Fake news has been in the headlines a lot lately, after becoming a major topic of discussion during the recent U.S. presidential election. What many people might not realize—and what IT and security executives need to think about—is the security implications of fake news sites.
These sites are designed to attract as many visitors as possible in order to drive up online ad revenues. But they can also be used as a way to lure unsuspecting users into becoming victims of attacks such as phishing, malware and denial of service (DoS). This can have a broad impact on organizations, considering how damaging these attacks can be when they get out of hand.
What makes fake news content so worrisome from a security and privacy standpoint is that social media sites such as Facebook and Twitter can help spread viewership of such content extremely quickly. Companies such as Facebook and Google are taking steps to address the issue of fake news content, but the problem is pervasive and the security threats are real.
Fake news presents yet another way for cyber criminals to launch phishing, malware and other attacks, much like email and instant messaging have served as delivery mechanisms for these threats over the years.
In a recent post, James Scott, a senior fellow at the Institute for Critical Infrastructure Technology (ICIT), a cyber security think tank, noted that fake news lures “range in complexity from precise, error-free custom tailored spear-phishing emails that leverage the target’s LinkedIn profile, to typo-filled mass-spam.” But the focus of every social engineering campaign is to entice a target demographic of users to share information, open an email, download an attachment or visit a particular site, he said.
“A single click can deliver a devastating malicious payload that will haunt an organization for years to come,” Scott said. “Advanced persistent threat [APT] groups are sophisticated adversaries with access to significant resources that are capable of launching sustained dedicated attack campaigns.”
A lure based around fake news has a significant chance of undermining targets’ mental defenses and cyber-hygiene training, Scott said. “Victims interact with news lures for several reasons, which include a drive to be ‘up-to-date’ or current; a sense of urgency; socio-political polarization; curiosity; or fear,” he said. “The most effective lures either incorporate a real news article as an attachment, as a malicious link to a compromised site, or as a tantalizing banner bordering an article tailored to the potential victims.
The post concludes by stating that cyber threat actors “are actively and aggressively weaponizing information in order to deliver malicious payloads that parasitically infest networks and that lead to the theft of intellectual property” and other threats. “Make no mistake, cyber adversaries will continue to utilize news and fake news lures in their social engineering campaigns,” he said. “As an increasing number of adversaries begin to capitalize on news and fake news, the lures will continue to become more sophisticated and more convincing, the malicious payloads attached to them will become more multi-functional and complex, and the impact on individuals and critical infrastructure systems will increase in frequency and severity.”
IT and security executives need to get up to speed as quickly as possible on the cybersecurity threats of fake news, or they might face the prospect of having their own organizations become victims of related attacks.
One thing organizations can do is continuously monitor fake news sites to look for potential hazards. This can be labor intensive, so any analytical tools would be helpful. Many companies are already using technology tools to monitor security threats, and those same resources might be helpful in detecting threats related to fake news. If internal staffing is tight, it might make sense to hire help from outside to address the issue of fake news security threats.
Perhaps even more important, executives need to educate employees about the possible dangers of fake news. Just as organizations have had to teach people not to open unknown email attachments or fall victim to phishing attacks, they need to hammer home the idea that clicking on fake news stories or associated content can lead to security breaches that can expose personal and company data.
Along with education, companies need to create and enforce policies regarding the use and spreading of fake news within the organization. While many workers today use their own personal devices for work, that doesn’t mean they should put corporate data and systems at risk by clicking on questionable links tie to fake news.
By taking these steps, IT and security leaders can do their part to avoid or minimize the damage from fake news to their organizations.