAF 4 Kansas City reports. (See item 61)

61. July 26, WDAF 4 Kansas City – (Missouri) Missouri River still threatens Holt County levees. Water levels along the flood-swollen Missouri River have begun to drop, but the danger is not over for parts of northwest Missouri, where flood waters threaten one of the two remaining intact levees in Holt County, WDAF 4 Kansas City reported July 26. In Fortescue, north of St. Joseph, the population shrank from 51 to 2 due to flooding. Many corn fields in the area died after being underwater, and the remaining roads are largely unused. Levee Number 7 was in danger of collapse as crews have been working since the weekend of July 23 and 24 to repair a 50-foot hole gouged out by the river, with an additional 300 feet of damage on either side of the hole. The levee protects the town of Forbes and roughly 10,000 acres of farmland. "Found it 11 o'clock [July 23] morning, and started delivering rock by 8 o'clock that night," said one levee worker. Truckloads of rock were being dumped into the hole to save the levee. Source:


Banking and Finance Sector

19. July 26, Bloomberg – (International) TD Bank sued by trustee liquidating Rothstein law firm. Toronto-Dominion Bank (TD) was sued July 25 by the bankruptcy trustee liquidating Rothstein Rosenfeldt Adler PA for allegedly assisting in a $1.2 billion Ponzi scheme run by the Florida law firm’s former chairman. The chairman pleaded guilty in January 2010 to five counts of racketeering, money laundering, and wire fraud, admitting he sold investors interests in bogus settlements in fake sexual-harassment and whistleblower cases. The bank’s authorized agents let the man use its name, facilities, and accounts to deceive investors, the trustee said. He accused the bank of ignoring “red flags” and letting the lawyer open accounts and transfer “huge sums” of money among them. “TD Bank played a central role in this massive fraud by giving [his] settlement program the appearance of legitimacy,” the trustee said in a filing July 25 in U.S. Bankruptcy Court in Fort Lauderdale, Florida. The firm collapsed after other attorneys there said they found evidence their chairman was running an illegal side business. TD Bank was a “linchpin” in the scheme and disregarded numerous red flags, including hundreds of millions of dollars that moved out of law firm trust accounts, investors said in a complaint filed November 2009 in Florida state court. The investors accused the bank of breach of fiduciary duty, aiding and abetting fraud, and negligent misrepresentation. The investors, with more than $150 million in losses, seek “extensive relief” from the chairman and 27 co-conspirator defendants, according to court papers. Source:

20. July 26, Associated Press – (International) Ex-investment manager, known as Wall Street 'bad boy,' convicted of fraud. A former investment manager known as Wall Street's "bad boy" was convicted July 26 of defrauding U.S. and European investors of $140 million, promising them rich returns while blowing their money on a lifestyle that included private jets, home renovations, prostitutes, strippers, and classy London hotels. The verdict convicted him of conspiracy and securities fraud charges. The jury also convicted a co-defendant from Miami, Florida. The convicted fraudster was the former chief executive officer of the brokerage firm Sky Capital, which had offices in London, New York, Florida, and New Jersey. His co-defendant was a senior broker for the firm. The top charge, securities fraud, alone carries a potential sentence of up to 20 years in prison. Prosecutors portrayed the two defendants as con men, saying they capitalized on the excitement over Internet tech stocks by using their broker-dealer operation to solicit private investments in start-ups. Prosecutors said the defendants spent some of the investor money living lavishly with private jets, expensive vacations, fancy cars, and flashy watches. They said the men manipulated the value of stocks they sold to investors by paying brokers 400 percent commissions to promote the stocks. The scheme came to an end when one of the brokers was caught lying to an FBI undercover officer. Source:

21. July 26, KOMO 4 Seattle – (International) Police capture woman wanted in major ATM 'skimming' operation. Police may have cracked part of a major identity theft ring July 24 after a woman was caught placing a card "skimmer" on a bank ATM in Lynnwood, Washington. The 42-year-old woman was booked into jail for investigation of 20 counts of identify theft, and investigators said she is suspected in hundreds of similar cases, and has ties to an international organized crime group. According to court documents, an investigator with Chase Bank spotted the woman placing the skimmer on an ATM. Investigators said security camera video from the ATM showed the woman installing the skimmer. The bank investigator recognized the woman from numerous surveillance videos taken from ATMs affixed with skimmers from California to Mount Vernon, Washington, according to the documents. The woman is also the subject of a federal investigation into skimming and ID theft, and the Secret Service was called to interview her at Lynnwood police headquarters. In a statement of probable cause, police wrote the Secret Service believes the suspect has ties to organized crime in Romania, and is a flight risk if released. Chase has been investigating the woman since February, and has her on video placing skimmers on eight ATMs in the area, the court documents said. Those skimmers allegedly recorded the account information of at least 320 people. The bank investigator estimated the losses from the skimming at about $34,000. Source:

22. July 26, Associated Press – (Connecticut) Conn. man pleads guilty to swindling churchgoers. A Connecticut securities broker pleaded guilty July 26 to charges he swindled investors, including members of a Greek Orthodox church, out of more than $8 million. Federal authorities said the 51-year-old Easton man pleaded guilty to fraud and money laundering charges in U.S. district court in New Haven. Prosecutors said the man convinced officials and some parishioners at St. Barbara Greek Orthodox Church in Orange that he was an investment manager, and misrepresented his successes. Prosecutors have said church members lost retirement and college funds. Authorities said he used the money to support his auto racing businesses, and for personal bills. He will be sentenced in October. Source:

23. July 26, IDG News Service – (International) SpyEye Trojan defeating online banking defenses. Banks are facing more trouble from SpyEye, a piece of malicious software that steals money from people's online bank accounts, according to new research from security vendor Trusteer. In its latest versions, SpyEye has been modified with new code designed to evade the advanced systems banks have put in place to block fraudulent transactions, said Trusteer's chief executive officer (CEO). Banks are now analyzing how a person uses their site, looking at parameters such as how many pages a person looks at, the amount of time a person spends on a page, and the time it takes a person to execute a transaction. Other indicators include IP address, such as when a person who normally logs in from the Miami, Florida area suddenly logs in from St. Petersburg, Russia. SpyEye works fast, and can automatically initiate a transaction much faster than an average person manually using the Web site, which provides a key trigger for banks to block a transaction. So SpyEye's authors are now trying to mimic — albeit in an automated way — how a real person would navigate a Web site. Trusteer has also noticed that SpyEye in recent months has expanded the number of financial institutions it is able to target in an increasing number of countries. New target countries include Russia, Saudi Arabia, Bahrain, Oman, Venezuela, Belarus, Ukraine, Moldova, Estonia, Latvia, Finland, Japan, Hong Kong, and Peru. What that means is that more criminal groups around the world are purchasing the SpyEye toolkit, Trusteer's CEO said. SpyEye is a botnet with a network of command-and-control servers hosted around the world. As of July 26, 46 command-and-control servers were online, according to SpyEye Tracker, a Web site dedicated to gathering statistics about the malicious software. In May, there were just 20 or so active servers responding to computers infected with SpyEye, said the site's administrator. Source:

Information Technology Sector

48. July 27, H Security – (International) ICQ vulnerable to account theft. In security advisories for ICQ and the ICQ Web site, a security researcher warned that the ICQ instant messenger for Windows and the ICQ Web site contain vulnerabilities that potentially allow attackers to take control of a user's ICQ account. According to the researcher, ICQ does not adequately check users' profile information and fails to properly analyze status messages, which can be freely chosen by users, to see if they contain executable code. He recently discovered a similar hole in the Skype client. If the victim opens the attacker's profile in the ICQ client or on the ICQ Web site, the embedded JavaScript code stored on the ICQ server will be executed. This can allow attackers to steal victims' cookies and take control of their sessions. The script code appears to be executed in a local context; therefore, attackers can potentially also execute applications and read the user's local files. Such an attack is called a persistent cross-site scripting attack: the attacker manages to place JavaScript code on a server that will be executed on the victim's machine when a particular Web site is visited or a particular application is used. Source:

49. July 27, H Security – (International) Vulnerability in Samba SWAT tool. A cross-site request forgery vulnerability and a related cross-site scripting vulnerability in the SWAT administration tool of the Samba SMB/CIFS and Windows interoperability software triggered the release of updates for versions 3.3, 3.4, and 3.5 of the software. With the request forgery problem, an attacker could trick an authenticated user into clicking a manipulated URL on a different Web page and gain control of SWAT. If that user is authenticated as the root user on the system, it is possible to start or stop the service and add or remove shares, printers, or user accounts. The SWAT tool has to be installed and enabled, as either a stand-alone server or an Apache CGI plug-in, to be vulnerable. By default, SWAT is neither installed nor enabled. The cross-site scripting vulnerability only exists if the request forgery problem is not fixed, and allows an attacker to insert arbitrary content into the user field of the change password pages of SWAT. Source:

50. July 27, Softpedia – (International) osCommerce mass injection attack infects over 90K pages. Security researchers from Armorize came across a new mass injection attack targeting osCommerce Web sites that has already infected more than 90,000 pages. Attackers began by injecting a hidden iframe pointing to a malicious URL, but later switched to a rogue script element that loads a rogue JavaScript file from an external domain. The injected code does not appear to be obfuscated, so searching for it on Google revealed more than 90,000 hits, indicating the attack is widespread. Both versions of the injection take visitors through several redirects until landing them on a page that loads exploits for vulnerabilities in browser plug-ins and popular applications. This type of attack, known as a drive-by download, is very dangerous because it requires no user interaction and there is usually little to no indication that something malicious has happened. According to the Armorize researchers, this attack exploits vulnerabilities in Java (CVE-2010-0840 and CVE-2010-0886), Adobe Reader (CVE-2010-0188), Internet Explorer (CVE-2006-0003), and Windows XP (CVE-2010-1885). Since these vulnerabilities are relatively old, users who keep their software and operating system up to date should be protected against the attack. Source:
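As an added defender's example (not code from the Armorize report or the article), a small Python scanner that flags the two injection shapes item 50 describes: a hidden iframe and a script element loaded from a foreign domain. The site host name and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed host of the site being scanned; anything else counts as foreign.
SITE_HOST = "shop.example.com"


class InjectionScanner(HTMLParser):
    """Collects (tag, src) pairs for hidden iframes and foreign script tags."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def _foreign(self, url):
        # Relative URLs have no host and are treated as local.
        host = urlparse(url).hostname
        return host is not None and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or a.get("width") in ("0", "1") or a.get("height") in ("0", "1"))
            if hidden or self._foreign(a.get("src") or ""):
                self.findings.append(("iframe", a.get("src")))
        elif tag == "script" and a.get("src") and self._foreign(a["src"]):
            self.findings.append(("script", a["src"]))


def scan(html, site_host=SITE_HOST):
    """Return the list of suspicious iframe/script elements found in html."""
    parser = InjectionScanner(site_host)
    parser.feed(html)
    return parser.findings


# Constructed sample page: one legitimate script and iframe, one of each injected.
SAMPLE = """<html><head>
<script src="https://shop.example.com/js/cart.js"></script>
<script src="http://cdn.invalid/loader.js"></script>
</head><body>
<iframe src="http://bad.invalid/in.php" style="display: none" width="1" height="1"></iframe>
<iframe src="https://shop.example.com/help"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, src in scan(SAMPLE):
        print(f"suspicious {kind}: {src}")
```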

51. July 26, The Register – (International) Kit steals Mac login passwords through FireWire port. Software maker Passware released a program that quickly recovers log-in passwords from Macs, even when running Apple's new OS X Lion, that have been locked, put into sleep mode, or have FileVault disk encryption turned on. Passware Kit Forensic v11 works by capturing a Mac's computer memory over FireWire and extracting any log-in passwords that happen to be stored there. The package takes only a few minutes to work, and can also extract passwords stored on a Mac's keychain. The program exploits the peer-to-peer characteristic of the FireWire design, which allows any connected device to read and write to any other connected device. As a result, anything stored in a Mac's memory is accessible. Source:

Communications Sector

52. July 27, KMTR 16 Springfield – (Oregon) Phone service restored, suspect arrested. A man stealing wire from telephone lines was probably the cause of a telephone outage for about 1,000 residents of the Junction City, Oregon area July 26, according to the Lane County Sheriff’s Office. Phone service was restored by the evening of July 26 for most customers. Around 11:30 p.m., deputies investigating a report of a suspicious vehicle in a remote area of Bureau of Land Management land found a man who was apparently preparing to alter the appearance of some wire to make it easier to sell as scrap. Deputies arrested the 45-year-old man, and he was taken to jail on suspicion of theft, criminal mischief, and possession of methamphetamine. Source:

53. July 26, WKTV 2 Utica – (New York) Severe weather knocks Galaxy radio stations off the air. Galaxy Communications radio stations were off the air due to damage from severe weather the afternoon of July 26 that swept through Oneida County in New York. According to a spokesperson for the group of radio stations, WOUR, WKLL (KRock), WUMX (Mix 102.5), and ESPN Radio (WTLB, WIXT, WRNY) were all off the air. It was also reported that Galaxy's facilities on Kellogg Road in Washington Mills suffered minor damage following the storm. The company said that all of its radio stations were expected to return to the airwaves the evening of July 26. Source:
