Thursday, May 5, 2011

Complete DHS Daily Report for May 5, 2011

Daily Report

Top Stories

• The St. Louis Post-Dispatch reports the destruction of the Birds Point Levee in southeast Missouri deluged 130,000 acres of farmland and caused up to $300 million in damage. (See items 26, 55)

26. May 4, St. Louis Post-Dispatch – (Missouri; Illinois) Levee explosion may cost farmers in southeast Missouri $300 million. When the U.S. Army Corps of Engineers blew up the Birds Point levee in southeast Missouri late May 2, water gushed onto 130,000 acres of farmland, drowning crops. The Corps-engineered deluge also swamped millions of dollars in farm infrastructure, from culverts to irrigation pivots. Tens of thousands of gallons of diesel and liquid fertilizer sit in flooded tanks. “In that spillway, all the structures are going to be gone,” the head of the Missouri Farm Bureau said. “Roads, bridges, center point irrigation pivots are all going down the river.” The Corps dynamited the levee to relieve mounting pressure on the flood control systems guarding more populated areas upriver, particularly Cairo, Illinois. But the decision exacted a heavy price: Some early estimates put the damage at $300 million. The farm bureau predicted the crop damage alone would be around $100 million. The U.S. Agriculture Secretary said May 3 that crop insurance would cover the farmers, despite the fact that the flooding was, in effect, “man-made.” Source:

55. May 4, CNN – (National) Record flooding still in forecast after levee breach. The intentional breach of a levee on the Mississippi River is helping to ease unprecedented flood pressure on other areas, the U.S. Army Corps of Engineers said. The Ohio River level had dropped about 1.7 feet at Cairo, Illinois, since May 2, before the blast, but that is expected to level off May 4. The breach, created when engineers detonated explosives the night of May 2 at Birds Point, Missouri, is sending 396,000 cubic feet of water per second onto 200 square miles of fertile Missouri farmland. A second levee blast was conducted the afternoon of May 3 at New Madrid, Missouri, and a third is planned May 4 near Hickman, Kentucky. The second and third blasts, downstream of Birds Point, will allow floodwater to return to the Mississippi River. While the plan appeared to be working — the level of the Ohio River fell where it joins the Mississippi — record crests and relentless pressure from millions of gallons of water still threatened communities throughout the Mississippi and Ohio river valleys. Vicksburg, Mississippi, could see water levels rise 4 feet by May 8. Authorities told residents of Caruthersville, Missouri, that sandbags may not be enough to control the water. The town of Cairo remained under a mandatory evacuation despite the intentional breach, while six other communities were under voluntary evacuation notices, said a spokeswoman for the Illinois Emergency Management Agency. Even with the levee breach, the National Weather Service continues to predict record or near-record flooding in parts of southern Illinois, southwest Indiana, western Kentucky, and Tennessee, southeastern Missouri, northeastern Arkansas, and parts of Mississippi, and Louisiana. Source:

• According to The Register, researchers have discovered the first ever crimeware kit designed to steal sensitive data from computers running Mac OS X. See item 44 below in the Information Technology Sector


Banking and Finance Sector

13. May 4, Federal Bureau of Investigation – (New Jersey) New Jersey man pleads guilty to robbing four banks. A West New York, New Jersey man admitted May 4 to robbing four banks between September 9 and December 14, 2010, a U.S. attorney announced. The 63-year-old man pleaded guilty to an information charging him with four counts of bank robbery, admitting he robbed banks in Bergen and Hudson Counties. The man disguised himself by wearing a hat and makeup, such as a fake moustache and beard, during the robberies. During each robbery, he would enter the bank and demand money from tellers, either verbally or using a note, and gesture toward a small pipe hidden in the sleeve of his jacket that appeared to be a weapon. On December 14, 2010, the man was arrested in North Bergen while driving a vehicle witnesses identified as being used following the attempted robbery of the TD Bank in Union City earlier the same day. Inside the vehicle, officers found the makeup and baseball hat the man had used in the robberies, as well as the money he had stolen from the GSL Savings bank earlier that day. The charges each carry a maximum potential penalty of 20 years in prison and a fine of $250,000. Source:

