Why hackers are much better at targeting than your marketing team

This year is shaping up to be one of the most successful years for cyber hackers in Australia. The recent news cycle has revealed a new victim daily: Optus, Telstra, Woolworths, Holiday Inn, Uber, Northface, Rockstar, VinoMofo and more. Even Medibank was compromised, and now it’s been revealed the company is subject to a ransom demand.

Some companies affected have been criticised for a slow or understated response, resulting in customers unsure of what action to take or not realising the enormity of the situation. 

Meanwhile, hackers have access to the type of data many marketers would kill for, allowing them to create targeted scams that look incredibly authentic because of the sheer volume of accurate and current datasets. Rather than a scatter-gun approach where ‘customers’ received something dodgy from a bank they weren’t a customer of (and could ignore), the latest batch of scams is incredibly targeted and challenging to differentiate from the real thing. 

Database decay is a fact of marketing life. Marketers bemoan their churn rates and bounce-backs, but imagine having a database so comprehensive and current, with such granular detail that you know everything about the customer — whether that’s their most up-to-date contact details, their health records, financial status, purchase history and probably even what they ate for breakfast.

In fact, that level of granularity is par for the course for hackers, who steal astonishing amounts of customer data from multiple sources and can merge datasets, and cross reference before selling them on the dark web. 

While genuine marketers would pay incredible sums for such data (legally obtained, of course), the hackers seem content to sell them for mere buttons. The data stolen from MyDeal.com.au was listed by a hacker who calls themself “Christian Dior” and sold within a day for a paltry $600. Meanwhile, the Optus hacker withdrew the data they stole from sale.

So while hackers have the upper hand on data quality, it is definitely more profitable and less risky to be a marketer!

Game of clicks

The cost in damages to Woolworth’s owned MyDeal will far exceed Christian Dior’s $600 sale, and the company will need to work hard to regain customer trust. Like other recent scams, the MyDeal hack wasn’t sophisticated. The attacker got into its CRM system using a compromised login credential. Dior was even cheeky enough to do a media interview with Information Security Media Group on how they did it and provide (unpublished) security data, including a network infrastructure map. Dior said: “Most of the access was gained from password reuse. They [MyDeal] didn’t even notice until we started [f***ing] with customers’ support tickets.”

Ultimately scammers want the same thing as marketers when they send out emails. According to James Linton, the famous ’email prankster’ who hacked the White House and fooled the Trump Administration: “[Scammers] want clicks, for the most part. Click through to their login page, click and open their attachment; their goal is clicks.”

But now scammers have unbelievably sophisticated datasets and are likely to succeed more than marketers. Scammers can now accurately impersonate a person or organisation people trust and ask them to carry out tasks like clicking a link, making a payment or downloading a document. They achieve an increasingly accurate success rate, simply because their data sets are current, accurate, and merged from multiple stolen lists.

While that’s a win for hackers and scammers, it’s a massive loss for the organisation they have impersonated, resulting in business continuity and legal liability issues, eroded trust and reputational damage.  

Protecting businesses and customers

The most impersonated brand according to Cybersecurity Connect Australia is DHL, followed by Microsoft, WhatsApp, Google and LinkedIn, and some of the most common scams are phishing, ransomware, CEO/CFO scams and SMS scams. More than 84%t of cyber attacks were distributed via email in 2021, up from 64% the year before. As more people access email using their mobile phones, more hackers will take advantage of this attack vector.

Further, a new study from Positive Technologies discovered that in 93% of cases, threat actors (hackers) could infiltrate an organisation’s network perimeter and gain access to local resources among financial organisations, energy companies, government bodies, IT businesses, and other sectors. On average, hackers can penetrate a company’s internal network in just two days. It’s not just large organisations who need to beware. According to the Australian Cyber Security Centre, cyberattacks accounted for nearly half of all small business scams in 2020-21. 

Not only must companies ensure their customers are aware when there has been a breach and educated on what scams to look out for, it’s critical businesses of all sizes review their cybersecurity practises and educate their employees on hackers’ techniques. CXOs and directors must provide a clear strategy and vision about how the business can increase its effectiveness and efficiency in dealing with known threats while minimising the risk of emerging attacks moving forward.  

According to Cybersecurity Minister Clare O’Neil: “This is the new world that we live in. We are going to be under relentless cyber-attack, essentially from here on in.” 

Since the Optus breach by a hacker calling themselves “OptusData”, the government has moved swiftly to respond. It hastily amended the Telecommunications Regulations 2021 law to allow the sharing of information related to the Optus breach with financial institutions so they could implement enhanced safeguards and monitoring.

It also created the Commonwealth Credential Protection Register to stop the fraudulent use of ID information. The 100,000 compromised passport numbers exposed in the Optus breach were added and can no longer be used with the Document Verification Service.

There are still concerns over data security and if Australian data protection laws are adequate. Given we haven’t had any impactful change in privacy laws that are enforceable, I worry that fast-tracking changes to patch an event that has brought the issue into a collective consciousness may lead to further problems down the line.