Intercast March 2025 Newsletter
Welcome to the March 2025 edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we’ll bring you the latest news and views to get you up to speed.
In This Issue:
- Client Insight
- Gmail Ditching SMS For Two-Factor Authentication
- Ransomware Takings Dropped in 2024
- Eleven11bot Breaks Botnet Records
- HR Tech World Rocked By Scandal
- Best of the Rest
Client Insight
Gmail Ditching SMS For Two-Factor Authentication
Google is to switch from SMS messages to QR codes when running two-factor authentication checks in Gmail. It says the SMS approach is no longer effective and could even undermine security.
It’s not a single issue that prompted the change. Instead Google says a range of factors mean SMS is no longer a sufficient approach. These include security risks as basic as an attacker being able to steal a phone, trigger an SMS message, and see the message with the authentication code without needing to unlock the phone. Google’s also responded to an increasing pattern of remote “SIM swapping” that means authentication codes can be intercepted.
In other cases, the account holder isn’t the target. Instead attackers abuse the two-factor authentication to trigger huge numbers of SMS message deliveries. A complex and fraudulent setup involving rogue mobile network operators means the scammers rake in fees for carrying the text messages. Social networking platform X claims such scams have cost it $60 million a year sending pointless text messages.
Ransomware Takings Dropped in 2024
Finally some good news on ransomware: the estimated total take in 2024 was $814 million, a 35% drop from the $1.25 billion in 2023. The fall was even more dramatic when looking at the second half of last year.
The estimates come from Chainalysis, which looks at cryptocurrency payments to accounts known or believed to be used by ransomware gangs. The methodology means the figures may not be precise, but the trend is likely accurate.
Logical reasons for the drop would include attackers being less successful, victims having better recovery plans that reduce the need to pay up, or success for programs and laws that discourage or outlaw making ransomware payments, particularly for public bodies.
However, Chainalysis believes there’s a simpler explanation. It says law enforcement attempts to disrupt or track down attacks are having a meaningful effect. It’s not that ransomware gangs are less motivated to do the deed. Instead they are being more selective in their attacks, making sure the potential reward is enough to justify the risk, rather than going for a broader base of multiple victims.
Eleven11bot Breaks Botnet Records
A botnet has carried out a DDoS attack measured at 6.5 terabits per second, reportedly a new record. Dubbed Eleven11bot, it far exceeded the previous highest recorded speed of 5.6 terabits per second set just weeks earlier.
Unlike the popular image of hijacked personal computers, Eleven11bot is made up largely of webcams, security cameras with remote access, and the associated digital video recorders. That makes sense as such devices are designed to be reliably online 24/7, but an increase in their data transfers wouldn’t be immediately noticeable.
While the size of the attacks themselves (in data terms) isn’t disputed, there’s some controversy over the number of devices in the botnet. An official advisory from the New Jersey government’s cyber division said 86,000 devices were involved. Other experts say that likely involves errors caused by misreading data present on similar-but-unaffected devices and the real number is in the low thousands.
HR Tech World Rocked By Scandal
HR tech and SaaS isn’t usually a world of scandal and intrigue, but it’s all kicking off in a battle between two major companies. Rippling is suing Deel in a case which appears to involve internal Slack channels being turned from an espionage tool into a trap.
We’re deliberately being careful in how we describe the claims as what did and didn’t happen looks set to be the subject of a courtroom argument. The key point is that Rippling implies rivals Deel used workplace espionage to attempt to poach both staff and clients. One Rippling employee in Dublin was said to be carrying out suspicious searches.
Rippling then informed Deel’s management about a supposed Slack channel that contained details about former Deel employees. The channel didn’t exist, but the under-suspicion Rippling employee searched for it. Rippling argues that this not only proves the employee was a spy, but also that he was working directly with Deel management.
That’s just the tip of the iceberg, in a story which includes the alleged spy locking himself in a bathroom when court-appointed lawyers showed up, and both companies accusing the other of international sanctions violations. Deel has denied all of the claims of wrongdoing and says it may make counter-claims.
It’s certainly a popcorn-worthy drama, but it’s also an important lesson about securing internal communications, particularly on cloud-based systems.
Best of the Rest
Here’s our round up of what else you need to know:
- reCAPTCHA ‘Cost Society $6.1 billion’: https://boingboing.net/2025/02/07/recaptcha-819-million-hours-of-wasted-human-time-and-billions-of-dollars-google-profit.html
- International Cybersecurity Agencies Issue Edge Device Guidelines: https://www.ncsc.gov.uk/news/cyber-agencies-unveil-new-guidelines-to-secure-edge-devices-from-increasing-threat
- Microsoft 365 Device Authentication Abused in Spear Phishing Campaign: https://www.infosecurity-magazine.com/news/russian-microsoft-device-code/
- Few Firms Escape AI Cyber-Attacks: https://www.digit.fyi/87-of-firms-hit-by-ai-cyber-attacks/
- Publicly Available LLM Dataset Had 12,000 Active Security Assets: https://thehackernews.com/2025/02/12000-api-keys-and-passwords-found-in.html
- Watergate Hotel Suffers Breach – This Time For Data: https://wtop.com/business-finance/2025/02/watergate-hotel-hit-with-data-breach/
- Bogus ‘FCC Fraud Prevention’ Robocallers Call FCC: https://www.bleepingcomputer.com/news/security/robocallers-posing-as-fcc-fraud-prevention-team-call-fcc-staff/