Thursday, March 8, 2012

Complete DHS Daily Report for March 8, 2012

Daily Report

Top Stories

• A federal court in Illinois permanently barred two women and four companies from operating a scheme where they helped high-income individuals shield hundreds of millions from income taxes. – U.S. Department of Justice. See item 16 below in the Banking and Finance Sector.

• A community of 65 families near Lamont, California, has been without water for nearly a week after a community well broke. – KGET 17 Bakersfield (See item 26)

26. March 6, KGET 17 Bakersfield – (California) Dozens of families near Lamont without water. A community of 65 families near Lamont in Kern County, California, has been without water since March 2 after the community well broke, KGET 17 Bakersfield reported March 6. It is believed a wall in the well is caving and sand got in, mixed with the water, and burned out the pump. The company that runs the well, Athal Mutual Water, has come under scrutiny from residents before. After reports of leaks and claims the well was running dry, residents were still billed big fees. A company spokeswoman said they were awaiting a camera scope snake to go into the well to give them a better idea for a fix. If the wall is still somewhat sturdy, they can put a temporary pump in and force water to a higher level allowing the sand to stay at the bottom. Otherwise, the community will need a brand new well which could take up to a month to complete. Athal planned to contact state officials to see if they could supply water storage to residents while they work to fix the problem. Source:

• Correctional officers at Folsom State Prison in California fired pepper spray, nonlethal rounds, and warning shots to quell a wild melee involving up to 70 suspected gang members. – Sacramento Bee (See item 31)

31. March 7, Sacramento Bee – (California) Guards quell riot at Folsom State Prison. Correctional officers at Folsom State Prison in Folsom, California, put down a wild prison melee involving up to 70 suspected gang members March 6, firing pepper spray and nonlethal rounds to quell the riot. No serious injuries were reported in the clash that broke out between two apparent rival gang factions. The brawl prompted correctional officers to summon reinforcements from the nearby California State Prison, Sacramento, said a corrections agency spokesman. The incident ultimately was brought under control by the first responding officers from the old Folsom Prison. They used pepper spray and nonlethal, sponge-tipped rounds to drive back the combatants and also fired warning shots into the ground. Several inmates were treated for cuts and scrapes, but no correctional officers were injured, the spokesman said. The prison was kept on security alert March 6 after the incident. Source:

• A federal judge extended an operation that will keep hundreds of thousands of users infected with the DNS Changer malware connected to the Internet until they can clean their machines. – Computerworld. See item 41 below in the Information Technology Sector.


Banking and Finance Sector

12. March 7, Fort Worth Star-Telegram – (Texas) River Oaks bank manager accused of $2 million fraud. A former Bank of America branch manager in River Oaks, Texas, is accused of defrauding the company by making cash withdrawals of more than $2 million from bank customers’ accounts. A U.S. attorney alleged in court documents filed March 6 that the manager “fraudulently used customer names and bank account numbers to fill out withdrawal slips” as well as sometimes forging customers’ signatures. She faces federal charges of bank fraud. All told, the manager’s transactions totaled over $2 million, with Bank of America’s losses at more than $1 million. The charges allege the manager, using her supervisory capacity, withdrew cash through tellers by telling them the withdrawal was on behalf of long-time customers with whom she had a relationship and who were waiting in her office. However, she never withdrew more than $10,000 to avoid mandatory currency transaction reports. To prevent customers from finding out, she would block bank statements from being mailed to them. The withdrawals began as far back as 2002 and continued until April 20, 2011, court documents said. Source:

13. March 6, Associated Press – (Georgia) FDIC sues 12 former directors of failed Georgia bank for $11 million. Federal bank regulators March 5 sued 12 former directors and officers of a failed Georgia bank that collapsed less than 6 years after it was formed. The Federal Deposit Insurance Corporation (FDIC) accused the operators of Freedom Bank of Georgia in Commerce of overly aggressive lending practices that focused too much on high-risk loans. It said the bank failed to conduct a cash flow analysis for all its borrowers and did not do enough market research. The agency said the loose policies meant the bank’s financial condition deteriorated even as it grew rapidly. The bank was closed in March 2009, costing the FDIC about $48 million. The agency is seeking $11 million in damages. Source:

14. March 6, New York Daily News – (New York) Queens man pleads guilty to three bank robberies. A prolific robber pleaded guilty March 6 to 3 bank jobs in New York City and the feds will give him a pass on 16 additional heists he committed in 2011. Once the FBI identified the man as a suspect, he gave them all the clues they needed on his Facebook page. According to court papers, 47 minutes before he held up a Chase Bank in Brooklyn July 2011 he posted: “I Gotta Get That $$$$$ Man!!!!” He also posted photos in which he was wearing the same hooded sweatshirt that he wore for several of the robberies. On July 11, three photos on his Facebook page showed him holding nine $100 bills. Three days after he robbed a Chase Bank in Queens, he changed his Facebook profile name to that of a legendary bandit. He passed a threatening note and did not use a firearm in his crime spree. He also pleaded guilty to knocking over a third Chase bank in Brooklyn in August 2011 and faces a maximum of 20 years in prison on each robbery. He is also on the hook for about $32,000 in restitution to the banks. Source:

15. March 6, Las Vegas Review-Journal – (Nevada) Former Las Vegas man found guilty in mortgage fraud scheme. A former Las Vegas resident was convicted March 6 of conspiracy and wire fraud charges for his role in a mortgage fraud scheme that involved straw buyers and false loan applications, the U.S. attorney’s office announced. He was convicted of conspiracy to commit bank, mail and wire fraud, and seven counts of wire fraud. Authorities estimate he defrauded financial institutions out of more than $20 million. He operated several Nevada businesses that are now defunct. They included ABS Investments Group and Liberty Group Investments. From February 2005 to May 2007, he participated in a conspiracy with about 13 others to defraud federally insured banks. The scheme involved recruiting straw buyers to buy homes they had no intent to occupy. He paid the straw buyers about $5,000 each. Prosecutors said he then directed co-conspirators to prepare mortgage applications containing false data so the straw buyers could qualify for the loans. He put renters in the properties and sold them for a profit. He and his co-conspirators obtained mortgage loans for 110 houses in Las Vegas and Henderson between April 2005 and April 2007. Ten co-conspirators have been convicted of participating in the scheme. Source:

16. March 6, U.S. Department of Justice – (National) Federal court in Illinois shuts down nationwide ‘Employee Benefit Plan’ tax scheme. A federal court in Illinois permanently barred two women and four companies from operating an alleged scheme to help high-income individuals attempt to avoid income taxes by funneling money through purported employee benefit plans, the Justice Department announced March 6. According to the government complaint, the defendants claimed to promote and operate plans that provide insurance benefits to participating companies’ employees, when in fact the scheme was simply a mechanism for the firms’ owners to receive tax-free or tax-deferred income for personal use. In the most recent version of the scheme, each participant’s company made supposedly tax deductible payments to a purported benefit plan. The contributions were then allegedly transferred to an account within a company based in the Caribbean island of Anguilla, in which they were invested until the owner terminated the program and received the assets. The complaint alleged participants from across the country have transferred at least $239 million as part of the scheme, and that total contributions may exceed $300 million. Source:

17. March 6, KIRO 97.3 FM Seattle – (Washington) Man steals $1M from Seattle, Bank of America sits idly by. Prosecutors in Seattle charged a former city employee with 70 counts of theft in what they have called the “largest embezzlement of public funds in modern King County history,” according to a March 6 statement. The former employee faces 67 counts of first degree theft, and 3 counts of theft in the second degree. He is accused of stealing $1.1 million from Seattle Public Utilities (SPU) between 2008 and 2010. Prosecutors allege he diverted customer checks for water main extension projects into a personal bank account. More than 70 checks made payable to the City of Seattle or to Seattle Public Utilities were deposited into a Bank of America account owned by the employee. “It is surprising that Bank of America would open up an account for him and accept checks made out to the City of Seattle when they are not the bank the city does business with,” the prosecutor said. He indicated the city may have grounds for civil action against the bank. To date, investigators have seized $220,000 from a Bank of America account in the employee’s name and are looking into the possibility he transferred stolen money to additional accounts. Meanwhile, the city has launched a formal, independent review of SPU’s financial practices in an effort to identify accounts subject to “high risk transactions.” Source:

18. March 5, Marina del Rey Patch – (California) Marina del Rey man, 49, charged with bank fraud. A Marina del Rey, California, man and two other men were charged March 5 in federal court with bank fraud and other charges for allegedly running a credit card scheme that resulted in an estimated $600,000 in losses. The three defendants were arrested in February by special agents with Internal Revenue Service (IRS)-Criminal Investigation and inspectors from the U.S. Postal Inspection Service. A 26-count indictment against the trio charges them with conspiracy, bank fraud, access-device fraud, aggravated identity theft, and money laundering, according to a statement from the IRS. Authorities allege the men contacted Chase Bank, Bank of America, Capital One Bank, and other institutions and requested credit cards be sent to addresses they controlled using real and fake names and fictitious businesses. They then allegedly used the cards to make unauthorized withdrawals and purchases with losses estimated at $600,000. Source:

Information Technology Sector

36. March 7, IDG News Service – (International) Facebook goes down temporarily in parts of Europe. Facebook was down temporarily in parts of Europe March 7, with users in some countries outside the region also reporting problems. The federal cyberemergency team for Belgium said Facebook was hit by a distributed denial of service attack. The social network, however, said the site was unavailable in Europe because of technical difficulties, and was restored, according to news reports. Facebook did not respond to a request for comment. The social network was unavailable for about an hour in Iceland, and came up again around 8:30 a.m. GMT, said a member of the Icelandic Parliament. Source:

37. March 7, Computerworld – (International) Anonymous takes down security firm’s website, vows to fight on after arrests. Hackers claiming to belong to the Anonymous hacking collective defaced Panda Security’s PandaLabs Web site March 7 in apparent response to the arrests of five hackers March 6 in the United Kingdom and the United States. In a defiant message posted on PandaLabs’ hacked homepage, Anonymous taunted the former LulzSec leader Sabu for helping the FBI nab the hackers and vowed to carry on its hacktivist campaign regardless of the setback. They also posted what appeared to be log-in credentials of numerous PandaLabs employees. They noted the attack on the security firm’s site was in retaliation for Panda’s alleged role in helping law enforcement crack down on members of the collective. According to a statement, a Panda Security spokeswoman said the hackers obtained access to a Panda Security Web server hosted outside of Panda’s internal network. This server was used only for marketing campaigns and to host company blogs, it said. “Neither the main website nor were affected in the attack,” the statement said. “The attack did not breach Panda Security’s internal network and neither source code, update servers nor customer data was accessed. The only information accessed was related to marketing campaigns such as landing pages and some obsolete credentials, including supposed credentials for employees that have not been working at Panda for over five years,” the company said. Source:

38. March 7, The Register – (International) 2 in 3 Android anti-malware scanners not up to the job. Two-thirds of Android anti-malware scanners failed to protect against a range of malware in independent tests. AV-Test put 41 different virus scanners for Android through their paces. Almost two-thirds of these scanners are not yet suitable for use as reliable products, identifying less than 65 percent of the 618 types of malware tested. Packages that detected more than 90 percent of the Android malware thrown at them included Droid security software from Avast, Dr Web, F-Secure, Ikarus, Kaspersky, Zoner, and Lookout. Products that picked up more than 65 but less than 90 percent of Android malware included applications from established desktop companies (AVG, Bitdefender, ESET, Norton/Symantec, QuickHeal, Trend Micro, Vipre/GFI and Webroot) and many mobile specialists (AegisLab and Super Security). Android security products from Bullguard, Comodo, G Data, McAfee, NetQin, and Total Defense fell into the third range (detection of between 40 to 65 percent). AV-Test said these products generally provided reliable malware protection against a few families, but fell down elsewhere — probably due to inadequate mobile malware sample collection. A fourth group of Android security products provided detection rates of less than 40 percent, essentially completely unreliable. These products — none of which came from recognized security vendors — generally failed to react even when smartphone users opened the well-known Android Trojan, much less detecting anything wrong during a regular scan. Source:

39. March 6, Softpedia – (International) Spam campaigns start relying on ‘Pin It’. Pinterest grew in popularity in the past few months, reaching around 10 million users. This did not go unnoticed by spammers and other cybercriminals who started relying on “Pin It,” the equivalent of Facebook’s “Like,” in malicious campaigns. Zscaler researchers came across several sites that integrate the “Pin It” widget to ensure Pinterest is utilized as a spam propagation tool. Experts found the plot does not differ much from classic Facebook scams; in this instance, the potential victims are promised free prizes in exchange for a “Pin It.” However, the uncommon piece is that the “Pin It” button is not actually real; instead, it is a fake variant that, once clicked, redirects users to another Web site that offers more prizes. Those who find themselves on this final site are urged to fill out surveys or trial offers that earn the crooks money either by signing up the unsuspecting victim to paid phone services or via affiliated marketing mechanisms. Source:

For more stories, see items 41 and 43 below in the Communications Sector

Communications Sector

40. March 7, Softpedia – (International) Researchers find vulnerabilities in satellite TV and DVB Systems. A Polish security researcher discovered flaws in digital satellite TV set-top-boxes and Digital Video Broadcasting (DVB) chipsets, which he will present at the Hack in the Box (HITB) conference in Amsterdam May 21-25. His findings reveal a large number of digital satellite TV platforms worldwide are exposed to malicious operations due to weaknesses that exist not only in the software and the hardware of these devices but also because of the services supplied by many vendors. The expert wants to demonstrate that digital satellite TV set-top-boxes are exposed to hacking and malware infection with no user interaction required. His research shows that malware can be leveraged by a hacker to gain access over the Internet to the encrypted satellite TV programs paid by an unsuspecting user. “It will be the first ever discovery and disclosure of real malware threats in the context of the digital satellite TV platform,” he said. “And this will also be the first ever successful attack documented against digital satellite set-top-box equipment implementing Conax Conditional Access System with advanced cryptographic pairing function.” The Conax Conditional Access System was implemented worldwide for protecting paid content against illegal sharing and distribution. Source:

41. March 6, Computerworld – (International) Judge extends DNS Changer deadline as malware cleanup progresses. March 5, a federal judge extended an operation that will keep hundreds of thousands of users infected with the “DNS Changer” malware connected to the Internet until they can clean their machines. Meanwhile, Internet Identity (IID), which is monitoring the cleanup efforts, said March 6 it had seen a “dramatic” decrease in the number of computers infected with DNS Changer. DNS Changer, which at its peak infected more than 4 million Windows PCs and Macs worldwide, was the target of a major takedown led by the U.S. Department of Justice in November 2011. The malware hijacked users’ clicks by modifying domain name system (DNS) settings to send URL requests to the criminals’ own servers, a tactic that shunted victims to hacker-created sites that resembled the real domains. As part of the “Operation Ghost Click” takedown and accompanying arrests of 6 Estonian men, the FBI seized more than 100 command-and-control servers hosted at U.S. data centers. To replace those servers, a federal judge approved a plan where substitute DNS servers were deployed by the Internet Systems Consortium, the non-profit group that maintains the popular BIND DNS open-source software. Without the server substitutions, DNS Changer-infected systems would have been immediately severed from the Internet. March 5, a U.S. district court judge extended the deadline for shutting down the replacement servers by 4 months, from March 8 to July 9, 2012. Two weeks ago, authorities argued that victims needed more time to wipe DNS Changer from computers before their connections were cut off. Source:

For more stories, see items 36, 38, and 39 above in the Information Technology Sector.