Thursday, January 5, 2012

Complete DHS Daily Report for January 5, 2012

Daily Report

Top Stories

• Three Swiss bankers were indicted in the United States January 3, accused of hiding $1.2 billion in assets of U.S. clients seeking to avoid declaring their full wealth to tax authorities. – Agence France-Presse. See item 13 below in the Banking and Finance Sector

• Police arrested a suspect January 3 in connection with the firebombing of an Islamic cultural center and four other New York City area sites. – (See item 40)

40. January 3, – (New York) New York City police arrest suspect in string of firebomb attacks. Police arrested a suspect January 3 in connection with the firebombing of an Islamic cultural center and four other New York City area sites. Police said the suspect was arrested on charges including one count of arson as a hate crime, four counts of arson, and five counts of criminal possession of a weapon. The suspect confessed to five incidents in total, including the attack on the Imam Al-Khoei Foundation, an Islamic center, and a Hindu temple, both located in Queens, a spokesman for the New York City Police Department said. He allegedly was motivated by personal grievances with people at each of the five locations, hurling Molotov cocktails fashioned from bottles filled with fuel that he obtained at a gas station. The suspect was tracked through a car with Virginia license plates that was thought to be at the scene of at least two of the attacks January 1, which also targeted a convenience store and two homes, the police commissioner said. The car was stolen from a Hertz rental car facility at John F. Kennedy International Airport. Source:


Banking and Finance Sector

10. January 4, CBS News – (Texas; Mississippi; Alabama) ‘Handsome Bandit,’ wanted in Texas, arrested in Mississippi. Just as the FBI and Texas police agencies intensified their search for the bank robber being called the ‘Handsome Bandit,’ a routine traffic stop led to his arrest, CBS Dallas reported January 3. It said the suspect was named as the ‘Handsome Bandit’ after police in Richardson, Texas, discovered clothing, a mask and weapon the suspect left behind. Police said the man is the person who robbed a Compass Bank December 31. During that incident, he fired at chasing officers, striking one squad car. In all, he’s accused of robbing six banks across Richardson, Dallas, Plano, and Irving. He faces charges of bank robbery and attempted capital murder. CBS Dallas has learned deputies in Jackson County, Mississippi, attempted to perform a traffic stop on a vehicle traveling on Interstate-10, but the vehicle refused to stop. At some point, authorities ran the license plate and discovered the vehicle was linked to the suspect. Deputies tried three times to stop the vehicle using stop sticks but were unsuccessful. The Jackson County sheriff joined the chase as the suspect and deputies entered Alabama. The vehicle was finally stopped in rural Mississippi after the sheriff shot out the car’s right rear tire. Source:

11. January 3, KDFW 4 Dallas-Fort Worth – (Texas) Checkbook Bandit disturbs DeSoto Police. DeSoto, Texas police are asking for help in identifying an aggressive bank robber who has struck nearly half a dozen times in the last 3 months. The man cops call the “Checkbook Bandit” has robbed the Chase bank in DeSoto three times since September. He’s also robbed a Bank of America there twice, most recently January 3. “He’s pretty brazen. He just shows up, walks up to the teller, opens the checkbook ... and basically instructs them what he wants them to do and even implies he has a weapon,” a DeSoto Police officer said. Police said the man’s checkbook includes the phrases, “I have a gun,” and “This is a robbery,” in bold writing. The robber’s modus operandi is always the same and sometimes he appears to be on a cell phone. Police said a surveillance camera captured a clear picture of an identifying mark on the top of the suspect’s head. They said he was so bold during the January 3 robbery he took his time flipping through the bills before leaving the bank. Source:

12. January 3, Federal Bureau of Investigation – (Florida) Man dubbed ‘Bank Bag Bandit’ arrested at his Palm Harbor residence. A U.S. attorney announced a man was arrested January 3 in Florida by agents of the FBI, and detectives from Hillsborough and Pasco County sheriff’s offices, following the execution of a federal search warrant at his Palm Harbor residence. The suspect, whose true identity only recently became known, had been dubbed the ‘Bank Bag Bandit’ by law enforcement, and was wanted for the armed robberies of five banks, spanning Pasco, Hillsborough, and Hernando counties. According to the complaint filed January 3 in federal court, during each of the robberies, he entered five banks and threatened the tellers with a silver revolver and demanded money. Source:

13. January 3, Agence France-Presse – (International) US charges Swiss bankers for hiding $1.2 billion. Three Swiss bankers were indicted in the United States January 3, accused of hiding $1.2 billion in assets of U.S. clients seeking to avoid declaring their full wealth to tax authorities. The bankers were accused of “conspiring with U.S. taxpayers and others” in a massive tax fraud scheme. In an indictment, the bankers were said to have been client advisers at the Zurich branch of an institution identified as “Swiss Bank A.” They allegedly conspired with U.S. clients to hide the existence of bank accounts and the income they generated from the Internal Revenue Service. Swiss banks, which have a longstanding practice of offering clients secrecy, have come under steady attack by U.S. authorities, highlighted by a probe into banking giant UBS which led to a deal between U.S. and Swiss authorities. The service by “Bank A” was allegedly ramped up in 2008 and 2009 “to capture business lost by UBS AG and another large international Swiss bank in the wake of widespread news reports that the IRS was investigating UBS for helping U.S. taxpayers evade taxes and hide assets in Swiss bank accounts,” New York federal prosecutors said in a statement. They “allegedly told various U.S. taxpayer-clients that their undeclared accounts at Swiss Bank A would not be disclosed to the United States authorities because Swiss Bank A had a long tradition of bank secrecy.” The three bankers live in Switzerland. If convicted in the United States they would each face a maximum term of 5 years in prison. Source:

14. January 3, KABC 7 Los Angeles – (California) ‘Wrong Way Bandit’ robs Costa Mesa credit union. The “Wrong Way Bandit” allegedly robbed a credit union in Costa Mesa, California, December 30, his sixth bank robbery since August, according to authorities. Costa Mesa police were called to a reported robbery at the Nu Vision Credit Union at 10:40 a.m. A suspect reportedly entered the bank, displayed a handgun and threatened a teller with it and demanded cash. The teller complied, giving the suspect an undisclosed amount of money. The FBI believes the suspect is the “Wrong Way Bandit,” who is thought to have committed five other robberies in Tustin, Fountain Valley, Garden Grove, and Costa Mesa. He reportedly used the same robbery method in each of the other incidents. Source:

15. January 3, Fort Worth Star-Telegram – (Texas) Waco life insurance firm accused of systematic fraud. Waco, Texas-based Life Partners Holdings and three of its top executives were accused January 3 by the Securities and Exchange Commission (SEC) of “systematically and materially” misleading investors about the life expectancy of people whose life insurance policies it traded, the Fort Worth Star-Telegram reported. The scheme inflated the value of the company’s stock, according to a suit the SEC’s Fort Worth office filed in federal court in Waco. Investigators said the chief executive officer (CEO) sold about $11.5 million of Life Partners stock at inflated prices while having information not available to the public about the company’s dependency on short-lifespan estimates. “Life Partners duped its shareholders by employing an unqualified medical doctor to assign baseless life expectancy estimates to the underlying insurance policies,” the director of the SEC’s Division of Enforcement said. The SEC filing deals only with Life Partners, which served as a “life settlement” broker — pairing people who no longer can afford their policy premiums with investors who took fractional interests in the policies. Sometimes policies were bought from firms that had insured key workers but then had little interest in the insurance after the employees left. The suit seeks unspecified civil penalties from the three as well as the return of stock trade profits and bonuses from two executives. Source:

Information Technology

31. January 4, Threatpost – (International) Lilupophilupop SQL injection attack tops 1 million infected URLs. A SQL injection attack that has been ongoing for several weeks hit a threshold of more than 1 million infected URLs, Threatpost reported January 4. The attack was first identified and disclosed by researchers at the SANS Internet Storm Center in early December, and at the time there were only a few thousand infected pages. The attacks seemed to be targeting sites with backends running on IIS, ASP, or Microsoft SQL Server, and there were some indications the attackers were doing reconnaissance on the infected sites for some time before the actual attack. The attack, which included a script that redirected users to a URL at lilupophilupop(dot)com, was similar to other mass SQL injection attacks that surfaced in recent years. “Sources of the attack vary, it is automated and spreading fairly rapidly. The trail of the files ends up on “adobeflash page” or fake AV. Blocking access to the lilupophilupop site will prevent infection of clients should they hit an infected site and be redirected,” a SANS ISC researcher wrote in the initial analysis of the attack. The goal of the attack seems to be to drive victims to a site that is peddling fake AV or scareware. That is where the monetization portion of the scheme comes in, with the attackers trying to lure victims into paying a license fee for a fake AV program that they not only do not need, but that will also likely cause other problems on their machines. Source:

32. January 4, Help Net Security – (International) Spyware pushed via Google ads. A Zscaler researcher recently spotted a suspicious-looking ad for a free Flash Video player in his Google Reader. By clicking on the link he was taken to the download page of the player, which repeats many times over that the offered player is free. However, at the bottom of the page a disclosure statement reveals the software is bundled with additional products that “may include advertisement.” This particular piece of adware/spyware appears to install a toolbar along with the player, opens many ports in the system, attempts to connect with remote servers, and requests a number of URLs. “The ad was found on the RSS feed of a security company specialized in cleaning up infected websites,” the researcher said. “This highlights the fact that even reading content from otherwise legitimate resources can inadvertently lead users to unwanted applications when sites include third-party elements (JavaScript driven ads in this case, but also IFRAMES, widgets, etc.) that they do not have control over.” Source:

33. January 4, The Register – (International) Pastebin on the mend after DDoS battering. Popular text file sharing service Pastebin returned online following a denial of service attack January 3. The site, which allows users to anonymously upload documents and share them, has become a favorite resource for hacktivists from Anonymous and elsewhere over recent months. Anonymous uses Pastebin to upload data dumps and to post announcements of planned operations. The site also serves as an Internet clipboard for programmers and others. Pastebin confirmed the attack January 3 via its official Twitter account. Source:

34. January 4, H Security – (International) Chat logs reveal the operator of a major botnet. A security blogger published information about the suspected lead hacker behind the Cutwail botnet. Using various chat logs, he managed to establish the name, phone number, and other personal data of the suspected botnet operator who goes by the name of “Google.” Previously, Russian investigators seized the computer belonging to one of the spammer’s business partners and found extensive chat logs that appeared on the net soon afterwards. The blogger said the logs of chat sessions with a founder of the “SpamIt” spam network indicate “Google” held about a dozen accounts on this network. With these accounts, the spammer allegedly collected around $175,000 in commissions for sending out pharmaceutical spam through his botnet. “Google” is suspected of having made even more money by renting out his botnet to other spammers who use SpamIt. According to current statistics compiled by M86 Security, Cutwail and its affiliates are responsible for approximately 22 percent of the daily global spam volume. However, SpamIt lost its top market position after hackers intruded into the system and disclosed the names of its customers and affiliates. Source:

35. January 4, H Security – (International) WordPress 3.3.1 closes XSS hole. Version 3.3.1 of the open source WordPress blogging and publishing platform has been released. The maintenance and security update addresses a cross-site scripting (XSS) vulnerability affecting WordPress 3.3. According to a blog post by two security researchers, the hole affects WordPress instances installed using an IP address; instances of WordPress installed using a domain name are reportedly not vulnerable. Source:

36. January 3, Softpedia – (International) Scareware migrates to Android devices, beware of Opera virus scanner. Rogue pieces of software that falsely alert users their devices are infected with malicious elements, requiring victims to pay certain amounts of money to allegedly clean their computers, were spotted targeting Android enthusiasts. Up until now, Windows systems were the main target for scareware scams, but Kaspersky Lab researchers found online scam artists are now focusing on smartphones. While searching for some popular mobile apps such as Opera Mini, experts came across several phony Web pages that claim the user’s device is infected with malware, requesting access to the phone to provide further details. If the unsuspecting victim accepts, she is taken to another page that brings up worrying results. The site finds malware in messages, calls, apps, and the storage unit. Unlike the rogue applications that target Windows systems, where the victim is required to provide sensitive data or a certain activation fee, in this case, she is offered a link to activate a “security system” free of charge. Once the alleged system is activated, a trojan identified as SMS.AndroidOS.Scavir is downloaded and installed. After installation is complete, a menu icon similar to the one belonging to Kaspersky applications appears and, after making sure it has all the permissions it needs, the trojan starts sending SMSs to premium rate numbers. The malware targets more than Android users, experts warned. If the phone is detected as running a non-Android operating system, the malicious Web page serves a file called VirusScanner.jar identified as Trojan-SMS.J2ME.Agent.ij. Source:

Communications Sector

37. January 4, WPTV 5 West Palm Beach – (Florida) Comcast outage creates static. Some viewers in Florida were complaining January 4 they were still having problems with their cable signals. Comcast viewers continued to complain about spotty service a day after an outage affected thousands of customers. The outages experienced the afternoon of January 3 were due to a software problem at Comcast’s distribution site, a company spokesman said. The outage affected some standard definition channels and most high definition (HD) channels for about 45 minutes January 3. Cable services were fully restored to all Comcast customers, the spokesman said. The outage that occurred January 3 affected the same customers affected by an outage the night of January 2. The electrical problem that occurred January 2 may have caused the software problem January 3, he said. Source:

38. January 3, WHP 21 Harrisburg – (Pennsylvania) WIOO back on the air. WIOO 1000 AM/97.9 FM in Carlisle, Pennsylvania, resumed broadcasting January 3. It is broadcasting directly from the transmitter as most of the equipment was destroyed by a January 1 fire. The phone system has not been replaced yet, but the station is playing music and commercials. The electrical fire started at 1:30 p.m., and badly damaged the building. Source:

For another story, see item 36 above in the Information Technology Sector