Fake News Is A Real Cybesecurity Risk

Uploaded on 2018-07-13 in TECHNOLOGY-Key Areas-Social Media, NEWS-Cybersecurity News, FREE TO VIEW

From fake outlandish crime stories to the reporting of fake stories tied to real events and suspected government manipulation, there was so much fake news in 2017 that the Collins Dictionary made this term their Word of the Year, and this is NOT fake. 

But the viral nature of fake news headlines and hoaxes does more than spread misinformation and cause confusion, it presents extensive cyber-security risks that are not making the news.

Advanced fake news spreads using a global network of hoax websites. Attackers can amplify their content and messages using social media, clickbait and advertising. 

Furthermore, access to data and analytics on content performance and visitor demographics ensures they are able to accurately target and hone the virality of their messages. 

Here’s a simple and tasty example to show how this works.
In September 2017 a story was released just in time for Halloween with the title, “World’s most popular candy to be removed from shelves by October 2017.” The story was published on breakingnews247.net, and was instantly shared almost 70,000 times across social media channels. 

The story was even starting to appear on local news and health food websites. Although the story was fabricated and had no ramifications other than causing a handful of individuals to panic and load up on Reese’s Pieces, the potential impacts go much further. 

With so much data in the hands of a hoax site owner and the ability to rapidly spread content, it would be easy to pivot to more nefarious activities like spreading malware.

The risk of sharing a sensational story is not so obvious, after all, it’s only news, right? But fake news stories are hosted on websites that, although they may look harmless to visitors, actually have the ability to hide malware in plain sight by concealing malicious code inside its content. 

This practice is called steganography. In 2016, an exploit kit named Stegano was discovered that uses steganography to hide malware inside images that are hosted on remote webservers and delivered as ads. Stegano is built with the intelligence to disable antivirus protections in place and can be modified to deliver a damaging payload, such as ransomware, to initiate an effective targeted attack. Let’s apply this to fake news: a fake news story is created and shared with a sensational image that contains malware. The story can then be targeted based on social platform, domain name and/or region to reach a susceptible audience that ensures amplification. 

A user sees the story, clicks to read and shares, immediately becoming infected in the process and further spreading the malicious content to their social networks. While we have yet to see fake news become a primary weapon for attackers, it’s only a matter of time. In the next year or so, it’s likely that mass socially engineered attacks will become a key tactic for modern hackers or activist groups, with fake news being a weapon of choice. 

We need to be thinking now about ways to not only reduce the risk imposed by fake news, but also educate people to better identify these threats. So, how can we do this?

● Establish user awareness. Fake news spreads because people naturally want to share information with their social networks. Before sharing a link, always take time to review it – often the URL will be extremely similar to the real site, but with tiny differences. 
An example of this is the “share to get free stuff” social media scam. At a glance it looks identical, but the shared link has added characters. A quick review could prevent the unnecessary spread of fake information.

● Utilise profiling services. To keep ahead of targeted campaigns, a number of security companies now offer profiling services that monitor the internet for possible targeting, website hijacking or spoofed company domain names.

● Secure and monitor the entire network. Make sure that you have the right security in place to protect the network and ensure that corporate data remains safe. Installing the latest endpoint security solution and keeping it up-to-date will reduce the risk of any malware being able to infect devices. Also, monitor the network to spot anomalous traffic as early as possible. This prevents malware from contacting C&C servers to activate and also reduces the risk of data leaving the network.

● Stay ahead with machine learning and automation. Once a fake news site has been recognised, it can be instantly blacklisted with updated policies pushed out to all devices automatically. In addition, the benefit of a cloud-based solution means that everyone subscribed to the service will be aware of, and protected against, the threat in near real-time.

While awareness is key and technology is a great assistant, there is one simple practice we can all adopt: think before you click or share. If it seems too good to be true, then it probably is.

It’s quite possible that the news story you’re about to share could be part of something much more damaging.

Security Week

You Might Also Read:

Spies Hack Journalism:

On Twitter Fake News Gets More Traction Than Truth:
 

 

« Are Women Better At Cyber Security?
Breakthrough Technologies To Combat Insider Threats »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Oneconsult

Oneconsult

Oneconsult provides cyber security services focusing on penetration tests / ethical hacking, ISO 27001 security audits and incident response & IT forensics.

Cyber Army Indonesia (CyberArmyID)

Cyber Army Indonesia (CyberArmyID)

Cyber Army Indonesia (CyberArmyID) is the first platform in Indonesia to collect and validate reports from hackers (referred to as Bug Hunter) regarding vulnerabilities that exist in an organization.

S4x Events

S4x Events

S4x are the most advanced and largest ICS cyber security events in the world.

24By7Security

24By7Security

24By7Security are Cybersecurity & Compliance Specialists with extensive hands on experience helping businesses build a defensive IT Infrastructure against all cyber security threats.

NanoVMs

NanoVMs

NanoVMs is the industry's only unikernel platform available today. NanoVMs runs your applications as secure, isolated virtual machines faster than bare metal installs.

SecZetta

SecZetta

SecZetta provides third-party identity risk solutions that are easy to use, and purpose built to help organizations execute risk-based identity access and lifecycle strategies.

Adarma Security

Adarma Security

Adarma are specialists in threat management including SOC design, build & operation.

Cloud Range

Cloud Range

Cloud Range provides cybersecurity teams with access to the world's leading cyber range platform, eliminating the need to invest in costly cyber range infrastructure.

Creative Destruction Lab (CDL)

Creative Destruction Lab (CDL)

Creative Destruction Lab is a nonprofit organization that delivers an objectives-based program for massively scalable, seed-stage, science- and technology-based companies.

FTx Identity

FTx Identity

FTx Identity is the world's most advanced age verification technology (AVT) and identity management system.

DESCERT

DESCERT

DESCERT offers you an extended IT, cyber security, risk advisory & compliance audit team which provides strategic guidance, engineering and audit services.

Zenzero

Zenzero

Zenzero simplifies technology adoption and supports our customers through managed and outsourced IT support.

Wattlecorp Cybersecurity Labs

Wattlecorp Cybersecurity Labs

Wattlecorp Cybersecurity Labs are a group of IT security specialists, ethical hackers, and researchers driven to identify security flaws before cyber threat actors does.

Ronet Cyber Security

Ronet Cyber Security

Ronet Cyber Security offers crypto forensics services for regulators, law enforcement, companies and individuals to ensure that your transactions are safe and secure.

M6iT Consulting

M6iT Consulting

M6iT Consulting is an industry-leading solution partner managing the IT requirements for a full range of companies.

Syteca

Syteca

Syteca is specifically designed to secure organizations against threats caused by insiders. It provides full visibility and control over internal risks.