When the story broke a week before the election about Macedonian teenagers creating fake pro-Trump news stories in order to harvest ad clicks, it triggered a serious feeling of déjà vu among those who work in cybersecurity.
Scrappy bands of shady Eastern European entrepreneurs taking advantage of weaknesses in our tech infrastructure to make a buck, and maybe fulfill more sinister designs? The debate over fake news is roiling the political world, but elements of it look very familiar to tech veterans—and represent a potentially new attack vector that IT needs to worry about.
Greg Mancusi-Ungaro, CMO at BrandProtect, emphasizes that false and misleading information online can affect your company and should definitely be on the radar of IT security. "It's likely that fake news wasn't even a security or IT concern until recently," he says. "It has long been the domain of the investor relations or the marketing or PR departments. But that needs to change. Security needs to adjust. Realistically, security or IT are the only teams in the company who have the expertise and the mindset to deal with real time attacks."
Chris Ensey, COO of Dunbar Security Solutions, traces the origins of the fake news phenomenon to an environment IT security is well familiar with. The explosion of WordPress-powered blogging sites in the early-to-mid '00s, driven partly by earnest bloggers but often by get-rich-quick schemes to harvest ad clicks or spread malware, created an internet that was, as he put it, "riddled with content with varying levels of legitimacy."
Fake news turns out to be just another malicious payload delivered by an ecosystem that's already developed all sorts of tradecraft for doing just that.
True to this origin story, fake news has an underreported role to play in phishing scams. Users are mostly trained to understand that a "too good to be true" email about a Nigerian fortune shouldn't be clicked on—but what about a story saying that a political candidate you hate is going to jail?
"These additional security exposures greatly increase the risk of employees being compromised," says Scott Carlson, technical fellow at BeyondTrust. "Because they're the one searching, they often forget that links they find are equally as dangerous as links they are sent via email. Taking the standard preventative measures to remove administrative rights from the endpoint and increase awareness at the layer of proxy control for employees are two ways in which you can reduce the risk internally."
Fake news should also be familiar to security pros under other guises. For instance, Kasey Cross, director of product management at LightCyber, notes that "penny stock traders have used fake news for years to drive up—or damage—stock prices," giving the example of a shell company called ABM Capital falsely claiming it was acquiring FitBit.
This kind of organized rumormongering doesn't just help those looking to benefit from short-term stock spikes. "Spreading a rumor can force an official comment on sensitive issues," says Douglas Boemker, a counterintelligence specialist who is the CEO of Macrotec Security. "And false information can poison the well on deals."
When it comes to stopping the spread of false information, IT security has something of an advantage over those grappling with the issue in the media at large, says Boemker. "Organizations should have established lines of communication, and they can quickly reach out to employees to clear up confusion," he says. "Since people within an organization tend to know where they can obtain reliable sources of information, any skillful handling of company communications, internal or public relations, goes a long way."
Holding back the tide
Controlling the flow of fake information outside the company is a more formidable task, though. "Security must extend their protective monitoring to include external activity that can arise literally anywhere on the internet—Twitter, Facebook, LinkedIn, citizen-journalism aggregators, video sites, fringe news outlets, blogs, article comments, and thousands of other sites," says BrandProtect's Mancusi-Ungaro.
"It is an immense task. But it must be done. Companies that have the resources should build out their monitoring teams to include these requirements. This will involve hiring a team of engineers and threat analysts, and building the tools and processes to conduct the monitoring. Companies that don't have the resources should engage with a growing group of expert services providers that deliver external threat monitoring services on a 24/7/365 basis."
The tech tools offered to protect companies could also be applied to the fake news problem at large, says Dunbar's Ensey. "There are companies with products and services that mine social media networks to identify malicious links that are being posted with the hopes that they can compromise different users," he says.
"I think you'll probably start to see some of these tools turn their analysis towards reputation and information about the site. They'll use content inspection to see if it's something that's been reposted in many different places in many different ways. There are scoring systems that can be built on top of existing social media cybersecurity technologies that can be adapted to that fake news media."
But Dunbar's Ensey explains how programmatic tools can look below the surface to spot the scam. "You can look at the history of the domain," he says. "If this URL's been hosted on 40 different IP addresses in the last six months, that's a pretty big indicator that there might be something a little fishy. I think you can make the argument that for sites that haven't been online very long, that don't score well with Alexa or other ranking engines, there should be some means of marking this in an automated fashion, just like the security lock on your browser URL."
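The domain-history checks described above can be sketched as a small scoring routine. This is an added example, not code from the article or from any vendor it mentions; the 40-IP, six-month figure comes from the quote, while the age and rank thresholds, the flag names and all sample records are assumptions constructed for illustration.

```python
from datetime import date, timedelta

WINDOW = timedelta(days=182)    # "the last six months"
MAX_IPS_IN_WINDOW = 40          # figure quoted in the article
MIN_AGE_DAYS = 180              # assumption: younger counts as "not online very long"
MAX_TRUSTED_RANK = 1_000_000    # assumption: cut-off for a ranking engine

def assess_domain(resolutions, registered, rank, today):
    """Return (flags, distinct recent IP count) for one domain.

    resolutions: (date_seen, ip) passive-DNS style observations
    registered:  registration date, or None if unknown
    rank:        popularity rank (1 = most visited), or None if unranked
    """
    cutoff = today - WINDOW
    recent_ips = {ip for seen, ip in resolutions if cutoff <= seen <= today}
    flags = []
    if len(recent_ips) >= MAX_IPS_IN_WINDOW:
        flags.append("ip-churn")
    if registered is None or (today - registered).days < MIN_AGE_DAYS:
        flags.append("young-or-unknown-age")
    if rank is None or rank > MAX_TRUSTED_RANK:
        flags.append("low-rank")
    return flags, len(recent_ips)

def label(flags):
    """Collapse flags into a browser-style marker: ok / caution / suspicious."""
    if "ip-churn" in flags or len(flags) >= 2:
        return "suspicious"
    return "caution" if flags else "ok"

# Constructed sample data: reserved .example names and documentation IP ranges.
TODAY = date(2017, 1, 15)
def days(n):
    return TODAY - timedelta(days=n)

SAMPLES = {
    "established-news.example": (
        [(days(10), "192.0.2.10"), (days(100), "192.0.2.10"), (days(400), "192.0.2.11")],
        date(2005, 3, 1), 5000),
    "breaking-story.example": (
        [(days(3 * i), f"203.0.113.{i}") for i in range(1, 46)]        # 45 recent IPs
        + [(days(300 + i), f"198.51.100.{i}") for i in range(1, 11)],  # outside window
        date(2016, 11, 1), None),
    "small-blog.example": ([(days(20), "192.0.2.77")], date(2012, 6, 1), None),
}

def run_samples():
    """Score every sample; returns {domain: (label, recent_ip_count, flags)}."""
    return {d: (label(f), n, f) for d, (res, reg, rank) in SAMPLES.items()
            for f, n in [assess_domain(res, reg, rank, TODAY)]}
```

A single weak signal only earns a "caution" marker, so a long-lived but unranked personal blog is not lumped in with a weeks-old domain that has cycled through dozens of hosts.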
If it makes you feel any better, if you're reading this article, you probably don't fall for many fake news scams. "I would argue that fake news has had less of an impact on the security industry than society as a whole," says John Dickson, principal of Denim Group. "Most security folks are a skeptical bunch. They are always on watch for inbound phishing and social engineering campaigns, and thus are probably bigger doubters than the average reader.
"Also, most of them get their regular feeds from trusted sources—bloggers, industry writers that cover security, and colleagues in the security industry. They're less likely to go down a rabbit hole of fake news from their Facebook feed or sketchy sources they do not trust."
So if you're worried about your own susceptibility to fake news, put yourself in that skeptical mindset—and tell your friends to do the same.