Fake News Is A Real Cybesecurity Risk

From fake outlandish crime stories to the reporting of fake stories tied to real events and suspected government manipulation, there was so much fake news in 2017 that the Collins Dictionary made this term their Word of the Year, and this is NOT fake. 

But the viral nature of fake news headlines and hoaxes does more than spread misinformation and cause confusion, it presents extensive cyber-security risks that are not making the news.

Advanced fake news spreads using a global network of hoax websites. Attackers can amplify their content and messages using social media, clickbait and advertising. 

Furthermore, access to data and analytics on content performance and visitor demographics ensures they are able to accurately target and hone the virality of their messages. 

Here’s a simple and tasty example to show how this works.
In September 2017 a story was released just in time for Halloween with the title, “World’s most popular candy to be removed from shelves by October 2017.” The story was published on breakingnews247.net, and was instantly shared almost 70,000 times across social media channels. 

The story was even starting to appear on local news and health food websites. Although the story was fabricated and had no ramifications other than causing a handful of individuals to panic and load up on Reese’s Pieces, the potential impacts go much further. 

With so much data in the hands of a hoax site owner and the ability to rapidly spread content, it would be easy to pivot to more nefarious activities like spreading malware.

The risk of sharing a sensational story is not so obvious, after all, it’s only news, right? But fake news stories are hosted on websites that, although they may look harmless to visitors, actually have the ability to hide malware in plain sight by concealing malicious code inside its content. 

This practice is called steganography. In 2016, an exploit kit named Stegano was discovered that uses steganography to hide malware inside images that are hosted on remote webservers and delivered as ads. Stegano is built with the intelligence to disable antivirus protections in place and can be modified to deliver a damaging payload, such as ransomware, to initiate an effective targeted attack. Let’s apply this to fake news: a fake news story is created and shared with a sensational image that contains malware. The story can then be targeted based on social platform, domain name and/or region to reach a susceptible audience that ensures amplification. 

A user sees the story, clicks to read and shares, immediately becoming infected in the process and further spreading the malicious content to their social networks. While we have yet to see fake news become a primary weapon for attackers, it’s only a matter of time. In the next year or so, it’s likely that mass socially engineered attacks will become a key tactic for modern hackers or activist groups, with fake news being a weapon of choice. 

We need to be thinking now about ways to not only reduce the risk imposed by fake news, but also educate people to better identify these threats. So, how can we do this?

● Establish user awareness. Fake news spreads because people naturally want to share information with their social networks. Before sharing a link, always take time to review it – often the URL will be extremely similar to the real site, but with tiny differences. 
An example of this is the “share to get free stuff” social media scam. At a glance it looks identical, but the shared link has added characters. A quick review could prevent the unnecessary spread of fake information.

● Utilise profiling services. To keep ahead of targeted campaigns, a number of security companies now offer profiling services that monitor the internet for possible targeting, website hijacking or spoofed company domain names.

● Secure and monitor the entire network. Make sure that you have the right security in place to protect the network and ensure that corporate data remains safe. Installing the latest endpoint security solution and keeping it up-to-date will reduce the risk of any malware being able to infect devices. Also, monitor the network to spot anomalous traffic as early as possible. This prevents malware from contacting C&C servers to activate and also reduces the risk of data leaving the network.

● Stay ahead with machine learning and automation. Once a fake news site has been recognised, it can be instantly blacklisted with updated policies pushed out to all devices automatically. In addition, the benefit of a cloud-based solution means that everyone subscribed to the service will be aware of, and protected against, the threat in near real-time.

While awareness is key and technology is a great assistant, there is one simple practice we can all adopt: think before you click or share. If it seems too good to be true, then it probably is.

It’s quite possible that the news story you’re about to share could be part of something much more damaging.

Security Week

You Might Also Read:

Spies Hack Journalism:

On Twitter Fake News Gets More Traction Than Truth:
 

 

« Are Women Better At Cyber Security?
Breakthrough Technologies To Combat Insider Threats »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Purdicom

Purdicom

Purdicom (formerly known as Selcoms) is an award winning distributor specialising in Wireless, Cloud & Security technologies.

CyberSmart

CyberSmart

CyberSmart is a platform that allows you to maintain compliance, achieve certification and secure your organisation.

Cybertekpro

Cybertekpro

Cybertekpro is a specialist insurance broker providing Cyber Liability insurance and cyber risk assessment services.

Identillect Technologies

Identillect Technologies

Identillect Technologies provide a user-friendly secure email solution to protect critical information, with an emphasis on simplicity.

Virsec Systems

Virsec Systems

Virsec detects and remediates previously “indefensible” advanced memory-based attacks on critical applications and server endpoints.

ERMProtect

ERMProtect

ERMProtect is a leading Information Security & Training Company that helps businesses improve their cybersecurity posture and comply with regulations.

SoftLock

SoftLock

Softlock is a regional leader in Information Security providing solutions, consulting, integration and testing services to protect information assets, identities and supporting infrastructure.

Jeffer Mangels Butler & Mitchell LLP (JMBM)

Jeffer Mangels Butler & Mitchell LLP (JMBM)

JMBM is a full service law firm providing counseling and litigation services in a wide range of areas including cyber security.

Cyberspace Solarium Commission (CSC)

Cyberspace Solarium Commission (CSC)

The Cyberspace Solarium Commission was established to develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.

CyberRisk Alliance (CRA)

CyberRisk Alliance (CRA)

CyberRisk Alliance is a business intelligence company created to serve the rapidly evolving cybersecurity and information risk management marketplace.

Crosspoint Capital Partners

Crosspoint Capital Partners

Crosspoint Capital Partners is a private equity investment firm focused on the cybersecurity and privacy sectors.

Deft

Deft

Deft (formerly ServerCentral Turing Group) is a trusted provider of colocation, cloud, and disaster recovery services.

Rolls-Royce Cybersecurity Technology Research Network

Rolls-Royce Cybersecurity Technology Research Network

Rolls-Royce has partnered with Purdue University and Carnegie Mellon University to create the Rolls-Royce Cybersecurity Technology Research Network.

Vali Cyber

Vali Cyber

Vali Cyber was founded in 2020 with the mission of addressing the specific cybersecurity needs of Linux.

Computer Futures

Computer Futures

Computer Futures are a global specialist IT recruitment partner, matching candidates with roles across niche IT markets and core technologies.

Softcell Technologies Global

Softcell Technologies Global

Softcell is one of India's leading System Integrators. We serve enterprise customers in the areas of IT Security, Mobility, Optimised IT Infrastructure, Cloud and Engineering Services.