Tuesday, April 12, 2011

Complete DHS Daily Report for April 12, 2011

Daily Report

Top Stories

• According to the Associated Press, the U.S. government has prevented more than 350 people suspected of ties to al-Qaida and other terrorist groups from boarding U.S.-bound commercial flights since the end of 2009. (See item 18)

18. April 11, Associated Press – (International) US blocks 350 suspected terrorists from planes. The U.S. government has prevented more than 350 people suspected of ties to al-Qaida and other terrorist groups from boarding U.S.-bound commercial flights since the end of 2009, the Associated Press (AP) has learned. The tighter security rules — imposed after the attempted bombing of an airliner Christmas 2009 — reveal a security threat that persisted for more than 7 years after the September 11th attacks. Until then, even as commercial passengers were forced to remove their shoes, limit the amount of shampoo in their carry-on luggage and endure pat downs, hundreds of foreigners with known or suspected ties to terrorism passed through security and successfully flew to the United States each year, U.S. officials told AP. The government said these foreigners typically told customs officers they were flying to the U.S. for legitimate reasons such as vacations or business. Security practices changed after an admitted al-Qaida operative from Nigeria was accused of trying to blow himself up on a flight to Detroit, Michigan. Until then, airlines only kept passengers off U.S.-bound planes if they were on the no-fly list, a list of people considered a threat to aviation. Now before an international flight leaves for the United States, the government checks passengers against a larger watch list that includes al-Qaida financiers and people who attended training camps but are not considered threats to planes. The government was checking this list before, but only after the flight was en route. If someone on the flight was on the watch list, the person would be questioned and likely refused entry to the country after the plane landed. The new policy has not turned the 450,000-person terror watch list into the no-fly list. Simply being on the terror watch list does not mean a person won’t be allowed to enter the United States. Source: http://www.msnbc.msn.com/id/42529687/ns/us_news-security/

• HealthcareInfoSecurity.com reports two medical office assistants and a school board employee stole personal patient and teacher data, which were then used to commit $1.2 million in fraud. (See item 38)

38. April 8, HealthcareInfoSecurity.com – (Florida) ID theft ring leads to HIPAA charges. Two of 12 people indicted April 5 in a Florida identity theft and bank fraud scheme were charged with criminal violations of the Health Insurance Portability and Accountability Act (HIPAA) privacy rule. The two defendants worked as office assistants at two medical offices in Coral Springs and Fort Lauderdale, according to the U.S. Attorney for the Southern District of Florida. They allegedly stole patient identification information, including Social Security numbers, and sold it to three other defendants in the case. If convicted of the HIPAA violations, the two defendants face a maximum term of 10 years in prison. The Florida case also involves an employee of the Broward County School Board who allegedly stole teachers’ personal data and sold it to other defendants. The defendant was the organizer of the identity theft ring and allegedly used all the stolen information to add himself and others as authorized users of victims’ credit card and bank accounts, according to the indictment. Defendants then depleted the bank accounts and incurred credit charges, committing a total of more than $1.2 million worth of fraud, authorities said. All the defendants were charged with conspiracy to commit bank fraud and could face a maximum prison sentence of 30 years on that charge. They also were charged with conspiracy to commit access device and identity theft. Four defendants could receive additional prison sentences if convicted of substantive counts of access device fraud. Source: http://www.healthcareinfosecurity.com/articles.php?art_id=3521

Details

Banking and Finance Sector

14. April 11, UK Register – (International) Corrupt bank worker jailed over Trojan-powered tax scam. A former business manager at a London, England bank who participated in a 3.2 million pound self assessment tax fraud was jailed for 3 years and 3 months April 8. The business manager and a conspirator worked together to register over 1,050 fictitious taxpayers on Britain’s income tax self assessment system. The pair claimed fraudulent tax refunds under assumed names before laundering the proceeds of the scam via 200 fraudulent bank accounts. Personal details needed to pull off the racket were extracted from the computers of consumers using an unspecified computer virus. The scam netted 3.2 million pounds between January 2008 and September 2010 when the racket was uncovered following a lengthy investigation by HM Revenue & Customs. The court said that the manager “had abused his position with the bank” as part of a “sophisticated and orchestrated fraud”. Source: http://www.theregister.co.uk/2011/04/11/virus_powered_tax_scam/

