Transcript
A (0:01)
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution. It's built for performance and scale. You can find them at meter.com CST.

HSBC blocks even legit sideloaded apps with its banking app. A fake Windows Blue Screen of Death is used to load malware. More compromised Chrome extensions have been discovered in the Chrome Web Store that have been there for years, and a new report says that despite major law enforcement takedowns, the number of ransomware victims rose alarmingly in 2025. This is Cybersecurity Today and I'm your host, Jim Love.

HSBC's mobile app is blocking customers who have a Bitwarden installation from the F-Droid store on the same device, effectively treating sideloaded apps as unacceptable on devices used for its banking app. This surfaced after users found they could no longer install sideloaded versions of Bitwarden, a popular open source password manager, despite the tool itself being widely trusted. As reported by The Register, the issue isn't Bitwarden, it's how it's installed: sideloading. It uses F-Droid, an alternative Android app catalog focused on open source software. But from HSBC's perspective, that still counts as sideloading, bypassing Google Play's security checks, enterprise controls, and managed update pipelines. That's a defensible security stance. Sideloaded apps can miss updates, evade integrity checks, or be swapped for modified versions without triggering alerts. On a device used for sensitive work or access to banking systems, that risk is a little hard to justify. You can easily imagine the backlash if a bank ignored it and devices were compromised. Where this gets more complicated is the broader move towards alternate app sources. In Europe, for instance, the Digital Markets Act now forces companies like Apple and Google to allow alternative app stores. From a regulatory standpoint, that's legal. From an enterprise security standpoint, it's still sideloading, and banks are making it clear which side of that line they're on.

A new social engineering attack is abusing one of the most familiar sights in computing: the Windows Blue Screen of Death. According to reports from BleepingComputer, attackers are displaying convincing crash screens inside a web browser and making users believe their systems have suffered a serious failure. The technique is part of what's being tracked as a ClickFix campaign. Victims see what looks like a frozen system and an urgent error message, followed by instructions to run a command or an installer, often through PowerShell, to fix the problem. And that step doesn't repair anything. Instead, it installs malware. There's no software exploit here; the browser hasn't crashed, and Windows hasn't failed. The attack works, though, because it leans on habit and stress. Users have been trained for decades that a blue screen means something has gone badly wrong, and the instructions are written in just enough technical language to make this feel plausible. BleepingComputer reports that the payloads can include remote access tools and information stealers, giving attackers persistent access once the user complies. Because the install is user-initiated and uses powerful system tools, many traditional security controls never fire. What's notable is how well this fits a broader pattern. Even as Windows 11 begins retiring the classic blue screen in favor of a new black crash screen, attackers are still exploiting the muscle memory that it created. This comes as more and more attacks are moving away from breaking systems and towards persuading people. Fake update prompts, fake support warnings, fake errors. The technology and the scenarios keep changing, but the psychology stays the same.

We've talked before about the risks that are hiding inside browser extensions, and Google has repeatedly said it's tightened review and cleanup inside the Chrome Web Store. But this week a report shows that at least two additional compromised extensions have been in the store for years. Security researchers at Socket uncovered two malicious Chrome extensions called Phantom Shuttle. They quietly routed users' web traffic through attacker-controlled proxy servers. The extensions were listed in Google's official store and had been active since at least 2017, stealing credentials and session data until they were finally removed after disclosure. The key question is how they survived for so long. Google has said that extensions are reviewed not just when they're first published, but also when they're updated, because a common tactic was to post a legitimate-looking app, build trust, and then introduce malicious behavior in later updates. Exactly the kind of trick these checks are meant to catch. Regardless of the process and the cleanups that Google has promised they've done, these have failed to detect all the extensions they need to remove. Now, that doesn't mean the Chrome Web Store is unsafe. It's still the best place to get your extensions from, but it's not perfect if even Google can miss extensions that sit in its store for years. Trust in app stores may be necessary, but it can't be absolute.

And finally, if you followed the headlines in 2025, it felt like a year of ransomware gang takedowns and disruptions. But Emsisoft's new State of Ransomware in the US 2025 report says the damage kept climbing anyway. Emsisoft traced leak site victim claims using two independent data sets, RansomLook.io and Ransomware.live. Both show that despite a number of listed gangs being taken down, or some that may have closed because of legal pressure, the number of claimed victims rose from roughly 5,400 in 2023 to more than 8,000 in 2025. That's a jump of about 53 to 63% over those two years. One reason is that disruption often turns into churn rather than total erasure. Emsisoft found that even with the takedowns, the number of active ransomware groups climbed into the triple digits in 2025, noting a pattern where pressure on big crews can drive splintering and rebranding, and sometimes the comeback returns with the same branding. Clop is a good example. Ukrainian authorities said they arrested six suspected Clop members, and we've done stories from Clop's MOVEit exploitation in 2023 up to more recent attacks in the past year. So takedowns matter and they do disrupt real operations. But 2025 was another reminder that ransomware is an ecosystem. And sometimes it's like the Energizer Bunny. When one brand disappears, affiliates and playbooks can pop up under a new name. And sometimes the original name just keeps going and going and going.

And that's our show. Check out our Month in Review show this weekend with our regular panel if you're interested in hearing us tackle some of the big stories and issues from the past few weeks. Finally, we'd like to thank Meter for their support in bringing you this podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular, to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware, the firmware, they build the software, manage deployments and run support. It's a single integrated solution that scales from branch offices to warehouses to large campuses and even to data centers. Book a demo now at meter.com CST. That's M-E-T-E-R dot com CST. I'm your host, Jim Love. Thanks for listening.
