Cyber Security Today, May 20, 2024 - Ransomware gang claims it hit a Canadian internet provider

May 20, 2024 A ransomware gang claims it hit a Canadian internet provider.

Welcome to Cyber Security Today. It’s Monday May 20th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.


It’s a holiday Monday in Canada today. Thanks for tuning in on this long weekend.

The Medusa ransomware gang says it stole 274 GB of data from a Canadian internet provider called Comwave. That’s according to Brett Callow, a threat researcher with Emsisoft. Comwave is an internet, phone and TV provider that was bought in November by cable giant Rogers Communications. In response to a request from me for comment, Comwave said that as soon as it became aware that a bad actor was attempting to disrupt service it took immediate action to protect customers and systems. Rogers systems are separate from Comwave and aren’t affected, Comwave said. The spokesperson didn’t respond to a question on whether employee or customer data was copied.

Canadian retailer London Drugs has acknowledged to CBC News that some personal information of employees was stolen in last month’s cyber attack. The company didn’t say how many staffers are affected. This comes after the company said a week ago that no customer information had been compromised. The Western Canadian chain’s 79 stores are back open.

Searching the internet for the WinSCP file transfer or PuTTY telnet utilities? Don’t be tempted by the first thing that comes up in a search. It could be a malicious ad that leads to the installation of malware. That’s according to researchers at Rapid7. These ads have been appearing since March. On a good search engine they will be marked as ‘sponsored’ or ‘advertising.’ But some people in a rush miss those signs. There’s another thing they don’t see: misspellings of the addresses of internet sites. So in this case one of the fake PuTTY download pages victims get directed to spells the utility with three “t’s.” Read the URL fast and you don’t see it. Unfortunately the rules running the internet allow this sort of scam. The lesson: Think before you click on any search engine result.

The crooks behind the Grandoreiro malware that steals bank login credentials are widening their targets. Until recently the malware was focused on Spanish-speaking countries, particularly Latin America, Spain and Portugal. However, since March IBM researchers have seen email campaigns going after people in Europe, Central and South America, Africa and Indo-Pacific countries. This broadening of targets is likely linked to the arrest in January of five people in Brazil who allegedly were the administrators of the operation. Victims get email messages claiming to be from government departments demanding money for unpaid taxes. People are urged to click on an attachment to see an invoice or the demanded fee. But this triggers malware that collects bank usernames and passwords. If a victim uses Microsoft Outlook the malware also uses their system to send out more phishing messages. IT staff need to warn employees — again — to be careful with email messages with attachments and consider blocking certain domains listed in the IBM report.

Separately, researchers at Cyble report the discovery of a new Android malware that also steals bank login credentials. It pretends to be a Google Play update app. The researchers call it “Antidot.” Victims who fall for installing the app don’t realize they’ve been infected because the malware puts an overlay on top of their usual mobile bank login page. That overlay captures the user’s password when they log in. One tip this is malware: On installation the victim is asked to allow the app to access Android’s Accessibility settings. Victims get hit when they download apps from email messages, text messages or any web sites other than official app stores. The safest place Android device users can get an app is the Google Play store. The safest place Apple device users can get an app is the iOS store.

Finally, if you haven’t been keeping up, Google last week released the third update for its Chrome browser in seven days to close newly discovered zero-day vulnerabilities. You should be running a version that starts with 125 and ends with .61.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.



Howard Solomon

Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