14. May 4, Federal Bureau of Investigation – (Oregon) Two executives indicted in Oregon for securities fraud. The 46-year-old former chief executive officer of Willamette Development Services, LLC (WDS), and a 43-year-old former investment relations manager for WDS, were arraigned in federal court May 2 on an indictment returned by a federal grand jury April 20. The pair and WDS were charged with committing securities fraud, bank fraud, mail fraud, and wire fraud. In addition, the indictment seeks forfeiture of all proceeds traceable to the fraud. The indictment alleges that from April 2006 through December 2007, through misrepresentations by the pair, WDS obtained approximately $5,272,300 from investors for the ostensible purpose of developing at least 10 profitable real estate projects, and that WDS incurred $14,115,825 of additional indebtedness from lenders. By January 2008, none of the projects were completed and WDS was insolvent. The investors lost their entire principal of $5,272,300. Secured lenders recovered portions of their loans through foreclosure actions.The indictment also alleges the former CEO lied about his academic background and that he failed to tell investors he had previously been fired from a financial institution for engaging in fraud, and that he had previously filed bankruptcy. On February 8, the former chief financial officer of WDS pled guilty to conspiring with the pair to commit securities fraud. Source:

15. May 3, Marketwatch – (International) Bin Laden death may limit terror financing. The death of the head of al-Qa’ida may limit terrorism financing, a top U.S. President’s administration official said May 3. “The death of [the al-Qa’ida leader] is a tremendously important step, and it takes away a person who, at minimum, as a symbol, was helpful in raising terrorism money,” the Treasury Department’s assistant secretary for terrorist financing, told lawmakers on the Senate Banking Committee. He argued that even with bin Laden’s death, there has been an expansion of the franchising of al-Qa’ida networks in the Middle East and in North Africa. However, he also argued that Treasury’s efforts to limit terrorism financing have notched some successes, in part because of the department’s engagement and sharing of information with foreign governments, foreign central banks, and foreign intelligence units. “The success we’ve had with al-Qa’ida has been something that has developed over a number of years by both taking targeted actions against facilitators moving money as well as dedicated engagement with counterparts in the gulf to identify the networks where the money is raised and moved into Pakistan and it has really put a fair amount of financial pressure on al-Qa’ida,” he said. Source:

16. May 3, – (National) Phishing scheme uses FDIC. The Federal Deposit Insurance Corp. (FDIC) has received numerous reports from business owners about fraudulent e-mails that purport to be from the FDIC. The e-mail appears to be sent from and includes the subject line: FDIC: Your business account. According to the FDIC, the e-mail, addressed to “Business Owners,” reads: “We have important information about your bank. Please click here to see information ...This includes information on the acquiring bank [if applicable], how your accounts and loans are affected and how vendors can file claims against the receivership.” The FDIC noted it does not issue unsolicited e-mails to consumers or business accountholders. But the scheme is yet another example of how phishers are perfecting their techniques, by taking advantage of trusted sources such as the FDIC, and preying on the fears of business owners during a time of continual bank failures, and ACH/wire fraud incidents. Source:

17. May 3, Boston Globe – (Massachusetts) Police arrest one, seek another in ATM card-skimming scheme. Police arrested one man and are looking for another who allegedly installed a card-skimming device on an automatic teller machine at a Cambridge, Massachusetts bank April 30 in an effort to illegally capture personal information from debit and credit cards. Cambridge police and a U.S. Secret Service agent found the card-skimming device after a witness reported a suspicious person going in and out of the ATM at Eastern Bank on Alewife Brook Parkway about 2 p.m., police said. After prying the device off of the ATM, police detectives and the Secret Service determined it was used to capture personal information and pin numbers from debit cards and credit cards. The device used a pinhole camera to record customers typing in their pin numbers, police said. After speaking to witnesses and identifying a suspect, police spotted a 30-year-old Romanian man nearby at another store at the Fresh Pond Mall and placed him under arrest. He was charged with possession of a burglarous instrument, conspiracy, larceny of credit card, and attempting to commit a crime. A second suspect, also from Romania, fled the scene prior to police arrival and a warrant has been issued for his arrest, police said. A Cambridge police spokesman said police believe the witness who reported the suspicious activity had caught the two men in the act of installing the card-skimming device. Police arrived at the scene within minutes to arrest the men, but the spokesman said authorities are unsure at this time if the men captured any personal information from the device. Source:

18. May 3, Brandon Patch – (Florida) Alleged scammer spotted at two Brandon area ATM machines. Detectives in Hillsborough County, Florida, are seeking help in identifying a man they say tampered with at least two ATM machines in the Greater Brandon area. The suspect removed two security mirrors and attached a credit/debit skimming device to a Chase ATM machine at 1101 West Brandon Boulevard April 16 at 7:18 p.m. He returned the next day and removed the skimming device, according to a May 3 release from the Hillsborough County Sheriff’s Office. The same suspect was seen at a Valrico branch ATM, 2615 State Road 60, April 17 at 8:24 p.m. Later the same day, a customer also reported a suspicious looking man at a Causeway Boulevard banking center between 9:50 p.m. and 10:02 p.m. When she approached the ATM she noticed tape over the transaction camera. The white male suspect is 5-foot-10 to 6-feet tall with a medium build and weighs 220 to 230 pounds. He was driving a black Ford pickup truck, deputies said. Source:

For another story, see item 45 below in the Information Technology Sector

Information Technology

42. May 4, Softpedia – (International) Fake FBI emails distribute backdoor. A new malware distribution campaign is producing rogue e-mails purporting to come from the FBI and attempting to scare users into opening malicious attachments. Cyber criminals behind this attack are hoping to scare people into believing they are being investigated by federal authorities because they accessed illegal online content. The subject of the rogue e-mails reads “you visit illegal websites” and their header is forged to appear as if they originate from an FBI address. The attachment is called document(dot)zip and according to security researchers from e-mail and Web security vendor ApprRiver, it contains a version of Bredolab. Bredolab is a trojan downloader commonly used as a malware distribution platform. In this case, it installs a backdoor on the PC through which attackers can deploy even more threats. In order to trick users into believing they are dealing with a document, the executable found inside the .zip archive bears a PDF icon. “It’s intent is to slip past your human defenses and create a permanent backdoor on your PC in order to further download malicious payloads such as keyloggers and spyware,” an AppRiver security researcher noted. Source:

43. May 4, Computerworld – (International) Microsoft issues first Windows Phone security update. Microsoft released the first security update for Windows Phone 7 May 3, replicating for smartphone users a patch the company gave Windows desktop users 6 weeks ago. When the update will actually reach users is unclear. “At the time of release, the update is not available for all Windows Phone 7 customers,” Microsoft said in a security advisory. “Instead, customers will receive an on-device notification once the update is available for their phone.” The update is designed to blacklist nine digital certificates acquired by a hacker in March from Comodo, one of many companies that issues secure socket layer certificates. “This update moves the affected certificates to the ‘Untrusted Publishers’ certificate store on Windows Phone, which helps ensure that these fraudulent certificates are not inadvertently used,” Microsoft said in an explanation on its Windows Phone update history Web page. Source:

44. May 3, The Register – (International) DIY crimekit brings advanced malware to Mac OSX. A crimeware kit discovered the weekend of April 30 and May 1 promises to bring a flood of advanced malware that steals passwords and other sensitive data from computers running Mac OS X. The kit is being advertised as the Weyland-Yutani Bot in underground crime Web sites, where it is being sold for $1,000. The first ever crimeware kit for the Mac comes with the ability to grab data entered into Firefox, with the Chrome and Safari browsers soon to follow, according to Danish IT firm CSIS Security Group. The makers of the new DIY malware kit claim they are close to releasing versions that will work on iPads and Linux machines as well. Weyland-Yutani uses Web injection templates identical to those offered by the ZeuS and Spyeye crimeware kits available for targeting Windows computers. The forms seamlessly inject fraudulent fields into legitimate Web sites intended to trick users into entering Social Security numbers or other sensitive information. When the user types the data into the field, it is transmitted back to the malware author. Source:

