Friday, July 6, 2012
Daily Report
Top Stories
• Six days after violent storms hit the United
States, more than 500,000 homes and businesses remained without power from Ohio
to Virginia as a heat wave baked much of the nation July 5. – Reuters
1. July 5, Reuters – (National) 500,000
customers still without power after storms. Six days after violent storms
hit the United States, more than 500,000 homes and businesses remained without
power from Ohio to Virginia as a heat wave baked much of the nation July 5.
Nearly a third of electricity customers in West Virginia, home to 1.9 million
people, were without power, making it the hardest hit State. Utilities warned
that some people could be without power for the rest of the week in the
worst-hit areas. Temperatures in Charleston were expected to reach 95 degrees
and top 100 degrees July 6-7. The storms crossed the eastern United States with
heavy rain, hail and winds reaching 80 miles per hour June 29, leaving more
than 4 million homes and businesses without power, and the record heat that
followed has killed at least 23 people. Source: http://www.reuters.com/article/2012/07/05/us-usa-weather-power-idUSBRE8640QK20120705
• A new version of the Sykipot trojan is
targeting unsuspecting computer users, including attacks on attendees of an
international aerospace conference, according to researchers. – Threatpost
13. July 3, Threatpost – (International) New
version of Sykipot trojan linked to targeted attacks on aerospace industry. According
to researchers at the security firm AlienVault, a new version of the Sykipot
trojan is being pushed to unsuspecting users in a wave of online attacks,
including targeted attacks on attendees of an international aerospace
conference, Threatpost reported July 3. The attacks use exploits for recently
disclosed security holes, such as Microsoft's Windows XML Core Services
vulnerability first disclosed in June. The new Sykipot variant also uses a
collection of recently registered Web domains to issue malicious attacks. Most
were registered in the last month and are linked to the same yahoo.com e-mail
address, AlienVault disclosed. At least one of the new domains was linked to
targeted phishing-email attacks on attendees of the IEEE Aerospace Conference
(the International Conference for Aerospace Experts, Academics, Military
Personnel, and Industry Leaders), AlienVault said. Source: http://threatpost.com/en_us/blogs/new-version-sykipot-trojan-linked-targeted-attacks-aerospace-industry-070312
• Lemont, Illinois police suspect someone
hacked into the village’s tornado siren system, causing all seven sirens to
sound for about 30 minutes, the police chief said. – Chicago Tribune
50. July 3, Chicago Tribune – (Illinois) Hacker
may have targeted Lemont's tornado sirens. Lemont, Illinois police suspect
someone hacked into the village’s tornado siren system, causing all seven
sirens to sound for about 30 minutes, the police chief said July 3. Three
sirens were activated inexplicably in Evanston June 30, including two at fire
stations, officials said. “Those sirens can only be triggered by our 911
dispatch center,” said the city’s division chief of life safety services. “It’s
not something that just anyone can do. We’re not certain on the source.” Source:
http://articles.chicagotribune.com/2012-07-03/news/chi-police-hacker-lemont-tornado-siren-20120703_1_tornado-sirens-sound-warning-radio-signal
• For the second time in weeks, Symantec
security researchers uncovered a computer worm that forces network printers at
organizations to suddenly print reams of useless data. – IDG News Service. See item 58 below in the Information Technology Sector.
Details
Banking and Finance Sector
16. July 5, Softpedia – (International) Fraud alert: ZeuS malware steals banking
details via fake login pages. Security experts from Threat Metrix and the
United Kingdom’s Action Fraud warned Internet users to be on the lookout for a
new variant of the infamous Zeus malware that attempts to steal sensitive data
by posing as genuine log-in pages, Softpedia reported July 5. The fraud starts
with a normal log-in page, but once unsuspecting users enter their credentials,
they are presented with a Web page that requests credit card information. In
the case of social media sites, the victim is notified that by completing the
form he can link his payment card to the account to make the acquisition of
Facebook credits easier. This operation allegedly also offers enhanced security
and even 20 percent cash back. The trojan is also able to adjust balances so
victims are unaware of the fraudulent transactions. Customers of payment
processors and companies from the retail industry are also at risk since most
Web sites can be easily replicated, and for each situation the fraudsters can
come up with apparently legitimate reasons for why the victim must provide
credit card details. Source: http://news.softpedia.com/news/Fraud-Alert-ZeuS-Malware-Steals-Banking-Details-Via-Fake-Login-Pages-279372.shtml
17. July 5, IDG News Service – (Maine; National) Federal appeals court raps bank over shoddy
online security. Patco Construction Company of Sanford, Maine, may stand a
greater chance of recovering some of the $345,000 it lost in fraudulent wire
transfers that it blamed on poor online banking practices of its bank after a
federal appeals court found the bank's online security measures were not
"commercially reasonable," IDG News Service reported July 5. The
company sued Ocean Bank, now called People's United Bank, after fraudsters made
six wire transfers using the Automated Clearing House (ACH) transfer system,
amounting to more than $588,000 in May 2009. About $243,000 was recovered. In
its decision, the appeals court cited a critical mistake made by Ocean Bank as
ACH fraud had become more prevalent. In June 2008, Ocean Bank decided to
initiate "challenge questions" for any transactions for its customers
valued at more than $1. Since the answers to the questions were displayed every
time Patco made a transfer, this "increased the risk that such answers
would be compromised by keyloggers or other malware that would capture that
information for unauthorized uses," the ruling said. The court also found
Ocean Bank was not monitoring its transactions for fraud, nor notifying
customers before a suspicious transaction was allowed to proceed, both
capabilities it possessed with its security system. Source: http://www.computerworld.com/s/article/9228796/Federal_appeals_court_raps_U.S._bank_over_shoddy_online_security
18. July 3, Costa Mesa Daily Pilot – (California; International) Man
convicted of credit card fraud. A Los Angeles man arrested in Costa Mesa,
California, in August 2011 was convicted of stealing credit cards from the
elderly, and was part of a network including conspirators from the United
Kingdom, the Costa Mesa Daily Pilot reported July 3. The man was convicted the
week of June 25 of six felonies, including charges of aggravated identity
theft, bank fraud, and credit card fraud. Police said the man tried to flee
after an employee discovered the card used was stolen and called police, but
was caught and taken into custody. Costa Mesa police contacted and worked with
federal authorities, who prosecuted an overarching case. Federal authorities
said the man took control of about a dozen credit cards in a conspiracy
involving British members who would allegedly impersonate cardholders and ask
for replacement credit cards to be sent to different southern California drop locations.
The Britons told credit card companies they were traveling in Southern
California and would be making large purchases, according to the Department of
Justice. The convicted man and others picked up the new credit cards, and,
using the fake IDs, tried to buy more than $250,000 in luxury items. Source: http://articles.dailypilot.com/2012-07-03/news/tn-dpt-0704-ward-20120703_1_credit-card-impersonate-cardholders-costa-mesa-police
19. July 3, Federal Bureau of Investigation – (National; International) Massachusetts
man pleads guilty to $6.9 million fraud scheme. A Boxford, Massachusetts
man pleaded guilty July 3 to engaging in a fraudulent foreign investment scheme
that defrauded at least 20 victims of more than $6.9 million. He pled guilty to
one count of conspiracy to commit wire fraud. The man claimed to be the
president of a business called Tracten Corporation, and from September 2005
through April 2008, he conspired with others to engage in a fraudulent scheme
that required investors to pay a fee that would be used to secure large letters
of credit through European financial institutions. Investors were told the
initial payment was a commitment fee necessary to secure a multi-million-dollar
letter of credit, and that they would receive a percentage monthly return on
the total amount. He admitted that in 2005, he and another co-conspirator made
multiple trips to Rome, Italy, to meet with bank officials to pitch the letter
of credit program. Despite the bank’s refusal to participate, the conspirators secured
an Internet domain name to set up an e-mail account that would appear to come
from a bank representative and created fraudulent bank letterhead that also
appeared to come from the bank. Source: http://www.fbi.gov/washingtondc/press-releases/2012/massachusetts-man-pleads-guilty-to-6.9-million-fraud-scheme
For another story, see item 51 below in the Information Technology Sector.
Information Technology Sector
51. July 5, Help Net Security – (International) Phonebook-slurping, spam-sending app found in
App Store. A malicious application that steals mobile users' phonebooks and
uploads them to a remote server was spotted on Google Play and Apple's App
Store. Kaspersky Lab researchers first thought they were detecting an SMS worm,
but after analyzing the "Find and Call" app, they discovered it was a
trojan. It asks for permission to access user contacts. Once the phonebook is
exfiltrated to the server, SMS spam messages containing a link to a page where
the free app can be downloaded are sent to all the contacts, inviting them to
use it to reach the sender. "It is worth mentioning that the ‘from’ field
contains the user’s cell phone number. In other words, people will receive an
SMS spam message from a trusted source," said the researchers.
"Malware in the Google Play is nothing new but it’s the first case that
we’ve seen malware in the Apple App Store," they noted. The Web site of
this app allows users to supposedly access their social network accounts, mail
accounts, and even their PayPal account. However, by adding money to the PayPal
account, they are actually transferring it to a company based in Singapore,
Malaysia. Both Google and Apple were notified and removed the app from their
markets. Source: http://www.net-security.org/malware_news.php?id=2174&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+HelpNetSecurity+(Help+Net+Security)&utm_content=Google+Reader
52. July 5, Inquirer – (International) Sophos discovers an Android spam botnet. Security
firm Sophos discovered Android malware that generates money for cyber criminals
by running as a spam botnet. The malware, which is thought to come from
downloading pirated programs from unofficial app stores, takes advantage of
compromised devices by sending adverts for fake pills such as discounted Viagra
and diet tablets, worthless penny stocks, and dubious electronic greeting
cards. "The messages appear to originate from compromised Google Android
smartphones or tablets," a senior security adviser at Sophos Canada said
July 5. Source: http://www.theinquirer.net/inquirer/news/2189458/sophos-discovers-android-spam-botnet
53. July 5, H Security – (International) TYPO3 updates close File Uploader
vulnerability. The TYPO3 development team released updates for all
currently supported versions of its open source content management system,
fixing a number of bugs and closing a security hole in one of the TYPO3 Core
components. According to the developers, the JavaScript and Flash Upload
Library (swfupload) used in previous versions of TYPO3 did not properly
sanitize the "movieName" parameter before calling
"ExternalInterface.call()." This vulnerability could have been
exploited by an attacker to execute arbitrary code in a browser session and
conduct cross-site scripting (XSS) attacks. Versions 4.5.0 to 4.5.16, 4.6.0 to
4.6.9, 4.7.0, and 4.7.1, as well as the 6.0 branch development releases are
affected; upgrading to TYPO3 4.5.17, 4.6.10, or 4.7.2 resolves the problem.
Source: http://www.h-online.com/security/news/item/TYPO3-updates-close-File-Uploader-vulnerability-1632768.html
54. July 5, Computerworld – (International) Microsoft to patch under-attack XML bug next
week. July 5, Microsoft confirmed it will patch a vulnerability in Windows
the week of July 9 that has been exploited by an increasing number of attacks.
Initially, experts wondered whether Microsoft would patch the XML Core Services
vulnerability in Windows that it first acknowledged June 12, but failed to fix
even as attacks leveraging the flaw steadily ramped up. Source: http://www.computerworld.com/s/article/9228828/Microsoft_to_patch_under_attack_XML_bug_next_week
55. July 4, H Security – (International) Ransomware threatens to frame user and inform
police. As well as encrypting files on a victim's computer, a new strain of
ransomware discovered by security specialist Sophos threatens to contact the
police about certain types of files if the system's owner doesn't pay a ransom
of $3,727. When trying to access data that has supposedly been encrypted, users
are presented with a message that instructs them to send a unique ID number to
an e-mail address — in this case a Gmail or Live address — to obtain a password
to unlock their files once they pay the ransom. However, according to a Sophos
researcher, the Troj/Ransom-HC trojan also tells users that if they do not pay
the ransom within 96 hours, the criminals will send a report to the police with
a "special password" that will unlock files, said to contain spamming
software and child pornography. The goal is to scare users into paying them
quickly. Source: http://www.h-online.com/security/news/item/Ransomware-threatens-to-frame-user-and-inform-police-1632338.html
56. July 4, H Security – (International) DNSChanger victims to lose internet on Monday.
July 9, the FBI will turn off the DNS server that currently intercepts
queries from DNSChanger victims. This means users infected with the malware
will be almost completely unable to access the Internet normally. Therefore,
users are advised to check whether their computers or routers use one of the
FBI-listed IP addresses for DNS queries by visiting dns-ok.us. Users can also
check their configuration manually by looking for an IP within several address
ranges. If an address from one of the ranges is already set as the DNS server
on the computer or router, it is infected with DNSChanger. Users can find out
where to locate this DNS server information for their particular case using a
wizard set up by the eco association. Future DNS queries can be made using
servers such as Google's at 8.8.8.8. Source: http://www.h-online.com/security/news/item/DNSChanger-victims-to-lose-internet-on-Monday-1632475.html
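A defender-side version of the manual check item 56 describes, added here as an example that is not part of the report, the FBI's dns-ok.us service, or the eco wizard: it parses a constructed resolv.conf-style nameserver list and flags any configured DNS server that falls inside a supplied set of rogue address ranges. The ranges below are constructed placeholders (documentation prefixes), not the FBI-listed DNSChanger ranges; substitute the published list before use.

```python
import ipaddress

# Constructed placeholder ranges: stand-ins for the FBI-listed rogue DNS ranges,
# which are not reproduced here. Replace with the published list.
ROGUE_RANGES_PLACEHOLDER = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed sample of a resolv.conf-style configuration file.
SAMPLE_RESOLV_CONF = """\
# Generated by the system's network manager
search example.test
nameserver 198.51.100.77   # inside a placeholder rogue range
nameserver 8.8.8.8         # the public resolver the article mentions
"""


def parse_nameservers(text: str) -> list[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_dns_servers(servers: list[str], rogue_ranges: list[str]) -> dict[str, str]:
    """Classify each server as 'ok', 'invalid', or 'ROGUE (<matching range>)'."""
    nets = [ipaddress.ip_network(r, strict=False) for r in rogue_ranges]
    findings = {}
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            findings[server] = "invalid"
            continue
        hit = next((str(n) for n in nets if addr in n), None)
        findings[server] = f"ROGUE ({hit})" if hit else "ok"
    return findings


def dnschanger_suspected(config_text: str, rogue_ranges: list[str]) -> bool:
    """True if any configured DNS server sits inside a listed rogue range."""
    findings = check_dns_servers(parse_nameservers(config_text), rogue_ranges)
    return any(v.startswith("ROGUE") for v in findings.values())


if __name__ == "__main__":
    for server, verdict in check_dns_servers(
        parse_nameservers(SAMPLE_RESOLV_CONF), ROGUE_RANGES_PLACEHOLDER
    ).items():
        print(f"{server:<16} {verdict}")
    if dnschanger_suspected(SAMPLE_RESOLV_CONF, ROGUE_RANGES_PLACEHOLDER):
        print("A configured DNS server is in a listed rogue range: treat the host as infected.")
```

The same check applies to a router's DNS setting once its configured server address has been read from the router's own interface.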
57. July 4, Pittsburgh Tribune-Review – (International) Lithuanian admits ID
theft plot. July 3, a Lithuanian national admitted in federal court in
Pittsburgh to selling data to an undercover FBI agent that could have
compromised the personal information of 10,000 people. The man, of Brick, New
Jersey, pleaded guilty to selling 39 log-in names and passwords for $2,000 to
the agent in 2008. An assistant U.S. attorney said the man hacked a
data-hosting center, a firm that provides individuals and other companies
computer space for Web sites, databases, and other information. The company
confirmed 32 of the names and passwords would have given someone back-door
access to the company’s computers and customer data. With that access, someone
could have intercepted financial information from online transactions and
installed viruses that would have infected other computers, the U.S. attorney
said. The Lithuanian, using the identity “Dr. Smurf,” offered the log-in
credentials for sale through a site called “Dark Market,” the U.S. attorney
said. The FBI took over the criminal exchange in 2006 and operated it for 2
years to gather information on people buying and selling identity information,
he said. The FBI said the Dark Market investigation led to the arrest of 56
people and prevented an estimated $70 million worth of thefts. Source: http://triblive.com/news/2145233-74/petrauskas-information-hull-fbi-company-fischer-selling-log-passwords-access
58. July 3, IDG News Service – (International) Security researchers link second malware
program to rogue printing incidents. A computer worm that propagates by exploiting
a 2010 Windows vulnerability is responsible for some of the recent incidents
involving network printers suddenly printing useless data, according to
security researchers from Symantec. Many companies reported unauthorized
printing incidents in recent weeks, prompting antivirus firms to investigate
the possible causes. June 21, Symantec reported the rogue printouts were the
result of computers being infected with a trojan program called
Trojan.Milicenso. However, they have determined the propagation routine of a
separate piece of malware, a worm called W32.Printlove, can cause similar
problems, a Symantec researcher said July 2. W32.Printlove infects other
computers on the local network by exploiting a remote code execution
vulnerability in the Microsoft Windows Print Spooler service patched in
September 2010. Identified as CVE-2010-2729, this vulnerability was also
exploited by the Stuxnet industrial sabotage worm to spread. The rogue printing
behavior can occur when W32.Printlove unsuccessfully attempts to infect a
Windows XP computer connected to a shared network printer. Source: http://www.computerworld.com/s/article/9228778/Security_researchers_link_second_malware_program_to_rogue_printing_incidents
59. July 3, Softpedia – (International) All Carberp cybercriminals arrested, but
infection rates still high. Experts from ESET and Russian firm Group-IB
have been closely monitoring the activities of Carberp botnets and their
masters. They stated all the cybercriminals involved in these operations were
arrested. The number of infected devices declined immediately after each series
of arrests. Currently, however, the number of impacted computers is still high.
"All the Carberp botnet organizers have been arrested, but our statistics
aren't showing a big drop in detections. The Russian region leads as before for
Carberp detections and after the arrests it showed a brief dip," said
ESET's Security Intelligence team lead. Source: http://news.softpedia.com/news/All-Carberp-Cybercriminals-Arrested-but-Infection-Rates-Still-High-278888.shtml
For more stories, see item 13 above in Top Stories and items 16 and 17 above in the Banking and Finance Sector.
Communications Sector
61. July 3, Washington, D.C. Hill – (National) FCC examining storm damage to
area phone networks after 911 calls failed. The Federal Communications
Commission (FCC) was looking into the damage that the massive storm that swept
from the Midwest into the Northeast June 29 caused to wireless and landline
phone networks in the mid-Atlantic, the Washington, D.C. Hill reported July 3.
As of early July 2, 16 percent of cell towers in West Virginia were still
disabled. Nearly 11 percent of Maryland's towers were down, as well as 9
percent in Virginia, and 3 percent in Washington, D.C., according to the FCC.
Widespread power outages also caused problems for many 9-1-1 call centers in
the region. Source: http://thehill.com/blogs/hillicon-valley/technology/236133-fcc-looking-into-damage-to-phone-networks-from-storm
For more stories, see items 51 and 52 above in the Information Technology Sector.