15. April 11, IDG News Service – (International) UK police arrest three men over ‘SpyEye’ malware. British police arrested three men April 8 in connection with using the SpyEye malware program to steal online banking details. Two of the men were charged on April 8 and appeared in Westminster Magistrates Court in London April 9. Police said the three were arrested by the police central e-Crime unit “in connection with an international investigation into a group suspected of utilizing malware to infect personal computers and retrieve private banking details.” The investigation began in January and revolved around the group’s use of a uniquely modified variation of the SpyEye malware, which harvests personal banking details and sends the credentials to a remote server controlled by hackers, police said. As part of their investigation, police also seized computer equipment and data. Security analysts have kept watch on the SpyEye malware for some time. Some said it shares code with Zeus, widely considered the reference in banking malware. Zeus is designed to evade security software, grab online banking credentials, and execute transactions as people log into their accounts. Source: http://www.computerworld.com/s/article/9215682/UK_police_arrest_three_men_over_SpyEye_malware

16. April 9, Stamford Connecticut Patch – (Connecticut) Another suspect admits to ATM skimming scam in Stamford, Cos Cob. Another Romanian citizen has pleaded guilty April 8 in connection with an ATM skimming scheme that involved ATMs in Cos Cob, Connecticut. A U.S. Attorney announced the suspect pleaded guilty April 9 before a U.S. district judge in Hartford to one count of conspiracy to commit bank fraud. The charge stems from the suspect’s participation in an ATM “skimming” scheme. According to court documents and statements made in court, the suspect and others conspired to install “skimming” devices on ATMs and on card swipe access devices used by banks to control access to ATM lobby doors, at People’s United Bank locations in Connecticut. The devices were able to capture the information encoded on the magnetic strips of bank cards used by ATM customers. The co-conspirators also are accused of placing devices on the ATMs that contained hidden pinhole cameras, positioned in such a way as to be able to record the personal identification numbers that bank customers keyed into the ATMs to gain access to their accounts. The co-conspirators then used this stolen data to create counterfeit bank cards that allowed them to withdraw funds from the customers’ accounts. The suspect is to be sentenced June 24, and faces a maximum term of imprisonment of 30 years, and a $1 million fine. Source: http://stamford.patch.com/articles/another-suspect-admits-to-atm-skimming-scam-in-stamford-cos-cob

17. April 8, Edina Patch – (Minnesota) Edina woman linked to $3.65 billion ponzi scheme pleads guilty. A 43-year-old Edina, Minnesota woman pleaded guilty April 8, in federal court to playing a role in a $3.65 billion Ponzi scheme. The woman admitted she aided and abetted criminal activity by concealing information from investors regarding the purchase and sale of securities from September 2007 through September 2008. She entered a guilty plea to one count of securities fraud and one count of providing false statements to a government agent before a U.S. district court judge. The woman served as vice president of special operations and later as managing director of finance with Arrowhead Management, which operated three hedge funds that almost exclusively invested in Petters Company, Inc. (PCI) promissory notes. The man who owned and operated PCI was sentenced to 50 years in federal prison in April 2010 for heading up the scheme. The woman admitted in court she and others hid information from investors that millions of dollars in PCI notes held by Arrowhead were on the verge of going into default. During the life of the hedge fund, investors reportedly contributed more than $387 million, with Arrowhead obtaining about $35 million in fees from the fund. She faces a potential maximum penalty of 5 years in prison for each charge. Source: http://edina.patch.com/articles/edina-woman-linked-to-365-billion-ponzi-scheme-pleads-guilty

Information Technology

45. April 11, Softpedia – (International) Notorious Facebook worm has gone silent. The Koobface social networking worm seems to have stopped spreading on Facebook. According to experts from FireEye, which noticed the unusual change in behavior, the last time Koobface was seen spreading on the world’s largest social network was February 13. “All of a sudden, we saw bot herders are no longer instructing zombies to post fake messages to compromised Facebook accounts. Our first impression was it’s just a temporarily move, but a continued silence for about two months is not something that can be ignored,” a FireEye security research engineer said. Koobface is one of the oldest and most successful social networking worms. It was originally created for MySpace, but later evolved to target many sites, including Facebook, Twitter, hi5, Bebo, and Friendster. The worm uses social engineering to lure users onto fake YouTube pages that distribute a copy of the malware as a video codec or Flash player update. Koobface has usually been used for spamming and installating additional threats on infected computers, possibly as part of a pay-per-install scheme. According to FireEye’s security research engineer, the activity is continuing at the moment, so the worm is not dead. It just stopped spreading on Facebook. “Koobface C&Cs [command and control servers] are very much alive. We observed around 153 live C&Cs during the last 7 days,” the researcher said. FireEye believes the worm might have stopped spreading on Facebook because it drew too much attention to itself. Source: http://news.softpedia.com/news/Notorious-Facebook-Worm-Has-Gone-Silent-194162.shtml

46. April 11, Softpedia – (International) Scareware adopts SMS payments. According to security researchers, some scareware programs have begun featuring SMS payments, a method more commonly seen in ransomware scams. Traditionally, payment is done via credit card. However, with people’s increasing reluctance to use credit cards on unknown sites and the diminishing number of payment processors friendly to cyber crime, scareware pushers are looking into other methods. According to antivirus vendor CyberDefender, cyber criminals are experimenting with SMS payments, along with WebMoney, paid calls, or RUR Vkontakte. One scareware variant that poses as antivirus solutions from Avast, Norton, McAfee, BitDefender, or RootKitBuster, allows users to select their country and asks them to send an SMS with a special activation code to a short number. CyberDefender’s threat research director told CNET this variant is being distributed from malicious links inserted in search results for trending topics, in what is known as black hat SEO. Source: http://news.softpedia.com/news/Scareware-Adopts-SMS-Payments-194163.shtml

47. April 11, H Security – (International) A new security flaw hits VLC. Following on a S3M vulnerability in the VLC media player the week of April 3, a new advisory warns of a buffer overflow when playing MP4/MPEG-4 files.The bug requires that a user open a specially crafted MP4 file. According to Secunia, the vulnerability is found in the MP4_ReadBox_skcr() function in the demultiplexer and is rated as “highly critical”. All versions from 1.0.0 to 1.1.8 are affected by the problem. Corrections have been applied to the source code tree and the issue will be resolved in VLC media player 1.1.9 when it is released. Source: http://www.h-online.com/security/news/item/A-new-security-flaw-hits-VLC-1225820.html

48. April 8, Help Net Security – (International) Uptick in rogue Facebook applications. GFI Software announced the top 10 most prevalent malware threats for the month of March 2011. GFI researchers found the Japanese tsunami, earthquake, and subsequent nuclear disasters led to a high volume of cyber attacks. “In March, we saw an apparently endless collection of scams related to the earthquake and tsunami in Japan, including fake donation Web sites, Facebook clickjacking and 419 spam e-mails (otherwise known as advance-fee frauds, where the target is fraudulently persuaded to advance sums of money). In addition, we also observed search engine poisoning involving radiation levels that sent people to malware sites,” a senior threat researcher at GFI Software said. March also saw many other forms of attack, including numerous rogue Facebook applications, ransomware, and fake antivirus programs and system defragmenters. Scammers also started with SEO poisoning related to printable Easter cards and Skype calls from individuals who attempt to have their victim visit a URL that promotes a fake antivirus program. GFI statistics showed Trojans made up 7 of the top 10 malware threats of the month. Trojans detected as Trojan(dot)Win32(dot)Generic!BT (a generic detection that encompasses a broad array of trojans) continue to be the number one threat, accounting for about 20 percent of total malware found. Source: http://www.net-security.org/malware_news.php?id=1687

