Monday, October 22, 2012

Daily Report

Top Stories

 • Kolon Industries Inc. and several of its executives and employees were indicted for allegedly engaging in a multi-year campaign to steal trade secrets related to DuPont’s Kevlar para-aramid fiber and Teijin Limited’s Twaron para-aramid fiber, officials announced October 18. – U.S. Department of Justice

2. October 18, U.S. Department of Justice – (National; International) Top executives at Kolon Industries indicted for stealing DuPont’s Kevlar trade secrets. Kolon Industries Inc. and several of its executives and employees were indicted for allegedly engaging in a multi-year campaign to steal trade secrets related to DuPont’s Kevlar para-aramid fiber and Teijin Limited’s Twaron para-aramid fiber, the U.S. Department of Justice announced October 18. The indictment seeks forfeiture of at least $225 million in proceeds from the alleged thefts. “Kolon is accused of engaging in a massive industrial espionage campaign that allowed it to bring Heracron quickly to the market and compete directly with Kevlar,” said a U.S. attorney. Headquartered in Seoul, South Korea, Kolon was indicted by a grand jury in Richmond, Virginia. The indictment charges Kolon with one count of conspiring to convert trade secrets, four counts of theft of trade secrets, and one count of obstruction of justice. Kevlar is produced by E.I. du Pont de Nemours and Company (DuPont), one of the largest chemical companies in the United States. Source:

 • HSBC blamed a distributed denial-of-service (DDoS) attack for the downtime of many of its Web sites worldwide October 18. – The Register See item 8 below in the Banking and Finance Sector

 • An offshore remittance company called Caribbean Transfers financed a complex money-laundering ring that moved more than $30 million in stolen Medicare money from south Florida into Cuba’s banking system, federal authorities announced October 17. – Miami Herald

28. October 18, Miami Herald – (Florida; International) Laundering ring moved Medicare money to Cuba bank, US officials say. An offshore remittance company called Caribbean Transfers financed a complex money-laundering ring that moved more than $30 million in stolen Medicare money from south Florida into Cuba’s banking system, federal authorities said October 17. The revelation surfaced in the widening case of a now-convicted check-cashing store owner who was first believed to be at the center of the money-laundering scheme. It marked the first time that investigators traced tainted Medicare proceeds to Cuba’s State-controlled bank. Prosecutors filed new conspiracy charges against the founder of the Caribbean-based company, who is at large, and two Miami-Dade County men suspected of defrauding the taxpayer-funded Medicare program. The latter defendants are accused of laundering their Medicare profits through the convicted check-cashing store owner, who did business with Caribbean Transfers. The new information about Caribbean Transfers, which prosecutors said is licensed by the Cuban government, was disclosed during the bond hearing of one of the Miami-Dade County men October 17. The U.S. attorney’s office said it has no evidence that the Cuban government was involved in the laundering scheme, and Cuban officials denied any involvement. Source:

 • Kaspersky Labs is developing a secure operating system for industrial control systems, the company’s chairman and CEO said October 16. The new system aims to protect complex industrial systems that have become the target of a variety of high-profile cyberweapons. – IDG News Service See item 45 below in the Information Technology Sector


Banking and Finance Sector

6. October 19, Associated Press – (Florida) 3rd person guilty in $39M Fla. mortgage fraud. A third person pleaded guilty in federal court to taking part in a $39 million mortgage fraud scheme involving a Fort Lauderdale, Florida condominium, the Associated Press reported October 19. A man from New York City pleaded guilty to mail and wire fraud conspiracy charges. Prosecutors said the man and six other people recruited buyers for units at the condominium. They used false mortgage applications and misrepresented the buyers’ credit standing in order to get the loans. The group then diverted a portion of the mortgage proceeds for their own use. Source:

7. October 19, Associated Press – (Pennsylvania) Pa. developer charged with bank fraud. A developer from Gladwyne, Pennsylvania, was charged with bank fraud for using false information to get more than $13 million in loans from two banks. The U.S. attorney’s office in Philadelphia said October 18 that the developer was charged with bank and wire fraud and making false statements to banks. A U.S. attorney said the developer induced Boyertown-based National Penn Bank in 2007 and the former Wilmington Bank in 2008 to lend him $13 million on the basis of fraudulent securities statements. His attorney said her client had already admitted wrongdoing. Source:

8. October 19, The Register – (International) HSBC Web sites fell in DDoS attack last night, bank admits. HSBC blamed a distributed denial-of-service (DDoS) attack for the downtime of many of its Web sites worldwide October 18. Readers told The Register that they were unable to reach the HSBC UK and First Direct Web sites, leaving them unable to carry out Internet banking services. The problems lasted for around 7 hours. In a statement, HSBC said attacks affected customers worldwide, and reassured clients that sensitive account data was not exposed by the attack. Security researchers analyzing the earlier attacks quickly came to the conclusion that they were largely powered by botnet networks of malware-infected PCs. An EMEA Solutions architect team lead at Arbor Networks said: “Recent attacks have used what we call multi-vector attacks, attacks which utilize a combination of volumetric, and application layer attack vectors. What we are seeing here are TCP, UDP, and ICMP packet floods combined HTTP, HTTPS, and DNS application layer attacks.” Source:

