Monday, April 4, 2011

Complete DHS Daily Report for April 4, 2011


Top Stories

• Associated Press reports a U.S. Congressman said Mexican drug cartel members threatened to kill U.S. agents working on the American side of the border in March. (See item 44)

44. March 31, Associated Press – (International) Texas rep says drug cartels threatening US agents. Mexican drug cartel members threatened to kill U.S. agents working on the American side of the border in March, a U.S. Congressman from Texas said March 31. The Republican said a law enforcement bulletin was issued in March warning that Mexican gangsters were overheard plotting to kill Immigration and Customs Enforcement agents and Texas Rangers stationed along the border. The Congressman did not identify which cartels or what agency issued the bulletin. The executive director of the Texas Border Sheriff’s Coalition said threats against American law enforcement officials along the border are nothing new. The latest bulletin warned of a plot to shoot at the agents with AK-47 assault rifles from the Mexican side of the border into the United States. The executive director said he could not comment on the specific threat the Congressman mentioned, but said it was proof that a serious security threat remains along the border. Members of Congress have asked the Presidential administration to get what they call “operational control” of the Mexican and Canadian borders. But they define that as meaning no “unlawful entries into the United States,” including drugs, terrorists, and illegal immigrants, a definition DHS has said is unrealistic. Source:

• According to TG Daily, more than 1 million Web pages have been compromised by a cyberattack that suddenly ramped up in 1 day to become one of the biggest mass-injection attacks ever seen. (See item 45 below in the Information Technology Sector)


Banking and Finance Sector

15. April 1, Associated Press – (Florida) SEC claims Fla. couple ran $30M Ponzi scheme. The Securities and Exchange Commission (SEC) claims in a lawsuit a Florida couple ran a $30 million Ponzi scheme involving fake foreign currency investments. The SEC lawsuit was filed the week of March 28 in federal court in Fort Lauderdale against the two suspects. They ran a group of companies under the name MRT or Maximum Return Transaction. SEC said the couple told investors their money was used to trade in foreign currency or invest in foreign products. Instead, the lawsuit said most of the money went to pay off older investors in classic Ponzi fashion or fund a lavish lifestyle for the couple. SEC is seeking to force the couple to forfeit ill-gotten gains. Source:

16. March 31, Burlington County Times – (Ohio) Suspected bank bandit arrested in Burlington City. A man suspected of robbing several Ohio banks was arrested in Burlington City, New Jersey, minutes after the FBI had notified the department the suspect was possibly in the area, police said. According to investigators, the 38-year-old man of Hamilton, Ohio, was wanted by the FBI and Ohio authorities for 4 bank robberies. The FBI notified Burlington City police March 31 the man, who has family in the county, was believed to be in the area. A short time later, officers with the department’s special enforcement unit spotted the suspect at a bus stop at the corner of West Federal and High streets and took him into custody without incident. The man, who was believed to have traveled to the city from Camden, was found in possession of an undisclosed amount of heroin and a hypodermic needle, police said. He was charged with drug and paraphernalia possession and was placed in Burlington County Jail in Mount Holly pending extradition proceedings. His bail was set at $100,000. Source:

17. March 31, Federal Bureau of Investigation – (National) Former TBW financial analyst pleads guilty in $1.5 billion fraud scheme. A former senior financial analyst at Taylor, Bean and Whitaker (TBW), pleaded guilty March 31 to conspiring to commit bank and wire fraud for his role in a scheme that defrauded approximately $1.5 billion from financial investors in TBW’s mortgage lending facility, Ocala Funding. The 37-year-old analyst, of San Antonio, Texas, pleaded guilty in the Eastern District of Virginia. He faces a maximum penalty of 5 years in prison when he is sentenced June 21. According to a statement of facts submitted with his plea agreement, in 2005 TBW established a wholly owned lending facility called Ocala Funding. The facility was managed by TBW. The man had tracking and reporting responsibilities with respect to Ocala, and he admitted that from 2006 through August 2009, he and other co-conspirators engaged in a scheme to mislead investors and auditors as to the financial health of the lending facility. According to court records, shortly after Ocala was established, he learned there were inadequate assets backing its commercial paper. He tracked this deficiency, which was referred to internally at TBW as a “hole” in Ocala. He reported the status of the “hole” to senior TBW executives, including its CEO and CFO. He was also aware TBW co-conspirators were improperly transferring hundreds of millions of dollars from Ocala to TBW accounts. At the time TBW ceased operations, the hole was about $1.5 billion. He admitted he prepared documents that inaccurately and intentionally inflated figures representing the aggregate value of the loans held in Ocala, or under-reported the amount of outstanding commercial paper. He sent this false data to investors, other third parties, and an outside audit firm. Source:

18. March 31, Springfield Connection – (Virginia) Springfield loan officer charged in mortgage-fraud scheme. A 48-year-old Springfield, Virginia man was arrested March 25 and charged with conspiracy to commit mortgage-fraud involving about 15 homes in the Northern Virginia area. According to court documents, the total amount of loans approved exceeded $6.5 million. According to the 5-count federal indictment returned March 24, he is charged with engaging in a conspiracy to defraud financial institutions into making fraudulent loans and profiting from salary, commissions, bonuses and incentives. The conspiracy allegedly involved four loan officers and two loan officer assistants, previously employed in the Falls Church, Virginia branch of SunTrust Mortgage, who prepared and approved fraudulent loan applications. The indictment alleged the suspects prepared and submitted false, fraudulent and misleading loan applications for unqualified buyers — individuals who lacked the finances, credit rating, or legal status to obtain a certain loan amount. The fraudulent applications contained false data regarding the applicant’s employment, income, assets, immigration status, and intent to live in the property as a primary residence. Source:

19. March 31, Gulf Coast Business Review – (Florida) Orion Bank’s Williams indicted. Prosecutors unveiled a federal grand jury’s indictment of the former chairman, CEO, and president of Orion Bank in Naples, Florida, charging him with bank fraud and deceiving state and federal bank examiners. Before regulators shut it down in late fall 2009, Orion was the second-largest bank headquartered on the Gulf Coast. The grand jury indicted the man on 13 counts, including bank fraud, misapplication of bank funds, making false bank entries, making false statements, and wire and mail fraud. The indictment alleged the man orchestrated a complex scheme in 2009 to fraudulently raise capital and falsify bank records to mislead regulators as to the true financial condition of the bank. Source:

20. March 29, Greenwich Time – (Connecticut) Guilty plea in Fairfield County ATM-skimming scheme. A Queens, New York, woman arrested last year for her part in a widespread ATM scam affecting parts of Fairfield County, Connecticut, pleaded guilty March 28 in U.S. District Court to one count of conspiracy to commit bank fraud. The 22-year-old entered the plea before a United States District Judge. She faces up to 30 years in prison and a fine of up to $1 million. Her plea came a week after a man believed to be at the center of the plot was indicted. The 33-year-old man, also known as “Tarzan,” was charged the week of March 21 with one count of conspiracy to commit bank fraud, four counts of bank fraud and four counts of aggravated identity theft. Federal officials believe the man and woman, and two other women, conspired to install “skimming” devices at ATMs and card-swipe access devices used by banks to control access to ATM lobby doors. The group targeted People’s United Bank locations in Connecticut, including in Darien, Stamford, and Greenwich. The three women in the plot were arrested by the Connecticut Financial Crimes Task Force April 22, 2010 outside a Darien shopping center, where they were attempting to make withdrawals using bank account information they obtained from skimming operations set up throughout the region. Federal authorities said the man who masterminded the plot directed the women to use a PIN-capturing device at a People’s in Cos Cob in March 2010 to create counterfeit bank cards that allowed them to withdraw funds from accounts. Source:

Information Technology

45. April 1, TG Daily – (International) Mass injection attack hits a million websites. More than 1 million URLs were compromised by a cyberattack that has suddenly ramped up in the last 24 hours to become one of the biggest mass-injection attacks ever seen. The trojan, dubbed Lizamoon, redirects Web surfers to a fake antivirus Web site via malicious JavaScript code injected into Web pages. Discovered March 30, it has escalated rapidly. Around half the victims appear to be located in the United States. A number of iTunes pages appear to be affected, although the way these pages are set up prevents the code from automatically executing on users’ computers. Security firm Websense said it has detected a number of other injected URLs on top of the original Lizamoon, meaning the attack is even bigger than first thought. “The Rogue AV software that is installed is called Windows Stability Center, and the file that is downloaded is currently detected by 13/43 anti-virus engines, according to VirusTotal,” Websense said. The affected sites appear to be using Microsoft SQL Server 2003 and 2005; probably not because of a vulnerability in SQL Server itself, noted Websense, but because of weaknesses in the content management systems the sites are using. Source:

46. April 1, Softpedia – (International) VMware fixes local privilege escalation vulnerability in Linux products. VMware has released security updates for its VMware Workstation and VMware VIX API products to address a local privilege escalation vulnerability. The flaw, identified as CVE-2011-1126, is located in the vmrun utility which is used to perform tasks on virtual machines. Since vmrun is a Linux-only utility, only Linux versions of VMware Workstation and VMware VIX API are vulnerable. The vmrun utility requires the VIX libraries and is installed by default by VMware Workstation, but its exploitation requires a non-standard filesystem configuration. “In non-standard filesystem configurations, an attacker with the ability to place files into a predefined library path, could take execution control of vmrun,” the vendor explained in its advisory. Source:

47. March 31, Infosecurity – (International) Vulnerability disclosures reach highest level in history, says IBM. Vulnerability disclosures increased 27 percent in 2010, reaching their highest level in history, according to the IBM X-Force 2010 Trend and Risk Report. The increase has had a “significant impact” on IT professionals managing large IT infrastructures, according to the IBM report. Close to half of vulnerability disclosures in 2010 were Web application flaws, mostly resulting from cross site scripting and SQL injections. These two methods were also cited in the 2009 report as the most popular for exploiting Web application flaws. IBM X-Force said many exploits are publicly released months after the public disclosure of the vulnerabilities they target, suggesting attackers are able to use exploit code after patches have been made available. The SQL Slammer worm, which first emerged in January 2003, continues to be the most common source of malicious Internet traffic, the report said. The use of the term “advanced persistent threat” became widespread in 2010, after high-profile attacks on corporate enterprises by sophisticated targeted attackers. In addition, botnet activity continued to grow in 2010. Source:

48. March 31, CNET – (International) Phishing scam masquerades as Adobe upgrade. Phishers are using spam that tries to trick people by offering an upgrade to Adobe Acrobat. Detailed by security provider Cloudmark, this type of advertising spam e-mails users a notice to upgrade to the new Adobe Acrobat Reader. Those who click on the link are directed to a Web site touting the benefits of the software. The Web site domain name contains the word “adobe,” said Cloudmark, as an attempt to give it some kind of legitimacy. However, it is just another malicious site designed to capture personal information. Once on the phony site, the user is prompted to provide contact details and credit card information, which then fall into the hands of cybercrooks. Source:

49. March 31, Help Net Security – (International) Vulnerabilities in common Web applications escalate. A new Cenzic report reveals widespread Web application vulnerabilities, with 2,155 discovered — a third of which have both no known solution and an exploit code publicly available. The report also revealed aggressive campaigns by Web browser makers including Google, Microsoft, and Mozilla to improve the security of their Web navigation products. Among the published Web vulnerabilities in Commercial Off The Shelf (COTS) software, Cross Site Scripting (XSS) and SQL injection dominated, accounting for 54 percent of the total number of Web vulnerabilities in the second half of 2010. Cenzic also analyzed vulnerabilities in various Web browsers, detecting many security vulnerabilities yet aggressive campaigns by manufacturers to improve their safety. Google’s Chrome browser had the most vulnerabilities detected (89) due to its aggressive campaign to offer cash rewards for any discovered. In the end, the company fixed 88 of the vulnerabilities quickly and efficiently, the report noted. Source:

Communications Sector

50. March 31, Channel Partners – (National) Responding to network attack, TelePacific agents reach out to customers via Twitter, Facebook. The power of social media was on display the week of March 21 when TelePacific Communications, a Los Angeles, California-based phone service provider, suffered an external network attack that left most of its “SmartVoice” customers without the ability to make and receive calls. A TelePacific spokeswoman credited TelePacific’s agents for responding to customers on the company’s Facebook and Twitter pages while also keeping their customers apprised of the situation via e-mail. “Since the outage they [agents] have been instrumental in minimizing customer concerns by proactively addressing our mutual customers,” the spokeswoman said. Individuals who have addressed customer issues have included agent managers and directors as well as TelePacific’s CEO and the company’s channel chief, the spokeswoman said. “We proactively reached out to all of our top agents along with many subs to address concerns head on and again have been truly thankful for their positive responses to TelePacific on the heels of the attack,” she said. In a letter sent to SmartVoice customers, the TelePacific CEO said the “unprecedented attack” on the network occurred March 24 and March 25. The company has engaged the FBI’s cyber attack division to attempt to identify the source of the attack, he said. Source: