Hackers are much better at targeting than your marketing team

Source: Unsplash/Jefferson Santos.

This year is shaping up to be one of the most successful years for cyber hackers in Australia. The recent news cycle revealed a new victim daily: Optus, Telstra, Woolworths, Holiday Inn, Uber, Northface, Rockstar, VinoMofo and many more. Even Medibank has been compromised, and now it has been revealed that the company is the subject of a ransom demand.

Some affected companies have been criticized for their slow or unobtrusive response, leaving customers unsure of what action to take or failing to realize the enormity of the situation.

Meanwhile, hackers have access to the kind of data that many marketers would kill for, allowing them to create targeted scams that look incredibly genuine due to the sheer volume of accurate and current datasets. Rather than a scattershot approach where “customers” received something fishy from a bank they weren’t customers of (and might overlook), the latest batch of scams are incredibly targeted and hard to tell apart. reality.

Database degradation is a fact of marketing life. Marketers lament their churn and bounce rates, but imagine having a database so comprehensive and up-to-date, with such granular detail that you know everything about the customer, whether it’s their most recent information, his medical file, his financial situation. , purchase history and probably even what they ate for breakfast.

In fact, this level of granularity is normal for hackers, who steal astonishing amounts of customer data from multiple sources and can merge and cross-reference data sets before selling them on the dark web.

While genuine marketers would pay incredible sums for such data (legally obtained, of course), hackers seem content to sell it for mere buttons. Data stolen from MyDeal.com.au was tagged by a hacker who calls himself “Christian Dior” and sold within a day for a whopping $600. Meanwhile, the Optus hacker removed the data he stole from the sale.

So if hackers have the upper hand on data quality, it is definitely more profitable and less risky to be a marketer!

click game

The cost of damage to Woolworth-owned MyDeal will far exceed Christian Dior’s $600 sale, and the company will have to work hard to regain customer trust. Like other recent scams, the MyDeal hack was unsophisticated. The attacker entered his CRM system using a compromised login ID. Dior was even cheeky enough to do a media interview with Information Security Media Group on how they did it and provide security data (unpublished) including a network infrastructure map. Dior said: “Most of the access was obtained through the reuse of passwords. They [MyDeal] I didn’t even notice until we started [f***ing] with customer support tickets. »

Ultimately, scammers want the same thing marketers want when they send emails. According to James Linton, the notorious “e-mail prankster” who hacked into the White House and tricked the Trump administration: “[Scammers] want clicks, mostly. Click on their login page, click and open their attachment; their goal is clicks.

But now scammers have incredibly sophisticated datasets and are likely to be more successful than marketers. Scammers can now impersonate a trusted person or organization and ask them to perform tasks such as clicking a link, making a payment, or downloading a document. They achieve an increasingly accurate success rate simply because their datasets are up-to-date, accurate, and merged from multiple stolen lists.

While this is a victory for hackers and scammers, it is a massive loss for the organization they have usurped, leading to business continuity and legal liability issues, erosion of trust and damage to the reputation.

Protecting businesses and customers

The most imitated brand according to Cybersecurity Connect Australia is DHL, followed by Microsoft, WhatsApp, Google, and LinkedIn, and some of the most common scams are phishing, ransomware, CEO/CFO scams, and SMS scams. Over 84% of cyberattacks were delivered via email in 2021, up from 64% the previous year. As more people access email using their mobile phones, more hackers will take advantage of this attack vector.

Additionally, a new study from Positive Technologies found that in 93% of cases, threat actors (hackers) could infiltrate an organization’s network perimeter and gain access to local resources among financial organizations, energy companies, government agencies, IT companies and other industries. On average, hackers can break into a company’s internal network in just two days. It’s not just large organizations that need to be wary. According to the Australian Cyber ​​Security Centre, cyberattacks accounted for nearly half of all small business scams in 2020-21.

Not only do businesses need to ensure that their customers are informed when there has been a breach and informed about scams to watch out for, but it is essential that businesses of all sizes review their cybersecurity practices and educate their employees on the techniques pirates. CXOs and administrators should provide a clear strategy and vision for how the business can increase its effectiveness and efficiency in dealing with known threats while minimizing the risk of emerging attacks in the future.

According to Cybersecurity Minister Clare O’Neil: “This is the new world we live in. We are going to suffer relentless cyberattacks, basically from now on.

Since the breach of Optus by a hacker calling himself “OptusData”, the government has responded quickly. It hastily amended the Telecommunications Regulation Act 2021 to allow Optus breach-related information to be shared with financial institutions so they can implement enhanced safeguards and oversight.

He also created the Commonwealth Credential Protection Register to stop fraudulent use of credentials. The 100,000 compromised passport numbers exposed in the Optus breach have been added and can no longer be used with the document verification service.

There are still concerns about data security and whether Australian data protection laws are adequate. Given that we haven’t had any impactful changes in applicable privacy laws, I’m concerned that expedited changes to correct an event that brought the issue into the collective consciousness may lead to other issues later.

Comments are closed.