9. October 19, KNSD 7 San Diego – (California) ‘Chubby Bandit’ sought in robbery series. FBI investigators said the man known as the ‘Chubby Bandit’ is responsible for five bank robberies and one attempted robbery in San Diego County, KNSD 7 San Diego reported October 19. Investigators said the first robbery happened October 9 at a US Bank branch in Poway. October 11 a similar suspect description was reported in the robbery at Chase Bank in Carlsbad. Officials said the same suspect attempted to rob a Chase Bank October 13 in Solana Beach. Then he robbed a Wells Fargo Bank in Encinitas October 15, and a US Bank in Carlsbad October 16. October 18, the suspect is believed to have robbed a bank located inside a Rancho Bernardo grocery store. The suspect used a demand note and made verbal demands, and also verbally threatened and gestured to have a gun during his robberies officials said. Source:

10. October 19, Associated Press – (North Dakota; Arizona) Arizona pair due in ND court on bank fraud charges. Two executives from a defunct Arizona mortgage lender were due in a North Dakota federal court October 19 to hear charges against them alleging that they swindled Bismarck, North Dakota-based BNC National Bank out of at least $26 million. The two men are charged with conspiracy to commit bank fraud and wire fraud, and court records indicated they might enter pleas during the hearing. One was the CEO of American Mortgage Specialists Inc. (AMS) and the other was the company’s vice president in charge of lending operations. Authorities said AMS defrauded BNC by providing it with false financial statements and other information about the status of loans the bank had financed. A printout obtained by a BNC employee in April 2010 showed that few loans at AMS remained to be sold, according to court documents. “The printout revealed that approximately $565,000 of loans remained to be sold, rather than the approximately $27 million of loans which were shown in BNC records as being held for sale to investors,” a federal affidavit reads. “BNC ceased funding the loans, and AMS closed its operations.” Source:

11. October 18, Reuters – (International) Ally Financial latest US bank to face cyber attacks. October 18, Ally Financial became the latest U.S. financial institution to face a cyberattack. Bank of America, Wells Fargo, and other banks in recent weeks have suffered so-called distributed denial-of-service (DDoS) attacks in which hackers use a high volume of incoming traffic to delay or disrupt customer Web sites. Regional bank BB&T and credit card issuer Capital One confirmed disruptions earlier the week of October 15. A spokeswoman for Ally said the bank was investigating the “unusual traffic” on its Web site. Banks have stressed that customer accounts and information was not at risk, but the attacks have highlighted the growing threat from hackers against U.S. infrastructure. Source:

12. October 18, Bloomberg News – (New York; International) Hedge fund manager pleads guilty to forex fraud. A hedge fund manager who fled the United States after being accused of swindling clients admitted to running a scheme to cheat investors out of $5 million, Bloomberg News reported October 18. The man pleaded guilty to wire fraud before a U.S. District Judge in Brooklyn, New York, prosecutors said in an emailed statement. The man controlled foreign-currency hedge funds Century Maxim Fund Inc. and AJR Capital Inc., and had faced mail-fraud, wire-fraud, and money-laundering charges. The man was indicted in 2006 after fleeing the country in 2005. He traveled to Mexico, Panama, and Poland, where he assumed a false identity using a fraudulent Russian passport. He was arrested in Poland in May 2011 and extradited to the United States in August. He also operated an investment scheme while in Panama. He stole from more than 100 clients who gave him $5 million in 2004 and 2005 to invest, prosecutors said. He gambled more than $3 million at a casino in Connecticut, according to prosecutors. He told the investors he would invest their money in the stock market and foreign currency exchange market. He falsely said that he had a history of profitable trading and that he would use a “stop-loss” mechanism to ensure that no trade would lose more than 3 percent, the government said. Formerly of Staten Island, New York, the manger fled the United States while on supervised release after leaving prison in April 2003 for a conviction in a foreign-exchange scheme, according to prosecutors. He pleaded guilty in that case after being extradited from France. Source:

13. October 18, U.S. Federal Bureau of Investigation – (Texas) Former Houston attorney pleads guilty to $7.8M investment scheme. A former attorney residing in Houston pleaded guilty to one count of wire fraud in connection with his investment fraud scheme that victimized more than 20 investors of approximately $7.8 million, a U.S. attorney announced October 18. During the past 10 years, the attorney held himself out to friends and potential investors as being involved in the real estate investment business. While he did conduct some legitimate business activity during this time period, a substantial portion of the funds he solicited were simply part of a Ponzi scheme he was operating in an effort to satisfy old debts and to fund his personal lifestyle. In acknowledging his criminal conduct, the attorney admitted to using a variety of ploys to perpetuate his Ponzi scheme, all of which involved falsely representing to investors the existence or nature of various real estate investment opportunities, accepting funds from investors under such false pretenses, and then using the investor funds in a manner other than as represented to investors. Source:

14. October 18, Salt Lake Tribune – (Utah) FBI offers $5,000 reward for ‘Bundled Up Bandit’. Federal and local Utah law enforcement agencies are offering a $5,000 reward for information leading to the arrest of a serial bank robber known as the “Bundled Up Bandit,” the Salt Lake Tribune reported October 18. A FBI spokeswoman said that the suspect, known for wearing multiple layers of concealing clothing, a knit cap, and sunglasses, is believed to have held up three Utah banks in the past month. The most recent robbery happened October 17 when the suspect walked into a Bank of the West in Cottonwood Heights. Just moments after the bank had opened, he handed a note to a teller demanding cash — and claimed to have both a gun and a bomb. The teller handed over an unspecified amount of cash and the suspect fled on foot. Source:

15. October 17, Bank Systems and Technology – (National) One in four customers are card fraud victims, study finds. A new study looking at the behavior and concerns of customers worldwide concerning card fraud was released October 17 by payments solutions provider ACI Worldwide and the Aite Group, a research firm. The 2012 fraud report, titled “Global Consumers React to Fraud: Beware Back of Wallet,” found that 27 percent of global consumers had been hit by credit card fraud over the past 5 years. Many of those who experienced fraud turned to using cash, checks, or other cards more after receiving a replacement card. The study found that 46 percent of customers who received a replacement card because of a data breach or other fraud activity used the card less than before. The study asked more than 5,200 customers in more than 17 countries around the globe if they had experienced card fraud and how that had changed their consumer behavior. The percentage of respondents who had experienced fraud in the last 5 years stayed consistent with the 2011 report findings, but there was a sharp increase in the number of respondents who had experienced fraud more than once in the last 5 years. This year 14 percent of the respondents had been victimized by fraudsters multiple times, compared to only 6 percent last year. Source:

Information Technology Sector

38. October 19, ZDNet – (International) ‘Major interruption’ at GitHub as attackers launch DDoS. Code sharing repository GitHub was hit by a distributed denial-of-service (DDoS) attack, causing major disruptions to its services. GitHub began investigating the issue at 1:05 p.m. PST, and by 1:33 p.m. PST, alerted its community to the attack. By 3:52 p.m. PST, it rectified the issue and reported everything was operating normally. GitHub wrote on its status page that it was looking into implementing “additional mitigation strategies to harden ourselves against future attacks.” GitHub also experienced a series of DDoS attacks in February, and like those previous attacks, no one is claiming responsibility for this latest disruption. Source:

39. October 19, Softpedia – (International) US election-related news planted in malicious airline emails to avoid spam filters. Malicious emails purporting to come from airline companies are not new. They inform the recipient that a ticket has been purchased using their credit card and point to an attached file for additional details. However, the more recent airline scams come with a twist. In an effort to evade spam filters, the cyber criminals started adding legitimate-looking text to the end of the email. This text would look highly suspicious if they appeared at the end of an airline notification, so the crooks set the font to white to make it invisible. Although the recipient does not see anything, spam filters do, and considering that the topic is related to the upcoming U.S. presidential elections, the anti-spam mechanisms might view them as legitimate and let the email pass through to the user’s inbox. Source:

40. October 19, Softpedia – (International) MUSTAN malware avoids infecting certain files to hide its presence. Trend Micro experts analyzed a piece of malware called PE_MUSTAN.A, a threat believed to be connected to the old WORM_MORTO.SM. The malicious element is interesting not just because of the way it spreads from one computer to the other, but also because of the mechanisms it uses to stay hidden. Researchers found that MUSTAN spreads throughout networks via the Remote Desktop Protocol by brute forcing weak passwords. “If certain user name and password combinations are in use, the malware will be able to gain access and start infecting files on the new system. This behavior is similar to WORM_MORTO,” a Trend Micro senior threat response engineer explained. Once it infects a computer, the malware uses all the available drives, network shares, and the Remote Desktop Protocol in order to spread. It infects all .exe files, except for the ones located in folders such as “Common Files,” “Internet Explorer,” “Messenger,” “Microsoft,” “Movie Maker,” “Outlook,” “qq,” “RECYCLER,” “System Volume Information,” “windows,” and “winnt.” It is believed the .exe files from these folders would cause application crashes if they were infected, and thus reveal the malware’s presence. That is why MUSTAN avoids compromising the files from these locations. Source:

41. October 19, Softpedia – (International) Fake Lookout Mobile Security update steals files from Android users. Lookout recently warned customers about an application on Google Play that mimicked an update for their Android application. Experts from TrustGo analyzed the threat after the malicious element was removed from the online store. According to researchers, once installed on an Android smartphone, the malware — Trojan!FakeLookout.A — was capable of stealing SMS and MMS messages and uploading them to a remote server via FTP. The trojan also sent its controllers a list of the files present on the device’s SD card. Based on this list, cyber criminals could upload specific files. TrustGo experts accessed the FTP server on which the stolen files were stored and they found not only SMS messages but also some video files. The server, apparently located somewhere in Colorado, also hosts a malicious Web Site designed to drop a backdoor trojan. This Web Site serves the malware to Windows users and also to ones running Mac OS and Linux operating systems. Depending on the OS, the site drops a different trojan. The malware found on Google Play is just a part of a larger attack. Judging by the complexity of the campaign, it is likely the cybercriminals who orchestrate it will somehow resurrect the Android trojan and disguise it as another legitimate-looking app. Source:

42. October 19, The H – (International) Encryption found insufficient in many Android apps. Researchers discovered catastrophic conditions when analyzing Android applications that use encryption: more than 1,000 of the 13,500 most popular Android apps showed signs of a flawed and insecure implementation of the SSL/TLS encryption protocol. Tests performed on 100 selected apps confirmed that 41 of them were vulnerable to known attacks. The researchers harvested users’ bank and credit card details as well as the access tokens for their Facebook, Twitter, email accounts, and messaging services. The vulnerabilities the researchers found can be divided into 2 categories: 20 apps simply accepted any certificate, while the other 21 did check whether the certificate carried a valid signature, but did not verify whether it was issued to the correct name. This allowed the security experts to fool the anti-virus software with a valid certificate for its own server. Source:

43. October 19, The H – (International) Microsoft and Secunia warn of FFMpeg vulnerabilities. Microsoft provided details of several critical vulnerabilities in older versions of FFmpeg’s open source video codec tools and libraries; these could allow an attacker to execute arbitrary code on a system by getting users to open a specially crafted media file. This would execute the malicious code with the same permissions as the user. Another issue reported by Secunia could have the same effect. For the Microsoft flaws, all versions of FFmpeg up to and including 0.10 are vulnerable, while for the Secunia issue, versions up to and including 0.11.2 are affected. The Microsoft-discovered vulnerabilities are present in the libavcodec library which suffers from memory corruption when parsing ASF, QuickTime, and Windows Media Video files. Source:

44. October 18, BBC News – (International) French hacker ‘admits app fraud’ in Amiens. A hacker admitted to spreading a virus via smartphone applications that defrauded thousands of victims after he was arrested in the city of Amiens in northern France. Prosecutors said he stole tiny sums from 17,000 people, amassing about $650,000 since 2011. Working from his parents’ home, he snared victims with free downloads designed to look like original apps, they said. However, in the background, the apps worked to steal money via hidden transactions. It appears smartphones that use Google software were the most susceptible, according to a BBC correspondent in Paris. Once the fake applications were downloaded, the virus sent a text message without the user’s knowledge to a premium-rate number the hacker set up. There were also programs that sent him the log-on codes for gaming and gambling Web sites to which the victims subscribed. Source:

45. October 17, IDG News Service – (International) Kaspersky to develop a secure OS for industrial control. Russian security firm Kaspersky Lab is developing a secure operating system for industrial control systems (ICS), the company’s chairman and CEO said October 16. The new system aims to protect complex industrial systems that have become the target of a variety of high-profile cyberweapons such as Stuxnet, Duqu, Flame, and Gauss. Most control systems were not created with security in mind, which is the reason that most information exchange protocols in supervisory control and data acquisition (SCADA) systems and programmable logic controllers (PLCs) require no user identification or authorization. Kaspersky plans to build the operating system with the help of ICS vendors and users and use entirely new code. To be fully secure, the core must be fully verified to not permit vulnerabilities or dual-purpose code. The kernel also needs to contain a very bare minimum of code, and that means that as much code as possible, including drivers, needs to be controlled by the core and be executed with low-level access rights, according to the analysis by the Lab. Source:

Communications Sector

46. October 18, County 10 – (Wyoming) Strong winds knock down a tower in eastern Fremont County. The October 16 wind storm that blew through Fremont County, Wyoming, knocked out one of’s service towers. The company’s vice president said the tower that fell was near Shoshoni and served the Town of Shoshoni and parts of the rural Missouri Valley area. Internet service to those customers was interrupted by the fall. The director of Sales, Marketing, and Public Policy said a return of service date to affected customers has not yet been determined. He added that the company had to essentially rebuild the tower. Source:

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site:

Contact Information

Content and Suggestions: Send mail to or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List:     Send mail to

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at or visit their Web page at v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.