49. April 7, Help Net Security – (International) Privacy violations by popular mobile apps under investigation. An ongoing grand-jury investigation has revealed that many mobile applications could be sending user information to advertising networks without the users’ knowledge and permission. The investigation was prompted by a report published by the Wall Street Journal last December, which presented the result of an analysis of 101 applications for the iPhone and Android-powered mobile phones: 56 transmitted the devices’ unique identifiers, 47 relayed the phone’s location, 5 sent out the users’ age, gender, and other personal details, and 45 did not even offer a privacy policy. According to the Wall Street Journal, Pandora Media — the owner of the popular online music service — has admitted to having been served a subpoena related to the investigation. The Journal’s own testing found the iPhone and Android versions of Pandora’s app send out all of the data mentioned in the preceding list. The company claims they have been told the subpoena has been issued “on an industry-wide basis to the publishers of numerous other smartphone applications” and that Pandora was not “a specific target.” The Journal contacted other creators and/or owners of popular apps and asked them if they had received the same subpoena. Some confirmed, others denied, and others declined to comment. Threatpost reported research by security firm Veracode confirmed Pandora’s app sent personal data, and the researchers found libraries for five different ad networks embedded in it. “The data included both the owner’s GPS location, and gender, birthday, and postal code information,” Threatpost said. “There was evidence that the app attempted to provide continuous location monitoring — which would tell advertisers not just where the user accessed the application from, but also allow them to track that user’s movement over time.” Source: http://www.net-security.org/secworld.php?id=10868

For more stories, see items 14 and 15 above in the Banking and Finance Sector

Communications Sector

50. April 11, CyberMedia India Online Limited – (International) 7,000 mobile phones hacked in Britain. Nearly 7,000 mobile phones, including those of a British actress and former British culture secretary, were hacked by a British tabloid, a lawyer has claimed. The lawyer, who is representing several of the celebrities involved said 7,000 people may have had their mobile phone voicemail messages intercepted by The News of the World. The daily has now apologized to the victims, saying, “We publicly and unreservedly apologize to all such individuals. What happened to them should not have happened. It was and remains unacceptable.” The hacking took place between 2004 and 2006, the Daily Express reported. The lawyer said her clients will not accept a settlement from the newspaper until they have received full disclosure. “What we have at the moment is an apology and an admission. We haven’t even got near the truth yet,” she said. “If you hack into one person’s phone, you have access to everyone who has left a message for them. And then if you go into the person who has left a message, you get all of theirs. A cabinet minister described the phone hacking as “outrageous”, while London’s mayor called on all newspaper editors to declare any hacking carried out by their staff. Source: http://www.ciol.com/Global-News/Global-News/News-Reports/7000-mobile-phones-hacked-in-Britain/148638/0/

51. April 9, International Business Times – (International) DDoS attacks grow in sophistication. In the wake of the attacks by the hacker collective Anonymous on Sony and on Livejournal, more attention has been focused on just what such attacks mean and how to defend against them. Most attacks on the Web come as distributed denial of service attacks, or (DDoS). The most common form is making too many requests of a server for it to handle at once. By flooding a server with data packets, one can essentially shut it down, making it inaccessible to other users. To set one up requires a large number of computers, and a simple way to do it is to send out a piece of software — usually a virus or Trojan to unsuspecting users whose computers mount the attack without them knowing. Such a network is called a botnet. Another method is to enlist the help of others voluntarily. The Low Orbit Ion Cannon (LOIC) is a piece of software that can target a Web site but it has to be run by a user helping mount a DDoS. LOIC was originally a stress-testing tool for system administrators. Such attacks are not too difficult to defend against, a director of security products at Radware said. That is because any attack that depends on simply sending lots of data can be stopped if certain Internet addresses are blacklisted, or if the target can remove some of the packets from the stream of data. By having in place a piece of hardware or software that takes some packets out, the server is convinced there is a congestion problem, and it reduces the amount of data sent in and out. That can defeat the DDoS. Source: http://www.ibtimes.com/articles/132456/20110409/ddos-attacks-the-arms-race.htm