- Marketing automation platforms are susceptible to DoS attacks
- A large-scale marketing automation DoS has never been reported
- Lack of occurrence does not mean lack of potential
When you type a URL into your computer’s browser or click on a Web site link, you expect the Web page to quickly load. Unfortunately, Web pages sometimes take a long time to load (7 seconds, 15 seconds, 48 seconds). This latency can occur naturally, for example, when a site is overrun by traffic generated from a major advertising campaign (e.g. a Super Bowl commercial) or when a link embedded in a popular (separate) Web site drives a massive increase in traffic (see Slashdot Effect). This latency can also be malicious – an attack to limit or prevent a system from achieving its intended function. This is called a denial-of-service (DoS) attack.
Although a large-scale marketing automation platform (marketing automation) DoS has never been reported, marketing automation platforms are susceptible to DoS attacks – just like Web sites. Lack of occurrence does not mean lack of potential. I don’t think all organizations need to be concerned about a marketing automation DoS attack, but some organizations – especially those whose Web sites have been subjected to a DoS attack – should consider this as possibility. And remember that there are a number of potential groups that could carry out such an attack, from disgruntled employees and customers to unethical competitors.
So, let’s imagine an attack that is a variation on the DoS attack: The attacker submits a large volume of leads to negatively impact the organization – anywhere from a few dozen to a few hundred each day. The individual or group might target the organization’s online registration forms by going though its Web site and identifying most of its registration pages. Looking at the HTML source code for each form, they could identify all of the form fields (including system values) and pick list values for each field. With this information, a large list of counterfeit contact records (e.g. first name, last name, phone, email address), proxy server addresses, a couple of computers and some light programming…whammo, an attack is now in the making!
This attack would make it difficult for the affected organization to distinguish real leads from fake leads and lead to a number of negative effects:
Sales spending a significant amount of time following up with fake leads
Sales not following up with real leads (due to all of the noise), thus hurting the sales pipeline
A decrease in email deliverability brought on by an increase in bounced email addresses and spam reports (assuming the organization emails fake leads)
Degradation in the quality of Web site and generation reports
The question is, what safeguards are currently available (or in place) to make this scenario less likely? For example, to what extent are CAPTCHA options available and in use? To what degree are form submissions monitored to highlight “unusual” occurrences? Have you discussed this potential issue with your IT department? If your organization has discussed scenarios like this, put in place preventative measures.
Is this something marketing organizations should be thinking about? Let us know in the comments. Also, keep in mind that though I focused this post on marketing automation, event management, email service providers, trouble tickets, blog platforms and other systems all have online forms, too – and are all also susceptible to attack.