45. May 3, Computerworld – (International) Hackers step up game, spread malware using Bin Laden bait. Hackers are increasingly exploiting the death of al-Qa’ida leader by pushing malware into PCs when users fall for fake claims of photographs and video, security researchers said May 3. The shift to direct attacks follows campaigns May 2 to push fake security software, dubbed “rogueware,” to both Windows and Mac users. F-Secure warned users May 3 to steer clear of spam that included the “Fotos_[first name]_bin_[last name](dot)zip” archive attachment. The messages claim the file contains photos of the terrorist leader after he was shot and killed. Running the resulting Windows executable file does not display photographs, but instead launches a new banking trojan horse belonging to the 3-year-old “Banload” line, an F-Secure researcher said. The malware sniffs out online banking sessions and then tries to redirect payments to other accounts. Other security companies have also snared malware packaged with spam related to the terrorist leader. Symantec said May 3 it had found e-mail messages touting photos and video of the U.S. attack’s aftermath. The messages, which so far have been written in French, Portuguese, and Spanish, lead users to a fake CNN Web site where they are told to download video. As in the F-Secure instance, the download is, in fact, a “dropper” that in turn downloads malicious code to the Windows PC. Scams leveraging the death of al-Qa’ida leader are also spreading quickly on Facebook, researchers said. Source:

46. May 3, Softpedia – (International) TDL4 rootkit updated to bypass Microsoft patch. TDL4, one of the most sophisticated rootkits capable of infecting 64-bit Windows systems, was updated by its developers to bypass a recent Microsoft patch that interfered with its operation. During Patch Tuesday April 12, Microsoft issued an update that made some changes particularly designed to disable TDL4’s hiding mechanism. TDL4 is part of the TDSS family of rootkits and was the first one capable of infecting 64-bit Windows systems. By default, 64-bit versions of Windows 7 and Vista only accept digitally signed drivers, therefore the vast majority of rootkits that use custom drivers to interact with the disk and hide their presence, cannot function on such systems. TDL4 is different because it patches the Windows Boot Configuration Data (BCD) in real time in a way that allows it to bypass the OS driver signature check. One of the modifications made by Microsoft’s KB2506014 update involved changing the size of kdcom.dll’s PE export directory to interfere with the TDL4 infection routine that checks this value to determine if the file must be replaced with a rogue version or not. According to researchers from security vendor Prevx, TDL4 developers reacted to this change by releasing a new version of the rootkit that no longer performs this check. Instead it patches Windows’ digital signature check routines for kdcom.dll directly to return an error the system does not recognize forcing it to proceed with the booting routine normally. In addition, the rootkit’s developers also changed the way the rootkit hooks the system miniport disk driver, a method that allowed anti-malware programs to detect its presence. Source:

Communications Sector

47. May 2, Computerworld – (National) Internet creaks under tidal wave of bin Laden death news. The U.S. President;s announcement May 1 of the death of the al-Qa’ida leader by U.S. Navy SEALs triggered a massive amount of real-time comments, searches, social networking and video streaming. The traffic explosion bogged down news pages and for a while even crashed CNN’s mobile news site. Keynote Systems reported CNN’s site went down for a time after the news broke late May 1, according to a VentureBeat’s employee, who was posting news as it happened. Keynote’s mobile and cloud traffic monitoring system found streaming video sites going black under the heavy demand, which varied from region to region in the United States, with most of the East Coast already asleep when the President made his announcement after 11 p.m. But it was still early enough for users in the western half of the country to turn to their cellphones for the latest news, search for more information, and share it via Twitter and Facebook, both of which exploded with activity. “This caused a much bigger spike than the royal wedding,” according to the, senior product manager at Keynote, quoted by VentureBeat. Keynote said that late May 1, Web news sites were about 60 percent available, “meaning 40 percent are down at any given moment,” according to VentureBeat. Source:

For another story, see item 43 above in the Information Technology Sector