Fake news is the deliberate distribution of lies with the goal of swaying public opinion or dividing people. It has gotten the attention of information security professionals because it's difficult to identify and block — and because it helps spread malware.
“Fake news factories have engaged in operations to influence many citizens whether it is for marketing purposes, purchasing decisions, political instability, or just a misdirection to the real intention,” says Joseph Carson, chief security scientist at password management company Thycotic. “Social media and online services have been the primary victims as the users are now being fed with continuous feeds of information with no way to determine the authenticity of the source or whether it is trustworthy.”
How fake news delivers malware
Another problem is that fake news often has a secondary purpose. Scott Nelson, vice president at security training company SecureSet, says fake news is the latest attack vector for social engineering and hacking activity. Similar to a phishing attack, many variables are at play. Not every questionable link on Facebook is considered fake, and automated detection tools are not quite able to identify every story that’s suspicious or outright false.
“The introduction of malware embedded in images, links and downloads of the fake news story, email or social media site should be of increasing concern to organizations,” says Nelson. “These tactics are no longer the sole space of criminal organizations or spammers but are now used by nation states to attack or spread propaganda, compromise systems, inflict physical damage, or conduct espionage.”
Nelson says the enterprise is blissfully unaware of how much fake news behaves like malware (and often carries the same payload intended to harm users). That’s why hackers have taken advantage of this “look the other way” approach to classifying the fake news. “Organizations should be concerned that unsuspecting employees are falling prey to these new tailored campaigns [that spread] their political ideas or gossip,” he says.
What to do about the fake news threat
Hamid Karimi, vice president of business development at BeyondSecurity, says that fake news is often difficult to quantify or analyze, but the process of detecting the malware hasn’t changed. Sites that distribute fake news often distribute malware as well, he says, so companies need to classify them as such. Often, the intent is to hijack user accounts, spread the malware, and cause other problems in the same way a phishing attack might work.
“CIOs and CISOs must be concerned with fake news in the sense that such cases typically indicate the presence of malware, not the other way around,” says Karimi. “If users in their communications with others reference sites with malware payloads, this is clearly of significant concern to all security professionals.”
Isabelle Dumont, vice president at cloud security firm Lacework, says that companies might not need to worry about the overall pollution caused by fake news — it’s an impossible task to eradicate it — but they can start controlling their cloud infrastructures, looking for hijacks and other attacks that distribute the malware associated with the fake news.
Twitter is often the primary method to spread fake news (and therefore the associated malware). Karimi says hackers use a method called a DoubleSwitch, where they take over an account, propagate the fake news links, and cause other accounts to spread the links even further — all leading to more malware infections. Stopping the delivery of fake news through Twitter (or other social media) is tedious and difficult, because so many fake accounts are on Twitter.
Carson says the primary concern right now is that companies are mostly ignoring fake news propagation as a tip-off. Some companies are attempting to block the activity using algorithms and some human intervention, but it’s not enough.
While using fake news to deliver malware through social media is new, the methods for identifying and blocking the malware are similar to what you would do for phishing attacks: recognize and report incidents, let the security response team investigate, and resolve any networking issues that allowed the malware.
Carson notes that the response should be immediate and thorough, because the window of opportunity for shutting down malware is small, especially if there is a known fake news ploy on social media and employees are susceptible to it. “Many companies have corporate IT policies that define acceptable use, password policies, rules and in some cases, incident response procedures,” says Carson. “Every employee should be familiar with these procedures because rapid responses tend to reduce problems or damage from the incident.”