Cyber threat to digital agencies Google Adword accounts

30 October 2018

Two Auckland agencies are warning other New Zealand marketing agencies to tighten up security in the face of a new risk to their clients’ money posed by Google Adword account hijacking.

CEO of Auckland SEO marketing agency Insight Online, Kim Voon, said today that digital agencies – which manage up to millions of dollars in digital advertising revenue – are exposed to having money siphoned out of their accounts when their clients’ digital advertising campaigns are hacked.

“I’ve had a couple of reports already where Google Ads accounts have been hijacked and the links pointed towards some Ponzi scheme in Africa.

“Not only are revenues at risk of being mis-directed, but client data is also vulnerable in this scenario,” Voon said.

As more and more revenue is poured into digital marketing – data released from Standard Media Index (SMI) in February this year shows digital advertising spend topping $338,997,508 in New Zealand – the more likely it is that digital advertising accounts will become a higher priority target for cyber criminals.

Voon said that for most Google Premier Partner agencies, millions of dollars could be spread over hundreds of accounts – which means that ‘mis-directed spending’ or ‘siphoning’ will be harder to spot.

“The sheer volume of accounts and associated spend makes digital advertising agencies a lucrative target,” said Voon.

“If you haven’t already got insurance to cover advertising losses, you need to do that as a matter of urgency. Exposure is very high. For example, your employee goes to a café and uses their non-secure network to access the Internet, that’s a back-door security risk right there.”

Voon also urged agencies to adopt two factor authentication (2FA), which is essentially two step verification as standard for Google accounts, Dropbox, Password Managers and any other business critical cloud services.

Two factor authentication involves, for example, logging into a laptop and then logging into an account. When that occurs, a code is sent to your mobile phone and you have 30 seconds to enter the code.

Usually this only has to be done only once because after set-up, logging in from the same location on the same browser, laptop and phone will not trigger an authentication code – if nothing has changed. Logging in from a different location, however, will require going through the process.

“It’s very easy to install. Download the authentication app from Google and follow the installation steps. It’s a low cost of compliance for a three-fold increase in security,” Voon said.

Director of Storm IMC Digital Marketing agency Ronan Nichol said many clients would have their credit cards linked to their Adword accounts, which puts those credit cards at risk – a lot of damage can be done before the bank puts a stop to it.

“The minimum step is two-factor verification, but I also have two-step verification back-up codes. The first thing a hacker does is lock you out of your accounts. Back-up codes, which we print out and keep secured in a safe, will allow you to login to the accounts and take back control,” Nichol said.

Ends.

© Scoop Media