The Synergy of Growth Hacking And “Hacking”

“Growth Hacking” has become a popular term over the last decade, especially the last five years. It’s now completely normal to see jobs being advertised as “Growth Marketer Wanted”, etc – but the term has more than a simple connection to its original “hacker” connotation in my opinion.

I feel somewhat qualified to write this post because I am a happy and content blend of both: a Cybersecurity Professional (CEH, Security+ Certified) and a qualified and active Growth Hacker and SEO guy in Hong Kong.

I’ve worked for both camps and as every year goes by I notice the similarities between the two disciplines getting closer and closer.

Slow Undetected Scraping

…as a Growth Hacker…

In Growth Hacking, we scrape vast amounts of data from resources such as LinkedIn, Facebook, Instagram, Pinterest, Quora, etc. In Cybersecurity, a Penetration Tester (or “Ethical Hacker”) does precisely the same but for slightly different reasons.

Scraping data is a violation of the terms of service for social media giants like LinkedIn and Facebook – but doing so is not illegal as far as I can tell. As a result, these companies make huge efforts to deter growth hackers and data scrapers from accessing their data. They do this by detecting patterns and sensing “non-human” behaviors.

For example, LinkedIn is notoriously difficult to scrape in the sense that their systems can easily pick up non-human activity, so the trick is to delay your scraping actions, i.e. scrape a profile or a company page once every minute, or once every 62 seconds.

Why 62 Seconds?

Because the programmers have likely said, “OK, anything under a minute (60 seconds) is probably not a human”, so set your bot to work slightly over a minute.

As soon as non-human behavior is detected, the IP can be blacklisted or put on warning, and every time an HTTP request comes in from it they can, and often do, block the IP origin.
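Seen from the platform's side, the fixed "under a minute" rule described above is only one signal; how evenly a client's requests are spaced is a second, independent one. The sketch below is an added example, not code from the original post or from any platform: the log format, thresholds and IP addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def classify(lines, min_requests=10, rate_floor=60.0, max_cv=0.05):
    """Map each client IP to a verdict from 'timestamp ip path' log lines."""
    seen = defaultdict(list)
    for line in lines:
        ts, ip, _path = line.split()
        seen[ip].append(datetime.fromisoformat(ts))
    verdicts = {}
    for ip, stamps in seen.items():
        if len(stamps) < min_requests:
            verdicts[ip] = "insufficient-data"
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: spread of the gaps relative to their mean.
        cv = pstdev(gaps) / avg if avg else 0.0
        if avg < rate_floor:
            verdicts[ip] = "too-fast"        # the fixed "under a minute" rule
        elif cv <= max_cv:
            verdicts[ip] = "metronomic"      # slow, but timed like a scheduler
        else:
            verdicts[ip] = "human-like"
    return verdicts


def series(ip, gaps, start=datetime(2024, 1, 1, 9, 0, 0)):
    """Build constructed log lines for one client from a list of gaps (seconds)."""
    t, out = start, []
    for gap in [0] + gaps:
        t += timedelta(seconds=gap)
        out.append(f"{t.isoformat()} {ip} /profile")
    return out


# Constructed sample traffic (documentation-range IPs, not real clients).
SAMPLE = (
    series("203.0.113.9", [2] * 11)        # burst client
    + series("203.0.113.7", [62] * 11)     # one request every 62 seconds
    + series("198.51.100.4", [75, 240, 62, 600, 130, 95, 310, 61, 480, 150, 88])
    + series("198.51.100.8", [30, 45])     # too few requests to judge
)

if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE).items():
        print(ip, verdict)
```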

…as a hacker…

Hackers (in the original “hacking” sense of the word) also use almost identical techniques to procure data. A “black-hat” hacker would do so using proxies and anonymizing their IP addresses, whilst the “white hat” hacker would be performing a penetration test or vulnerability scan under permission, so anonymising their IP would not be necessary.

In any event, the logic is identical.

Say, for example, that you are enumerating a target or scanning for open ports using a tool like nmap; the principles are very similar. Indeed, a successful and highly skilled hacker will scan a network s-l-o-w-l-y, sending pings at a pace that will not trip any firewalls or other security devices.
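For the defender, the point of the paragraph above is that a per-minute rate rule never sees a slow scan, while counting distinct targets per source over a long window does. The sketch below is an added example, not part of the original post; the event tuple layout, the 60-second and 24-hour windows, the threshold and all addresses are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def scanners(events, window, threshold=15):
    """Return {src: peak distinct (dst, port) targets seen inside any window}.

    events: iterable of (timestamp, src_ip, dst_ip, dst_port) tuples.
    Only sources whose peak reaches `threshold` are returned.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        by_src[src].append((ts, (dst, port)))
    flagged = {}
    for src, rows in by_src.items():
        rows.sort()
        in_window, left, peak = Counter(), 0, 0
        for ts, target in rows:
            in_window[target] += 1
            # Slide the left edge forward until the window length is respected.
            while ts - rows[left][0] > window:
                old = rows[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


# Constructed firewall events (documentation/private addresses, not real hosts).
T0 = datetime(2024, 1, 1, 0, 0, 0)
SAMPLE = [
    # One probe every 5 minutes, each to a different port on the same host.
    *[(T0 + timedelta(minutes=5 * i), "203.0.113.50", "10.0.0.5", 20 + i)
      for i in range(20)],
    # An ordinary client that keeps returning to the same HTTPS service.
    *[(T0 + timedelta(minutes=3 * i), "10.0.0.20", "10.0.0.5", 443)
      for i in range(30)],
]

if __name__ == "__main__":
    print("60 s window:", scanners(SAMPLE, timedelta(seconds=60)))
    print("24 h window:", scanners(SAMPLE, timedelta(hours=24)))
```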

Using Proxies

…as a Growth Hacker…

Every growth hacker will have multiple proxies.

The best proxies to use are mobile IP addresses because they are (currently) more trusted than static/residential proxies in my opinion.

Using proxies is a must when it comes to data-scraping and any form of growth automation. As soon as the social media platform (for example) or even Google for that matter, detects that their servers are being hit multiple times in seconds then they’ll block your IP address – hence the use of proxies and being able to rotate them.

There are hundreds of different proxy providers but let’s just summarize by saying that if you don’t use proxies as a growth marketer then you’ll likely not get very far.

…as a hacker…

Evading capture is the name of the game as a hacker.

Using proxies to “hop” your real location is an absolute must when it comes to hacking systems (either as an Ethical Hacker or Black Hat).

The systems are the same as are the processes; the only exception might be that the growth hacker will use their own credit card when purchasing proxies (or another identifiable payment form) whereas the hacker will almost certainly use some form of cryptocurrency.

Social Engineering

…as a growth hacker…

Fake social media accounts are a must when it comes to any form of growth marketing. A growth hacker will have dozens (even hundreds) of social media accounts that scrape and disseminate marketing messages.

Why does a growth hacker need dozens (or hundreds) of social media accounts? For the simple reason that the accounts will get burned or discovered and you’ll be left with nothing.

The clever growth marketer would never use their own Facebook, Instagram or LinkedIn profile, and would instead use dozens of other accounts (using proxies) to either scrape or perform other mass-marketing activities.

…as a hacker…

Social Engineering is huge.

From the physical point-of-view all a hacker needs to do is put on a high-visibility shirt, don a hardhat and hold a clipboard and they’ll be able to enter many high-security buildings. Once inside that building then all they need do is place a USB into a machine and, in theory, as long as that network is inside the DMZ then you’ll be good to go!

Being able to spoof and punk your victim is critical when it comes to hacking. Phishing emails, and being able to get RATs onto victims’ computers, are wholly dependent on the hacker convincing their victim, via social engineering, to take any action “that they shouldn’t”.

Google Dorks!

…as a growth hacker…

This is a major similarity.

Think about it – for scraping data from websites you can search by keyword or by what is in the “title” of the meta tag (“title tag”) or the keyword within the actual “URL”, like this:

site:example.com intitle:hacker OR inurl:hacker

For those using scraping tools like Scrapebox this search string will look very familiar. Typically I will run a scan using a string like the one I have written above for hundreds (if not even thousands) of websites within Google’s search engine.

Most of the time these scans are highly effective and generate the desired results.

In the above example you’d get the actual full path URLs of the websites that contained the keyword: “hacker”.

You’d absolutely have to use proxies to run a scan like the one I have mentioned above; Google will kick you off within a matter of seconds once they see you bombard their servers with requests.

This post is not finished – instead, when more synergies come to me I will add them here.

…as a hacker…

Google dorking is a requisite for a hacker of any colored hat.

The premise is exactly the same: you are using a search engine, like Google, to perform multiple searches on your behalf for vulnerabilities or other data that has been unwittingly left on a server.

Shodan is a great example of a ton of pre-built Google Dorks that scan the web for vulnerable webcams, equipment, and computers – all done via the signatures that they leave online.

(Growth) Hacking Tools

We all need tools to do our job.

…as a growth hacker…

There is a plethora of growth hacking tools on the market. In fact, you’d be really up against it if you didn’t have any tools to use.

Some tools that I like and use include:

  • Scrapebox
  • Xenoposter
  • Phantombuster
  • OctopusCRM
  • Screaming Frog
  • HREFS

…and many others.

All of these tools work within the same principles as the tools listed in my hacking tools section of this site.

In fact, I’ve written a post on some of the SEO hacking tools that come bundled with Kali Linux. The principles are the same: you use code (mostly Python) to automate tasks that scrape data and execute commands on your behalf.

There are hundreds thousands of growth hacking tools on the market, some are fantastic, others just disappear over time; but in any event, they help us do our job!

If you can think of other similarities between “hacking” in the information sense of the word and “growth hacking” in the marketing sense of the word please drop a comment below!

Henry "HMFIC"

I'm Henry, the guy behind this site. I've been Growth Hacking since 2002, yep, that long...
