Social media accounts are one of cybercriminals' favorite things to hack. They are relatively easy to compromise, they get lots of attention, and they earn bragging rights. We've all seen a celebrity or brand suffer an account hijacking; the list is almost too long to recount, but it includes Taylor Swift, the Associated Press, HBO, the NFL, Delta Airlines, CENTCOM and many, many more.
To many, account hijackings have become just another inevitable headache of the social media age, something we simply have to accept. But for an organization, what is the actual cost of a takeover? Is it a nuisance, or something that warrants real protection?
It’s All Relative
The cost of an account takeover is relative to the attacker's goal. Some attackers just want to vandalize a popular account for bragging rights; here, the attack itself is the end goal. Others use the hijacked account as a means to a larger, often more insidious end: a full network breach or deeper data exfiltration. The cost of the attack is relative to what the attacker ultimately achieves, and thus to what the victim ultimately loses.
Account Hijacking for Its Own Sake: Cybervandalism
The account takeovers that get the most attention are the ones where the attacker makes the most noise. These cybervandalism attacks are short and hard-hitting, usually lasting only hours or a few days for major accounts that attract press, and days or weeks for less visible accounts.
In ZeroFOX's experience, accounts typically lose up to 5% of their followers during an account takeover. For large brands, this can mean losing hundreds of thousands of followers. For smaller brands, each follower is hard earned and generally more valuable, so the loss stings that much more.
The cost of such an attack ultimately comes down to brand reputation damage. In a world where every customer is online and can be won or lost in the span of 140 characters, an account takeover can mean a drop in engagement, fewer followers to convert into customers, and ultimately an inability to fully realize the return on your social media investment.
Account Hijacking as a Means to an End: Pivoting
The far more damaging account hijackings are the ones not done for bragging rights. Many attackers break into accounts in order to pivot and attack other employees, perhaps ones with critical access. Attackers also use the company's account to quietly message followers with scams and phishing links, trading on the trust followers place in the brand. Others siphon off data and pull sensitive information from DMs. You rarely hear about these attacks because it is in the attacker's interest to stay quiet.
In this case, the cost of the attack is relative to whatever the attacker's end goal was. This could be a multimillion-dollar data breach, countless hours spent supporting phished customers, or far greater reputation damage from leaked data down the line. When the attacker pivots after the initial breach, the cost is often far higher.
One of the more insidious, longer-lasting costs of an account hijacking is the long-term SEO damage. When a major account is hacked, it attracts the press. For marketing and security teams scrambling to clean up the mess, this can be particularly painful. Even once the account has been recovered and the offending tweets deleted, the articles about the attack live on as an irreparable flashing neon sign that won't go away.
From this author's computer, with cookies and browser history cleared, the Google search "associated press twitter," a query an average user would reasonably use to check the AP's most recent news, still returns a post about their infamous account hijacking on the first page of results: "Video: Associated Press account hacked." The compromise in question occurred in early 2013. This cannot be overstated: the compromise itself lasted only hours, and the infamous tweet was identified within minutes, but the SEO damage of negative press on the first page of Google has persisted for the better part of a decade. Very few things have that kind of staying power in our manic digital age, and SEO damage is notoriously difficult to mitigate.
The risk of SEO damage is largely confined to organizations big enough to garner press attention if their accounts are hacked. In fairness, the AP hack was one of the earliest high-profile account hijackings, it had serious consequences (the Dow dropped nearly 150 points and momentarily wiped out billions in market value), and it featured a particularly insidious bit of clickbait. Some account hijacking is more obviously juvenile, banal or otherwise innocuous, and not substantial enough to draw serious press attention. But as the AP example shows, a moderately determined attacker can do years' worth of damage with a single tweet.
Account hijackings are not fun. Even if the balance sheet isn't drastically changed after an instance of cybervandalism, it's difficult to put a price on the reputational damage to the brand and the psychological toll on everyone involved in managing the event. The all-hands-on-deck fire drill is stressful and embarrassing in the extreme, hurting morale and productivity and leaving a dark blemish for months to come. In the mind of every marketer, the cost of a takeover is measured not in dollars and cents but in sleepless nights and chaotic days.