Monday, November 14, 2011

Complete DHS Daily Report for November 14, 2011

Daily Report

Top Stories

• The Securities and Exchange Commission charged two Minnesota-based hedge fund managers and their firm for facilitating a multi-billion dollar Ponzi scheme operated by a Minnesota businessman. – U.S. Securities and Exchange Commission See item 14 below in the Banking and Finance Sector

• Six Estonian nationals were arrested and charged with running a sophisticated Internet fraud ring that infected millions of computers worldwide with a virus, and enabled the thieves to obtain $14 million in illicit fees. – Federal Bureau of Investigation See item 43 below in the Information Technology Sector


Banking and Finance Sector

8. November 10, Sunshine State News – (Florida) Bondi couple guilty in mortgage fraud scheme plead to cooperate. A Tampa, Florida couple pleaded guilty to their involvement in an $8.8 million mortgage fraud scheme, the attorney general’s office announced November 9. The couple were among five arrested in April for their involvement in 50 fraudulent mortgage applications involving 33 properties in Pinellas, Pasco, Hillsborough, Hernando, Osceola, Seminole, and Orange counties. In agreeing to plead before a circuit court judge in Pinellas County, the couple will cooperate against the other defendants, the attorney general’s office said. In the scheme the couple pleaded to, which occurred from 2003 to 2007, false residential mortgage loan applications and associated documents were prepared for residential mortgage loan lenders. Ultimately, the lenders approved the residential loan applications and funded 50 mortgage loan applications totaling about $8.8 million. Of the properties involved, 22 were the subject of foreclosure proceedings that resulted in more than $3 million in final judgments. Source:

9. November 10, Softpedia – (National) Fannie Mae employee leaks details of 1,100 individuals. A Fannie Mae employee is suspected of selling handwritten copies of financial information belonging to 1,100 individuals, but the organization claims their database does not contain some of the information provided by the staff member, Softpedia reported November 10. In a letter sent to the attorney general’s office in New Hampshire, the enterprise that is overseen by the Federal Housing Finance Agency claims that the crime was discovered sometime in October when the employee was found passing pieces of information such as names, addresses, Social Security numbers, dates of birth, and credit scores. “Based on the information we presently have available, we do not believe that this incident was the result of an electronic breach of any Fannie Mae computer system,” the letter read. Source:

10. November 10, Reuters – (National) Internet scam targets state securities regulators. An organization of state securities regulators, whose goal is to protect investors from fraud, said November 9 it has been the victim of an attempted Internet scam. The North American Securities Administrators Association (NASAA) told the operator of a Web site that represented the “State Securities Commission” (SSC) to cease operations and to shut the site down November 9. The site was using content from NASAA’s Web site, possibly for unlawful purposes, Washington-based NASAA said in a statement. The mock site, which appeared to be offline by late November 9, is one of several fake regulator Web sites that have surfaced in recent years, said NASAA’s president. There are no legitimate state securities regulatory agencies affiliated with the “State Securities Commission” or SSC Web site, the president said, who also heads Nebraska’s banking and finance department. Source:

11. November 9, Reuters – (National) SEC enforcement cases hit record high in 2011. The U.S. Securities and Exchange Commission (SEC) filed a record number of cases in the last fiscal year, including those related to the financial crisis, the agency said November 9. The agency brought 735 cases in the year that ended in September, and collected $2.8 billion in sanctions, it said. In 2010, it brought 677 cases but collected $2.85 billion in penalties. The agency has been under pressure to bring more cases against financial institutions and individuals who allegedly played a role in the 2007-2009 financial crisis. The bulk of the cases for the year came in traditional areas of enforcement. It brought 146 actions against investment advisors, 112 against broker-dealers, 89 for financial fraud or disclosure violations, and 57 insider trading cases. In the past 2 years, the SEC has restructured its enforcement division to remove a management layer and divide its lawyers into specialized units. It also set up a whistleblower bounty program and other incentives to encourage witnesses to cooperate. In its November 9 statement, the SEC credited the reorganization with allowing it to bring more cases and move matters through the agency more quickly. Source:

12. November 9, Associated Press – (Oregon) Oregon man pleads guilty in $19M bank fraud scheme. A man pleaded guilty November 9 in Oregon to carrying out a check fraud scheme that caused two banks to lose $3 million. Federal prosecutors said he pleaded guilty to conspiracy to commit bank fraud. He admitted to kiting more than 500 checks in December 2008 totaling more than $18 million. The scheme involved transferring money between two or more banks to obtain credit from a bank during the time it took the checks to clear. Source:

13. November 9, – (New York) ‘Dapper Bandit’ wanted for string of bank heists. A neatly-dressed bank robber dubbed the “Dapper Bandit” by the FBI is wanted for a string of heists across the Manhattan borough of New York City, police said November 9. The suspect has struck seven times since September in Lower Manhattan and Midtown, passing notes and in one case appearing to have a gun, according to police. The suspect first struck September 21 at a Capitol One Bank, passing the teller a note demanding money. The suspect, who is also wanted by the FBI, allegedly struck five times in October, making off with an unknown amount of money each time, police said. Then November 8, the suspect, who wears a suit, allegedly robbed an HSBC bank. On October 6, he appeared to have a gun inside his waistband during a robbery at a Capitol One Bank. Source:

14. November 9, U.S. Securities and Exchange Commission – (National) SEC charges feeders to Petters Ponzi scheme. The Securities and Exchange Commission (SEC) November 9 charged two Minnesota-based hedge fund managers and their firm for facilitating a multi-billion dollar Ponzi scheme operated by a Minnesota businessman. The SEC alleges the two hedge fund managers and Arrowhead Capital Management LLC invested more than $600 million in hedge fund assets with the businessman while collecting more than $42 million in fees. The pair and Arrowhead falsely assured investors and potential investors the flow of their money would be safeguarded by the operation of certain collateral accounts when the process did not exist as described. When the businessman was unable to make payments on investments held by the funds they managed, the pair and Arrowhead concealed his inability to pay by entering into secret note extensions with the businessman. This is the fourth enforcement action the SEC has brought against hedge fund managers that collectively fed billions into the Ponzi scheme. The SEC previously charged the businessman and froze the assets of an Illinois-based hedge fund manager who was a $2 billion feeder to his scheme, charged two Florida-based fund managers who facilitated the scheme, and blocked an attempt by a Connecticut-based hedge fund manager to divert funds from scheme victims. Source:

15. November 9, U.S. Commodity Futures Trading Commission – (Texas) CFTC charges GID Group, Inc., Rodney and Roger Wagner with fraud and misappropriation in connection with a $5.5 million Forex Ponzi scheme. The U.S. Commodity Futures Trading Commission (CFTC) announced November 9 the filing of a complaint in the U.S. District Court for the Northern District of Texas, against GID Group, Inc. (GID), a Texas corporation, and its agents and officers, a pair of brothers. The defendants were charged with operating a fraudulent off-exchange foreign currency (forex) Ponzi scheme in which they solicited and accepted about $5.5 million. On November 8, a federal judge entered a restraining order freezing the defendants’ assets, and prohibiting the destruction of all books and records. The CFTC complaint alleges that from about February 2010 through November 2010, GID and the brothers fraudulently solicited about $5.5 million from at least 99 people for the purpose of participating in a pooled investment vehicle trading in off-exchange agreements, contracts or transactions in forex on a leveraged or margined basis. The complaint alleges that during the relevant period, only a small portion of GID customer funds were deposited into forex trading accounts held in the name of the brothers, and that these accounts sustained net losses. The complaint alleges the brothers provided actual and prospective customers with payout schedules that falsely promised returns of at least 200 percent and made explicit statements during face-to-face meetings they had successfully traded forex for 2 to 3 years and earned 6 percent per day. The complaint alleges that to conceal and perpetuate the fraud, the brothers made weekly payouts of “returns” knowing GID had obtained no profits through forex trading. Source:

16. November 9, threatpost – (International) Computershare says no customer data exposed in breach. The investor services company Computershare told threatpost November 9 that an investigation has determined data stolen by a rogue employee did not contain shareholder data. However, the company still has not retrieved two USB drives containing company e-mail and documents that outline some of Computershare’s closely held business plans. The statement came in response to a threatpost report November 8 concerning an ongoing legal effort by the Australia-based firm to retrieve thousands of stolen, confidential documents from a former employee of the company’s Canton, Massachusetts office. Computershare had warned in its complaint that data on “millions of shareholders” could potentially be at risk. In an e-mail statement to threatpost, a Computershare senior marketing manager said that, since filing an amended complaint against the former employee in March, the company has completed an internal investigation that found no client or shareholder data was compromised in the theft. Source:

Information Technology

40. November 10, IDG News Service – (International) Open-source toolkit finds Duqu infections. The lab credited with discovering the Duqu malware built an open-source toolkit administrators can use to see whether their networks are infected. The Duqu Detector Toolkit v1.01 looks for suspicious files left by Duqu. The Laboratory of Cryptography and System Security (CrySys), part of Budapest University of Technology and Economics based in Hungary, wrote in its release notes that the toolkit, which is composed of four components, looks for strange files that mark an infection. CrySys said the toolkit should detect a real, active Duqu infection, but it is possible to get a false positive, so it cautioned that administrators would need to analyze the results. Forensic stand-alone tools such as the one CrySys developed are important since they give Duqu victims a better picture of how they were attacked, said the director of the global research and analysis team for Kaspersky Lab. Antivirus software does not give the same insight and focuses instead on detecting and blocking an attack. Source:

41. November 9, The Register – (International) Duqu spawned by ‘well-funded team of competent coders’. The Duqu malware that targeted industrial manufacturers around the world contains so many advanced features it could only have been developed by a team of highly skilled programmers who worked full time, according to an analysis by NSS researchers. The features include steganographic processes that encrypt stolen data and embed it into image files before sending it to attacker-controlled servers, the analysis found. Using a custom protocol to hide the proprietary information inside the innocuous-looking file, before it is sent to command and control servers, is a centuries-old technique used to conceal the exchange of sensitive communications. Duqu is also the world’s first known modular plug-in rootkit, the researchers said. That allows the attackers to add or remove functionality and change command and control servers quickly with little effort. The conclusion the researchers draw from their analysis is that Duqu is the product of a well-organized team of highly motivated developers. The modular design means there is a potentially large number of components that have yet to be discovered. Source:

42. November 9, The Register – (International) Microsoft releases fix for Applocker bypass flaw. Microsoft released a temporary fix for a flaw in its latest operating systems that allows untrusted users to bypass security measures preventing them from running unauthorized applications. AppLocker allows administrators to restrict the applications that can be run on computers running Windows 7 and Windows Server 2008. However, end users can override the restrictions by invoking a variety of automated script features, including macros in Microsoft Office. Programming flags such as SANDBOX_INERT and LOAD_IGNORE_CODE_AUTHZ_LEVEL could even allow malware stashed in temporary folders to be executed. Microsoft published a hotfix to correct the flaw November 9. “This hotfix might receive additional testing,” Microsoft’s advisory stated. “Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.” The advisory did not say when that update would be released. Source:

43. November 9, Federal Bureau of Investigation – (International) Operation Ghost Click: International cyber ring that infected millions of computers dismantled. Six Estonian nationals were arrested and charged with running a sophisticated Internet fraud ring that infected millions of computers worldwide with a virus and enabled the thieves to manipulate the multi-billion-dollar Internet advertising industry. Users of infected machines were unaware their computers had been compromised — or that the malicious software rendered their machines vulnerable to a host of other viruses. Details of the 2-year FBI investigation called Operation Ghost Click were announced November 9 in New York when a federal indictment was unsealed. Officials also described their efforts to make sure infected users’ Internet access would not be disrupted as a result of the operation. Beginning in 2007, the cyber ring used a class of malware called DNSChanger to infect about 4 million computers in more than 100 countries. There were about 500,000 infections in the United States, including computers belonging to individuals, businesses, and government agencies such as NASA. The thieves were able to manipulate Internet advertising to generate at least $14 million in illicit fees. In some cases, the malware had the additional effect of preventing users’ anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software. Source:

44. November 9, Softpedia – (International) Unknown malware represents a constant threat to organizations. Researchers revealed many previously unidentified pieces of malware are constantly targeting enterprise networks. Palo Alto Networks security experts conducted a study in which they used their WildFire malware analysis engine to show how hundreds of samples that are undetected by most security solution vendors can affect the integrity of companies’ infrastructures. The numbers reveal that during a 3-month period, in which enterprise networks were analyzed, more than 700 malicious elements attacked those networks from the Internet, more than half of which were not detected by any commercial product. About 15 percent of the newly identified malware generated traffic between the victim devices and command and control servers that were probably controlled by hackers. The research also found zero-day malware was not only distributed by Web browsing or e-mail traffic, but also by other Web applications. Another result refers to how phishing has improved lately. It appears Web-based file hosting and Web-mail applications are used by cyber criminals to serve malicious software. Source:

For another story see item 45 below in the Communications Sector

Communications Sector

45. November 9, Baltimore Sun – (Maryland) Verizon Internet outage actually affected 22,000 customers in Maryland, PLUS 22,000 Baltimore city employees. On November 9, Verizon revised upward the number affected by an Internet outage early the week of November 7 to 22,000 customers, including residential, commercial, and government, according to a company spokeswoman. On November 8, Verizon gave an initial report that about 5,000 customers had been affected from November 6 to November 7, from the Baltimore metro area to parts of Montgomery County. The cause: a faulty router. The morning of November 9, a Verizon spokeswoman e-mailed the Baltimore Sun the revised number when asked about outages for Baltimore City employees. Baltimore’s chief information officer said in a Facebook comment at the Baltimore Tech Page that 22,000 Baltimore city government customers were affected, and the city had to work with Verizon to design workarounds. Source: