Two Auckland outfits are warning other New Zealand marketing agencies to tighten up security in the face of a new risk to their clients' money posed by Google Adword account hijacking.

Insight Online chief executive Kim Voon said digital agencies – which manage up to millions of dollars in digital advertising revenue – are exposed to having money siphoned out of their accounts when their clients' digital advertising campaigns are hacked.

"I've had a couple of reports already where Google Ads accounts have been hijacked and the links pointed towards some Ponzi scheme in Africa.

"Not only are revenues at risk of being misdirected, but client data is also vulnerable in this scenario," Voon said.

As more and more revenue is poured into digital marketing – data released from Standard Media Index (SMI) in February this year shows digital advertising spend topping $338,997,508 in New Zealand – the more likely it is that digital advertising accounts will become a higher priority target for cyber criminals.

Voon said that for most Google Premier Partner agencies, millions of dollars could be spread over hundreds of accounts – which means that "misdirected spending" or "siphoning" will be harder to spot.

"If you haven't already got insurance to cover advertising losses, you need to do that as a matter of urgency. Exposure is very high," he said.

"For example, your employee goes to a café and uses their non-secure network to access the Internet, that's a back-door security risk right there."

Voon also urged agencies to adopt two factor authentication (2FA), which is essentially two step verification as standard for Google accounts, Dropbox, Password Managers and any other business critical cloud services.

Two factor authentication involves, for example, logging into a laptop and then logging into an account. When that occurs, a code is sent to your mobile phone and you have 30 seconds to enter the code.

Director of Storm IMC Digital Marketing agency Ronan Nichol said many clients would have their credit cards linked to their Adword accounts, which puts those credit cards at risk – a lot of damage can be done before the bank puts a stop to it.

A spokeswoman for Netsafe said the agency had fielded no reports of Ad Words hacks.


Erica Anderson, a senior incident manager with the government's Computer Emergency Response Team (CERT NZ) did not report any specific Google Ad World related incidents either, but added:

"In our most recent figures, account compromise was the third highest category of incidents reported to CERT NZ. 71 reports of account compromise were received between April and June 2018."

When accounts are only secured using a password, an attacker can either try guessing your password, try passwords from previous data breaches, or try to trick you into giving them your password, for example in a phishing attack, she said.

"Your accounts are valuable. Some accounts, like Google accounts, can be linked to multiple other websites so if an attacker gains access to one account, they can easily access more. Some accounts may also store sensitive data, like client information or intellectual property.

"Accounts should be protected with two-factor authentication, particularly those which give access to multiple sites and services. When two-factor authentication is applied, even if an attacker had the password they couldn't access the account unless they had access to another form of authentication like an app on your phone or a hardware security key."