Scam Of The Week - Fake News: a Content-based Social Engineering Attack



Facebook, Google, and Twitter have recently been facing scrutiny for promoting fake news stories. Depending on your sources and who you believe, fake news played and is still playing a role in the 2016 presidential election.

However, fake news is misused in a number of ways, especially in an election season, and we have seen plenty of examples in the last few weeks:

  • Propaganda, trying to influence opinion like RT.COM
  • Direct attacks on a political opponent
  • Stock manipulation scams
  • Shock people into clicking and infect their machine with malware (celebrity deaths)
  • Sell advertising

Fake news and its malicious cousin "malvertising" are among the hardest-to-spot types of social engineering attacks facing employees of both non-profits and for-profits.

“Fake news” can originate practically anywhere on the Internet through tweets, posts, digital images, video, and/or so-called "citizen journalist" sites where people can directly publish their content without fact-checking or any other kind of content-curation. And then there are the sites pretending to be legit news organizations but dedicated to only fake news. Here are a few examples:

  • Bipartisan Report
  • PoliticusUSA
  • USUncut
  • The Freethought Project
  • Politicalo / Newslo
  • DailyNewsBin
  • American News X
  • The Other 98%

This type of site is the most damaging. Their content is unmonitored, uncurated, and not fact-checked, and it can create a raft of problems for both the people who fall for that type of social engineering and the enterprise that is being targeted. A recent example is FitBit, which saw its stock jump and then crash because of a fake news stock manipulation scheme.

In another variation of a fake news attack, scammers launch stories announcing the untimely death or injury of a key corporate executive or celebrity. A big one on the enterprise side was in 2009, when the CNN iReport site posted news that AT&T CEO Randall Stephenson was "found dead in his multimillion dollar beachfront mansion" under questionable circumstances.  Recent fake news that Brad Pitt had committed suicide is fresh in memory.

In cases like stock scams, trading of these shares stops quickly, but the damage to the attacked company and its key partners and suppliers is done, and the bad guys have collected their ill-gotten gains. Fake news about M&A activity, clinical trials, product announcements, plant closings, earnings, executive appointments, product delays, partnerships, or headcount reductions might take only minutes to debunk, but can impact revenues, operations and business reputations for weeks.

Realistically, the only team in any organization that can deal with this type of attack is the security department, but few organizations actively monitor for and defend against false news. It's a good idea to conduct an external threat audit across all threat sources, not just social networks, blog sites, wikis, discussion forums, and video sites, but also mobile app stores, online marketplaces, and domains. Organizations like BrandProtect and PhishLabs are a good place to start for a quote.

What To Do About It

How do you train your employees about this risk? It's one of the most pernicious social engineering attacks out there. Here is some suggested copy you can cut / paste / edit and send to your employees, friends, and family:

Facebook, Google, and Twitter have recently been accused of promoting fake news stories.  Depending on your sources and who you believe, fake news played a role in the 2016 presidential election. However, fake news is misused in a number of ways:

  • Propaganda trying to influence opinion 
  • Direct attacks on a political opponent
  • Stock manipulation scams
  • Shock people into clicking and infect their machine with malware (celebrity deaths)
  • Sell advertising

So, how do you protect yourself against this type of scam? The very first thing you need to do with any kind of internet message you see is this: CONSIDER THE SOURCE.  Meaning you ask yourself the following questions: Where did this come from? Who wrote it? What is their agenda? 

There are a large number of false, misleading, clickbait, and/or satirical “news” sources you need to watch out for. Here are 8 Tips to analyze news sources and make sure you do not fall for their scams:

  1. Avoid websites that end in “lo”, for example Newslo. These sites take pieces of accurate information and then package that information with other false or misleading “facts”.
  2. Watch out for websites that end in “.com.co” as they are often fake versions of real news sources, and strange or unusual domain names are a big Red Flag.
  3. If other known and reputable news sites are not also reporting on the story, that is a Red Flag.
  4. If it is an anonymous story and there is no known / trusted author, it's suspect.
  5. Some news organizations are letting bloggers post under their banner, but many of these posts are opinion and not facts; make sure you note the difference (ex: BuzzFeed, Forbes blogs).
  6. If you are in doubt because of bad design or grammar/spelling, check their “About Us” tab or look them up on Snopes for verification of that source.
  7. If the story makes you upset or angry, it’s a good idea to keep reading about the topic using other sources to make sure the author wasn’t doing that on purpose (with potentially misleading or false information) to generate shares and ad revenue.
  8. It’s always best to read multiple sources of information to get a variety of viewpoints and perspectives, which allows you to spot bias in reporting and confirm information with other sources before you decide to take action. 

To summarize, consider the source, double check if the data is correct using other reliable sources, and especially with "fake news"... Think Before You Click!

Let's stay safe out there.

Warm regards,

Stu Sjouwerman

Founder and CEO, KnowBe4, Inc.


  Hat Tip to Melissa Zimdars
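
Tips 1 and 2 in the list above are mechanical enough to run over links pulled from mail or proxy logs. The following Python is an added example, not code from the original post or from KnowBe4; the outlet allow-list, function names and sample links are constructed assumptions, and a hit is a prompt to apply the remaining tips (check the source, look for corroboration), not a verdict.

```python
from urllib.parse import urlsplit

# Assumption: constructed list of outlets the organization treats as genuine.
KNOWN_OUTLETS = {"example-news.com", "dailyexample.com"}

def hostname(url):
    """Lower-cased host of a link; tolerates a missing scheme, port, userinfo."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def red_flags(url):
    """Return the tip 1 / tip 2 red flags a link raises (empty list if none)."""
    host = hostname(url)
    labels = host.split(".")
    flags = []
    if host.endswith(".com.co") and len(labels) >= 3:
        # Tip 2: ".com.co" hosts are often fake versions of real news sources.
        imitated = ".".join(labels[-3:-1])
        if imitated in KNOWN_OUTLETS:
            flags.append("com.co copy of " + imitated)
        else:
            flags.append("com.co domain")
        site = labels[-3]
    else:
        # Naive site label: no public-suffix list, so "name.co.uk" is missed.
        site = labels[-2] if len(labels) >= 2 else host
    if site.endswith("lo"):
        # Tip 1: site names ending in "lo" (the page's example is Newslo).
        flags.append("name ends in lo")
    return flags

def triage(urls):
    """Map each flagged link to its red flags; unflagged links are omitted."""
    report = {}
    for url in urls:
        flags = red_flags(url)
        if flags:
            report[url] = flags
    return report

# Constructed sample links, as they might appear in a mail or proxy log.
SAMPLE = [
    "http://WWW.Example-News.com.co/ceo-found-dead?id=1",
    "https://samplelo.example/article",
    "https://www.example-news.com/markets",
    "breakinglo.com.co:8080/story",
]

if __name__ == "__main__":
    for link, flags in triage(SAMPLE).items():
        print(link, "->", ", ".join(flags))
```

The host is taken from the parsed URL rather than matched against the raw string, so a real outlet's name placed in the userinfo part of a link (before an `@`) does not hide the `.com.co` host that is actually contacted.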



