The recent account hack scam that affected social accounts for highly influential figures, including celebrities, politicians and business owners, has revealed one major theme: No one is exempt from malicious activity, especially account takeover. While we may not be able to control if a malicious actor chooses a specific account to victimize, we can prioritize efforts that minimize costly impacts of an account hijacking.
To many, account hijackings have become an unavoidable headache we need to accept and plan ahead for in order to maintain a defensive security posture. But, for an organization, what is the true cost of an account takeover?
The Secret: We Can’t Put a True Price Tag on an Account Takeover
The question of the cost of an account takeover is all relative to the goal of the attacker. Some want just to vandalize a popular account for bragging rights. Here, the attack itself is the ultimate goal. Alternatively, some attackers use account hijacking as a means to a larger, often more insidious end: either a full network breach or deeper data exfiltration. The cost of the attack is relative to what the attacker ultimately achieves and thus, what the victim ultimately loses. Regardless, the one factor that we can control to best mitigate the damage in these high-stakes situations is how long it takes to remediate the threat.
Account Hijacking for Its Own Sake: Cybervandalism
The account takeovers that get the most attention are the ones where the attacker makes the most noise. These cybervandalism attacks are short and hard-hitting, usually lasting only a few hours or days for major accounts that might attract press, and days or weeks for less visible accounts – making social media accounts for influential figures a golden opportunity for a malicious actor.
ZeroFox customer experience indicates that accounts typically lose up to 5% of their followers during an account takeover. For accounts with a massive follower base, this can mean losing hundreds of thousands of followers. For growing brands with a smaller follower base, each follower is hard earned and considered even more valuable, making the loss sting that much more.
The cost of such an attack ultimately comes down to brand reputation damage. In a world where every customer is online and can be won and lost in the span of 140 characters, the cost of an account hack may mean a drop in engagement, fewer followers to convert to customers and, ultimately, an inability to fully maximize the return on your social media investment.
Account Hack As a Means to an End: Pivoting
The far more damaging account hijacking cases are those that aren’t trying to achieve bragging rights. Many attackers break into accounts in order to pivot and attack other employees, perhaps with critical access. Attackers also use the company’s account to subtly message followers to launch scams and phishing attacks. Others siphon off data and pull sensitive information from DMs. You rarely hear about these attacks because it’s in the attacker’s best interest to stay quiet.
In this case, the cost of the account hack attack is relative to whatever end goal the attacker achieves. This could be a multimillion-dollar data breach, the countless hours spent supporting phished customers, or the much grander reputation damage caused by leaked data down the line. When the attacker pivots after the initial breach, the ultimate cost is often much higher.
The Differentiating Factor? Response Time
The most successful account hijackers share a seemingly innocuous post on behalf of the influential figure and mimic the verbiage or graphics that appear on brand to exploit followers with their guard down. If the hijacked post contains a phishing link that doesn’t get taken down for several hours, that could lead to hundreds, thousands or millions of followers being scammed under a trusted brand name – leading to permanent damage to a brand’s reputation.
The impact expands beyond the scope of a security response to the threatening content. The longer a post sits without remediation, the greater the drain on your wallet and resources. As more followers are put at risk, the more time your customer service team spends on the phone answering questions. As visibility for the breach increases, the effort of your marketing and public relations teams multiplies to mitigate reputation damage. While these impacts may not have an invoice attached, they create incalculable costs to your organization’s resources.
In the case of this recent major crypto-giveaway scam, several celebrities, politicians and business owners were victims of an account hijacking that falsely offered quick ‘money flipping’ financial gain via bitcoin payment. While the premise immediately sets off alarms for followers with security training, many were unaware and contributed to the bitcoin fund. Within about two and a half hours, the ZeroFox Alpha Team reported that the address linked within the hijacked posts had collected 12.81 BTC, which translates to roughly $120,000 USD.
The Bottom Line? An Account Hack Can Be Costly
Your social media account is a prime target for malicious activity. Even if the balance sheet isn’t drastically changed after an instance of cybervandalism, it’s difficult to put a price on the reputational damage to the brand and the psychological damage of all those affected by or involved in managing the event. The all-hands-on-deck fire drill is nothing short of stressful and embarrassing in the extreme, hurting morale and productivity and casting a dark blemish for months to come. The cost of a takeover amounts to more than hefty remediation fees – it’s a costly drain on your internal resources and the reputation you’ve worked so hard to build. Those that survive best are the organizations with account takeover protection and defensive security tools that act quickly to remediate credible threats to their brand.
Originally published September 7, 2018, updated August 3, 2020