Federal Bureau of Investigation

(U//FOUO) DHS-FBI-NCTC Bulletin: Fake Help Desk Scams an Ongoing Problem

DHS-FBI-NCTC-FakeHelpDesk

Law enforcement continues to see reporting of malicious cyber actors using fake help desk scams, also known as technical support scams. These scams, if successful, seek to compromise and take control of computer systems. Malicious cyber actors send users an e-mail or they make cold calls, purportedly representing a help desk from a legitimate software or hardware vendor. The malicious cyber actors try to trick users into believing that their computer is malfunctioning—often by having them look at a system log that typically shows scores of harmless or low-level errors—then convincing them to download software or let the “technician” remotely access the personal computer to “repair” it.

(U//FOUO) FBI Counterintelligence Vulnerability Assessment for Corporate America

FBI-CorporateAmericaCI

To prevent foreign entities from achieving their goals, a Counterintelligence Program (CIP) proactively searches for and uses information from multiple sources. An effective CIP draws information from security programs and other internal systems, as well as from the U.S. Intelligence Community (USIC). Once this information is assembled, an effective CIP develops a coherent picture and crafts a strategy to prevent the foreign entity from successfully achieving its goals and minimizes the damage already done. An effective CIP conducts active analysis of available information, requires annual CI education for all employees, and provides a system for immediate referral of behavior with CI implications.

(U//FOUO) DHS-FBI-NCTC Bulletin: Building Security Measures May Hinder Emergency Response Efforts

DHS-FBI-NCTC-SecurityMeasuresResponse

Facility security measures, such as interior control points or exterior barriers, may require first responders to adjust normal protocols and procedures to operate rapidly during emergencies. The timeline below is an overview of attacks and plots against US-based facilities with varying levels of security. The diversity of tactics and targets used underscores the need for interagency exercises and training that incorporates multiple scenarios to account for building security measures likely to be encountered.

(U//FOUO) DHS-FBI-NCTC Bulletin: Extortion Schemes Use Telephony-Based Denial-of-Service Attacks

DHS-FBI-NCTC-TDoSExtortion

Since at least January 2012, criminals are using telephony-based denial-of-service (TDoS) combined with extortion scams to phone an employee’s office and demand the employee repay an alleged loan. If the victim does not comply, the criminals initiate TDoS attacks against the employer’s phone numbers. TDoS uses automated calling programs—similar to those used by telemarketers—to prevent victims from making or receiving calls.

(U//FOUO) DHS-FBI Bulletin: Compromises of Official Social Media Accounts Spread Disinformation

DHS-FBI-SocialMediaDisinfo

Malicious cyber actors have used compromised social media accounts to spread disinformation about alleged emergencies and attacks, most prominently through Twitter. Because it is difficult to determine the authenticity of a tweet, we anticipate malicious cyber actors will continue to seek to exploit Twitter and other social media platforms used by news organizations and public safety agencies to propagate disinformation.

(U//FOUO) DHS-FBI Suspicious Activity Reporting (SAR) Bulletin: Weapons Discovery

DHS-FBI-Weapons

Possession of large amounts of weapons, ammunition, explosives, accelerants, or explosive precursor chemicals could indicate pre-operational terrorist attack planning or criminal activity. For example, in preparation for conducting the July 2011 attacks in Norway, Anders Behring Breivik stockpiled approximately 12,000 pounds of precursors, weapons, and armor and hid them underground in remote, wooded locations.

Nationwide Suspicious Activity Reporting (SAR) Initiative Annual Report 2012

NSI-AnnualReport2012

Over the past year, the NSI PMO has continued its implementation efforts and outreach to NSI stakeholders to help ensure that law enforcement and homeland security partners are afforded another tool to help identify and prevent terrorism and other related criminal activity. The ongoing collaboration among DOJ, DHS, the FBI, SLTT partners, and the National Network of Fusion Centers has strengthened, allowing the NSI to expand its nationwide information sharing capability. As of March 2013, 73 fusion centers have met the requirements outlined by the NSI PMO to be fully NSI-Operational—an increase of 5 centers from the same time last year—and all 78 fusion centers now maintain the capability to contribute and share suspicious activity reports through the Shared Space or eGuardian. This expansion of the NSI has allowed the Federated Search Tool to be accessed by more trained users—increasing the number of searches to more than 76,400—and more than 25,900 Information Sharing Environment (ISE)-SARs had been submitted and shared by the end of March 2013. Further, with the support of the National Network of Fusion Centers, 46 states and the District of Columbia are participating in statewide implementation of the NSI; implementation efforts are currently under way in Guam, Puerto Rico, and the U.S. Virgin Islands to ensure a strengthened nationwide capacity for sharing ISE-SAR information.

(U//FOUO) DHS-FBI Joint Intelligence Bulletin: Nairobi Mall Attack and Al-Shabaab Threat

DHS-FBI-WestgateMallAttack

This Joint Intelligence Bulletin (JIB) provides information on the 21 September 2013 attack in Nairobi, Kenya likely conducted by al-Shabaab—an al-Qai‘da linked militant group based in Somalia. This JIB examines the ongoing incident and provides background on the threat from al-Shabaab. This JIB also highlights protective measures that can assist in mitigating threats in the United States using similar tactics and is provided to support the activities of FBI and DHS and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials, as well as first responders and private sector security officials to deter, prevent, preempt, or respond to terrorist attacks in the United States or overseas targeting US interests.

(U//FOUO) DHS-FBI Suspicious Activity Reporting Bulletin: Sabotage/Tampering/Vandalism

DHS-FBI-Sabotage

Terrorists may engage in sabotage, tampering, or vandalism as part of an attack or to gain access to restricted areas, steal materials, or provoke and observe security responses. For example, the 1Oth edition of al-Qa’ida in the Arabian Peninsula’s Inspire magazine suggests torching parked vehicles and causing automobile accidents by using lubricating oil or nails driven through wooden boards as simple tactics to cause both casualties and economic damage.

(U//FOUO) DHS-FBI Bulletin: Impersonation Using Uniforms and Credentials

DHS-FBI-Impersonation

Impersonation by assuming the identity, behavior, or appearance of first responders can allow terrorists access to restricted or secure locations, including the scene of emergencies when unchallenged. This access can allow terrorists the ability to conduct pre-operational surveillance or carry out a primary attack or a secondary attack against first responders. The method of impersonation may not be limited to the use of uniforms, clothing, badges and identification; civilian vehicles may be accessorized to appear as legitimate emergency vehicles.

FBI Criminal Justice Information Services (CJIS) National Data Exchange (N-DEx) Policy Manual Version 3.0

FBI-NDEX-3.0

An updated policy manual for the FBI National Data Exchange (N-DEx) released August 28, 2013. The manual was updated to include substantial additions to the regulations governing use of information within the system and the maintenance of records for later auditing of law enforcement agencies’ access to the system.

(U//FOUO) FBI Cyber Division Advisory: Syrian Electronic Army Targeting of Social Media

FBI-SEA

The Syrian Electronic Army (SEA), a pro-regime hacker group that emerged during Syrian anti-government protests in 2011, has been compromising high-profile media outlets in an effort to spread pro-regime propaganda. The SEA’s primary capabilities include spearphishing, Web defacements, and hijacking social media accounts to spread propaganda. Over the past several months, the SEA has been highly effective in compromising multiple high-profile media outlets.

(U//FOUO) DHS-FBI Bulletin: Threats to Mobile Devices Using the Android Operating System

DHS-FBI-AndroidThreats

Android is the world’s most widely used mobile operating system (OS) and continues to be a primary target for malware attacks due to its market share and open source architecture. Industry reporting indicates 44 percent of Android users are still using versions 2.3.3 through 2.3.7-known as Gingerbread-which were released in 2011 and have a number of security vulnerabilities that were fixed in later versions. The growing use of mobile devices by federal, state, and local authorities makes it more important than ever to keep mobile OS patched and up-to-date.

(U//FOUO) FBI Cyber Division Bulletin: Advanced Persistent Threat (APT) Actors Targeting Aviation Industry

apt-cycle

Since June 2013, the FBI has observed advanced persistent threat (APT) actors’ increased interest in the aviation industry. APT actors have sent spear-phishing e-mails targeting individuals associated with the air travel industry. Some of the spear-phishing e-mails originated from a spoofed sender in an attempt to make the e-mail appear more legitimate. E-mail recipients should be aware of suspicious and potentially malicious e-mail attachments or links.

U.S. Government Foreign Telecommunications Providers Network Security Agreements

A collection of Network Security Agreements (NSAs) entered into with foreign communications infrastructure providers ensuring U.S. government agencies the ability to access communications data when legally requested. The agreements range in date from 1999 to 2011 and involve a rotating group of government agencies including the Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), Department of Justice (DoJ), Department of Defense (DoD) and sometimes the Department of the Treasury. According to the Washington Post, the agreements require companies to maintain what amounts to an “internal corporate cell of American citizens with government clearances” ensuring that “when U.S. government agencies seek access to the massive amounts of data flowing through their networks, the companies have systems in place to provide it securely.”

National Explosives Task Force Advisory: Fireworks as Improvised Explosive Device (IED) Components

NETF-Fireworks

Fireworks are a common component used in Improvised Explosive Devices (IEDs). The US Government is asking consumer fireworks retailers to be aware of this phenomenon and familiarize themselves with some possible indicators of suspicious activity. This list is not inclusive, nor is it intended to limit the lawful conduct of innocent persons. The totality of behavioral indicators and other relevant circumstances should be considered.

(U//FOUO) DHS-FBI Bulletin: Fireworks as Improvised Explosive Device (IED) Components

DHS-FBI-Fireworks

Recent incidents in the Homeland demonstrate that consumer fireworks—widely used during the upcoming 4 July 2013 celebrations—can be misused by criminals and violent extremists to construct improvised explosive devices (IEDs). Consumer fireworks are defined as devices that produce audible and visible effects by combustion, containing between 50-130 milligrams of explosive material. They are banned in Delaware, Massachusetts, New Jersey, and New York.

(U//FOUO) DHS-FBI Bulletin: Use of the Internet for Attack Planning

DHS-FBI-InternetAttackPlanning

Malicious actors may leverage the Internet to gain information against a potential target to support pre-operational planning efforts for kinetic or cyber attacks. Malicious actors can use Internet search engines for information such as maps, company photographs or blueprints, and gain additional details from social media sites and Web blogs. Some actors may use more sophisticated techniques—such as phishing, spear phishing, or actual penetration of an organization’s network or devices—which can be used to gather personal, sensitive, or proprietary data.