Thursday, November 15, 2012

Daily Report

Top Stories

 • Authorities recovered $1.5 million in copper plates stolen from the Asarco plant in Hayden, Arizona, the Associated Press reported November 13. – Associated Press

4. November 13, Associated Press – (Arizona) Authorities recover $1.5 million in stolen copper. Authorities recovered $1.5 million in copper plates stolen from the Asarco plant in Hayden, Arizona, the Associated Press reported November 13. An Arizona Department of Public Safety spokesman said the case began in late September with the recovery of $300,000 in copper plates that were found in the back of a commercial vehicle during a traffic stop and later at a warehouse in Marana. The spokesman said the warehouse was supplying copper to a scrap metal yard in the Los Angeles area and that federal authorities moved to stop the shipment of those items to China. Source:

 • There are 10,000 active identity theft crime rings across the U.S., with the greatest concentration in a “ring of fraud” that stretches across the Southeast United States, according to a new report by fraud-fighting firm ID Analytics. – NBC News See item 5 below in the Banking and Finance Sector

 • A Mexican federal police commander was arrested November 13 and charged with providing false information in the case of 14 officers accused of ambushing a U.S. Embassy vehicle in August. – Associated Press

23. November 14, Associated Press – (International) Mexican police commander linked to attack on U.S. Embassy vehicle. A Mexican federal police commander was arrested and charged with providing false information in the case of 14 officers accused of ambushing a U.S. Embassy vehicle in August, authorities said November 13. Initial reports on the shooting, which wounded two CIA agents, said federal police mistook the embassy SUV for a criminal vehicle, but officials later said it appeared to be an intentional attack and raised the possibility it was staged at the behest of a drug cartel. The inspector general was jailed November 12, accused of lying to authorities about what happened in the August 24 attack south of Mexico City, two government officials familiar with the case said. The 14 officers, who were formally charged with attempted murder last week, were in plain clothes and civilian vehicles when they chased and fired at the gray Toyota SUV with diplomatic plates, then peppered the windows of the armored vehicle with 152 bullets when it came to a stop. Two CIA officers, whose identities have not been released by the U.S. government, had non-life-threatening injuries, and a third person in the car, a Mexican navy captain, was not hurt. The officers so far do not face organized crime charges. However, the Mexican attorney general’s office has said the investigation is continuing, and it is still exploring whether the officers had links with organized crime. Source:

 • A former Dixon, Illinois comptroller was scheduled to plead guilty to stealing $53 million of public money while overseeing the town’s public finances beginning in 1990 and siphoning it into a secret bank account. – Associated Press

27. November 14, Associated Press – (Illinois) Ex-comptroller to plead guilty in $53M scam. The former comptroller of Dixon, Illinois, was scheduled to plead guilty to a federal charge that accuses her of stealing $53 million of public money while overseeing the town’s public finances and siphoning it into a secret bank account, a U.S. attorney’s spokesman said, according to the Associated Press November 14. She is accused of using her modestly paid town hall job to steal tax dollars that supported an extravagant way of life and won her national fame as a horse breeder. Prosecutors allege she began stealing the money in 1990. She had been working for the town since she was 17 and started to oversee the town’s public finances in the 1980s. Her scheme unraveled only after a co-worker filling in for her while she was on an extended vacation stumbled upon the secret bank account, prosecutors allege. The authorities allege she created phony invoices that she characterized as being from the State of Illinois. She then allegedly put that money from a city account into another account, which she repeatedly used for personal expenses. Source:


Banking and Finance Sector

5. November 14, NBC News – (National) 10,000 ID fraud gangs active in US, especially the Southeast, study finds. There are 10,000 active identity theft crime rings across the U.S., with the greatest concentration in a “ring of fraud” that stretches across the Southeast from Virginia to Mississippi, according to a new report by fraud-fighting firm ID Analytics, NBC News reported November 14. A majority of these rings are what the firm calls “Friends & Family” groups, not professional criminal organizations, the report concludes. The rings are most highly concentrated in Washington D.C.; Detroit; Tampa, Florida; Greenville, Mississippi; Macon, Georgia; and Montgomery, Alabama. ID Analytics compiled the results by examining its massive database of credit applications and other identity “risk events,” which includes 1.7 billion entries. The firm cross references credit applications from major banks, auto dealers, wireless firms, and other credit grantors looking for evidence of systematic identity fraud. A “crime ring” was defined by ID Analytics as two or more individuals working in concert, repeatedly submitting fraudulent applications in an attempt to commit fraud. Collusion was determined by noting when multiple members of the rings used similar personal identifying information, such as Social Security numbers, in fraud attempts. Source:
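The report’s method, as item 5 describes it, is to link credit applications that reuse the same identifying data and to treat a cluster of two or more distinct applicants with repeated fraud as a ring. The following is an added example of that linking logic, not ID Analytics’ code or its actual scoring; it runs a union-find over a handful of constructed applications, and every name, Social Security number and phone number in it is made up. The thresholds (two distinct applicants, two confirmed-fraud events) are assumptions standing in for whatever the firm actually uses.

```python
"""Link credit applications by shared identifiers and flag probable rings.

Added example, not ID Analytics' code. Mirrors the report's definition:
two or more individuals repeatedly submitting fraudulent applications that
reuse the same personal identifying information. All data is constructed.
"""
from collections import defaultdict

# Constructed sample: one record per application as a credit grantor might log it.
# "outcome" is the lender's later determination ("fraud" or "clean").
SAMPLE_APPLICATIONS = [
    {"id": 1, "applicant": "A. Smith", "ssn": "111-22-3333", "phone": "555-0100", "outcome": "fraud"},
    {"id": 2, "applicant": "B. Jones", "ssn": "111-22-3333", "phone": "555-0101", "outcome": "fraud"},
    {"id": 3, "applicant": "C. Reyes", "ssn": "444-55-6666", "phone": "555-0101", "outcome": "fraud"},
    # One person reusing their own data twice is repeat fraud, not a ring.
    {"id": 4, "applicant": "D. Lee", "ssn": "777-88-9999", "phone": "555-0200", "outcome": "fraud"},
    {"id": 5, "applicant": "D. Lee", "ssn": "777-88-9999", "phone": "555-0200", "outcome": "fraud"},
    {"id": 6, "applicant": "E. Park", "ssn": "222-33-4444", "phone": "555-0300", "outcome": "clean"},
]

# Identifier fields whose reuse across applications links them (assumption).
LINK_FIELDS = ("ssn", "phone")


def find_rings(applications, min_members=2, min_fraud_events=2):
    """Group applications that share an identifier value; return clusters that
    contain at least `min_members` distinct applicants and `min_fraud_events`
    applications later judged fraudulent."""
    parent = {app["id"]: app["id"] for app in applications}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Index applications by (field, value); any value seen twice links its applications.
    by_value = defaultdict(list)
    for app in applications:
        for field in LINK_FIELDS:
            by_value[(field, app[field])].append(app["id"])
    for ids in by_value.values():
        for other in ids[1:]:
            union(ids[0], other)

    clusters = defaultdict(list)
    for app in applications:
        clusters[find(app["id"])].append(app)

    rings = []
    for members in clusters.values():
        member_ids = {m["id"] for m in members}
        applicants = sorted({m["applicant"] for m in members})
        fraud_events = sum(1 for m in members if m["outcome"] == "fraud")
        if len(applicants) >= min_members and fraud_events >= min_fraud_events:
            shared = sorted(key for key, ids in by_value.items()
                            if len(ids) > 1 and ids[0] in member_ids)
            rings.append({
                "applications": sorted(member_ids),
                "applicants": applicants,
                "fraud_events": fraud_events,
                "shared_identifiers": shared,
            })
    rings.sort(key=lambda r: r["applications"])
    return rings


if __name__ == "__main__":
    for ring in find_rings(SAMPLE_APPLICATIONS):
        print(ring)
```

In the sample, applications 1, 2 and 3 chain together (1 and 2 share an SSN, 2 and 3 share a phone number) and involve three different applicants, so they are reported as a ring; applications 4 and 5 are fraudulent but come from a single applicant and are not. Real deployments would add fuzzy matching on names and addresses and would weight identifiers differently, which this example does not attempt.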

6. November 14, Wall Street Journal – (International) China’s illicit flows are ‘big issue’ for money laundering. Banks face a risk from money laundering in China because of large flows of illicit money, weak controls, and the difficulties of screening names, said a new report from research and consulting firm Celent. Money laundering is “a big issue” in southern China, Celent said, because of the informal nature of capital flows there. With increased international exposure to the yuan as its use grows in commerce and finance, the report urged regulators and financial institutions “to step up efforts to curb money laundering activities.” One of the major issues is screening transactions. A survey of 25 banks with Chinese operations included in the report revealed that 60% found technology issues were a challenge in using Chinese names in international payments and 56% found the same challenge with messaging systems. Also, a questionnaire sent with the survey showed banks find local Chinese blacklists of undesirable customers harder to use than the standard list of sanctioned individuals from the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). Most banks can screen the OFAC list using technology, but one questionnaire respondent said monitoring the Chinese lists requires “eyeball checking.” Source:

7. November 13, Pensions & Investments – (National) Labor Department settles with Ivy, 3 other firms over Madoff losses. The U.S. Department of Labor (DOL) November 13 announced a $217 million settlement with four companies to resolve a series of lawsuits relating to losses from investments in Bernard L. Madoff Securities’ Ponzi scheme. The settlement was reached with Ivy Asset Management, J.P. Jeanneret Associates, Beacon Associates Management, Andover Associates Management, and their former and current owners and executives, according to the DOL’s statement. The settlement resolves litigation filed by both the DOL and the New York attorney general’s office as well as private and class-action lawsuits brought by individuals and pension plans that claimed they invested in Madoff Securities’ trading strategy on the advice of the companies. The suits, including the DOL’s, alleged the four firms and their owners and principals “misrepresented and concealed doubts and suspicions” about investment in the Madoff Securities’ trading strategy. Source:

8. November 13, Redlands-Loma Linda Patch – (California) Halo Bandit accused of robberies in Yucaipa, Hemet arrested at border. A man wanted in connection with bank robberies in Yucaipa, Hemet, San Jacinto, and Menifee, California, and a failed attempt at a Murrieta bank, was arrested November 11 at the San Ysidro border crossing when he tried to enter the U.S. from Mexico, Riverside County sheriff’s officials said November 13. The FBI nicknamed the suspect the Halo Bandit in October for the halo on his Angels ballcap. The man is suspected in the robberies of a Citibank branch in Yucaipa October 24, a bank in Murrieta about 2 hours earlier October 24, a Citibank branch in Yucaipa November 7, a Bank of America branch in Menifee September 27, and others between April and October. Source:

Information Technology Sector

33. November 14, Softpedia – (International) Malware uses social media and blogging sites as part of its C&C server. Researchers have uncovered credential-phishing attacks whose malware relies on blogging and social media Web sites as part of its command and control (C&C) infrastructure, Softpedia reported November 14. According to FireEye experts, it all starts with an attachment called “AutoCleanTool.rar.” When the file is unpacked and executed, users are presented with a small application window that prompts them to enter their full email address and its associated password. Once the credentials are handed over, the information is saved in the Windows registry, after which the malware transmits it to the attackers. Meanwhile, a directory structure is created and a malicious DLL file is dropped in a couple of locations. Once the DLL (NetCCxx.dll) is loaded, the malware first checks whether it can reach the Internet with a GET request. It then contacts a number of domains, all of which appear to be hosted on Chinese social media and blogging Web sites, and downloads a series of .jpg image files from them. The images contain 471 bytes of “unknown padding” after the JPEG End of Image (EOI) marker, which the malware reads to update itself. The data it takes from one image becomes part of a new .ini file that holds configuration details. Another part of the retrieved data contains the URL of an additional image file, which in turn carries more configuration information. Because the images are well-formed JPEGs served from legitimate sites, the malware can update itself without drawing the attention of security software. The data from the .jpg files can also be used to update the entire framework and even add new components. Source:
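The detection opportunity in item 33 is structural: a JPEG ends at its End of Image marker (bytes FF D9), so anything after it is not image data. The following is an added example, not FireEye’s or Softpedia’s code, that walks the JPEG marker layout to locate the real EOI and returns whatever trails it. It parses rather than searching for the last FF D9 because an appended payload can itself contain that byte pair. The sample image and the 471-byte payload are constructed here; the URL inside the payload is a placeholder (the .invalid domain is reserved) and not one observed in the campaign.

```python
"""Detect data appended after a JPEG's End-of-Image (EOI, 0xFFD9) marker.

Added example, not FireEye's or Softpedia's code. Walks the JPEG marker
structure instead of searching for the last 0xFFD9, so an appended payload
that happens to contain FF D9 cannot hide itself. The sample image below is
constructed, not a real photo.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
NO_LENGTH = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def find_eoi_end(data: bytes) -> int:
    """Return the offset just past the EOI marker, or -1 if the stream is not a well-formed JPEG."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return -1
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte preceding a marker
            pos += 1
            continue
        if marker == 0x00:          # a stuffed byte is illegal outside scan data
            return -1
        if marker == EOI:
            return pos + 2
        if marker in NO_LENGTH:
            pos += 2
            continue
        if pos + 4 > len(data):
            return -1
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes its own 2 bytes
        pos += 2 + seglen
        if marker == SOS:
            # Entropy-coded data follows the SOS header. Inside it, 0xFF is either
            # stuffed (FF 00) or a restart marker (FF D0..D7); any other FF xx is
            # the next real marker (normally EOI).
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and nxt != 0xFF and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return -1


def trailing_payload(data: bytes):
    """Bytes after EOI (b"" for a clean image), or None if the input is not a parseable JPEG."""
    end = find_eoi_end(data)
    return None if end < 0 else data[end:]


def build_sample_jpeg(payload: bytes) -> bytes:
    """Construct a minimal, structurally valid JPEG stream with `payload` appended after EOI.
    The scan data deliberately contains a stuffed FF 00 and an RST0 marker."""
    soi = b"\xff\xd8"
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"
    return soi + app0 + sos + scan + b"\xff\xd9" + payload


# Constructed 471-byte payload in the spirit of the report: an .ini-style config
# pointing at the next image, padded with zeros. It contains its own FF D9 pair,
# which defeats a naive "last EOI" search. The hostname is a placeholder.
SAMPLE_PAYLOAD = b"[update]\r\nnext=http://cdn.example.invalid/img/2.jpg\r\n" + b"\xff\xd9"
SAMPLE_PAYLOAD += b"\x00" * (471 - len(SAMPLE_PAYLOAD))


if __name__ == "__main__":
    img = build_sample_jpeg(SAMPLE_PAYLOAD)
    extra = trailing_payload(img)
    naive = img.rfind(b"\xff\xd9") + 2
    print("parsed EOI ends at", find_eoi_end(img), "- trailing bytes:", len(extra))
    print("naive rfind would put EOI at", naive)
```

Run over files fetched from a proxy or sandbox, a non-empty return from trailing_payload is a cheap first-pass indicator; many legitimate tools also append data after EOI (camera metadata, editors’ trailers), so treat it as a triage signal that warrants inspecting the trailing bytes, not as a verdict on its own.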

34. November 14, Business Wire – (International) Intel Corporation: McAfee Threats Report shows global expansion of cybercrime. McAfee November 14 released the McAfee Threats Report: Third Quarter 2012, which explores techniques in cybercrime as well as the global evolution of cyber exploits. The latest report uncovers new details of “Operation High Roller.” It states that mobile malware almost doubled the previous quarter’s total, and reveals an all-time high in database breaches. McAfee Labs also saw jumps in some categories of malware, including ransomware and signed binaries. Rootkits and Mac malware continue to rise, while password-stealing Trojans and AutoRun malware also trended strongly upward. Source:

35. November 14, Softpedia – (International) Experts find ransomware that works on Windows 8. Symantec has identified a variant of ransomware that works on Windows 8. Symantec experts have tested several ransomware samples to see how well they work on Windows 8. Some of the threats have not managed to lock up the infected computers and hold them for ransom, but Trojan.Ransomlock.U has no problem accomplishing the task. Trojan.Ransomlock.U is designed to display the ransom message based on the victim’s location and researchers reveal that this feature works without any problems on Windows 8. Source:

36. November 13, IDG News Service – (International) Phishing attack targets CloudFlare customers. Customers of the popular CloudFlare Web site acceleration and security service were targeted in an email attack that directed them to a fake version of the Web site. Reports about spoofed CloudFlare emails that contained links to a phishing Web site were posted November 12 on the company’s support forum by customers. The rogue messages masqueraded as CloudFlare alerts about account load limits being exceeded. Around 785,000 sites are currently configured to use CloudFlare’s DNS servers, according to a report by U.K.-based Internet research and security firm Netcraft. Source:

37. November 13, eWeek – (International) Microsoft fixes 19 security flaws in November Patch Tuesday update. Microsoft pushed out six security bulletins covering 19 vulnerabilities across Windows, Internet Explorer, and several other products November 13. Four of the six updates are rated “Critical.” MS12-071 addresses three security issues in Internet Explorer, none of which are known to be under attack. However, Microsoft indicated it expects exploit code to be available soon, and successful exploitation would allow an attacker to execute code remotely. MS12-075 addresses three vulnerabilities in the Windows kernel affecting all supported versions of Windows. The most severe would allow remote code execution if an attacker lures a user to a Web site that embeds a maliciously crafted TrueType font file. The other two critical bulletins address issues in the Windows shell (two vulnerabilities) and the .NET Framework (five vulnerabilities). In the case of the Windows shell issues, the vulnerabilities could allow remote code execution if a user browses to a specially crafted briefcase in Windows Explorer. Source:

For another story, see item 38 below in the Communications Sector

Communications Sector

38. November 14, PC Magazine – (International) Skype security issue prompts password reset shutdown. Skype, a tool that roughly 250 million users rely on for cheap, seamless international audio and video calling, suffered a security flaw that could allow anyone to change a user’s password and take over the account, PC Magazine reported November 14. According to reports, the attack can be carried out as long as the intruder knows the user’s account name and associated email address. In response, Skype temporarily disabled the password reset feature to protect users. Originally disclosed on a Russian hacker Web site, the exploit was tested and confirmed by TheNextWeb over the previous 24 hours. Source:,2817,2412100,00.asp

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site:

Contact Information

Content and Suggestions: Send mail to or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List: Send mail to

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at or visit their Web page at v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.