When the story broke a week before the election about Macedonian teenagers creating fake pro-Trump news stories in order to harvest ad clicks, it triggered a serious feeling of déjà vu among those who work in cybersecurity.
Scrappy bands of shady Eastern European entrepreneurs taking advantage of weaknesses in our tech infrastructure to make a buck, and maybe fulfill more sinister designs? The debate over fake news is roiling the political world, but elements of it look very familiar to tech veterans—and represent a potentially new attack vector that IT needs to worry about.
Greg Mancusi-Ungaro, CMO at BrandProtect, emphasizes that false and misleading information online can affect your company and should definitely be on the radar of IT security. "It's likely that fake news wasn't even a security or IT concern until recently," he says. "It has long been the domain of the investor relations or the marketing or PR departments. But that needs to change. Security needs to adjust. Realistically, security or IT are the only teams in the company who have the expertise and the mindset to deal with real time attacks."
Chris Ensey, COO of Dunbar Security Solutions, traces the origins of the fake news phenomenon to an environment IT security is well familiar with. The explosion of WordPress-powered blogging sites in the early-to-mid '00s, driven partly by earnest bloggers but often by get-rich-quick schemes to harvest ad clicks or spread malware, created an internet that was, as he put it, "riddled with content with varying levels of legitimacy."
Fake news turns out to be just another malicious payload delivered by an ecosystem that's already developed all sorts of tradecraft for doing just that.
True to this origin story, fake news has an underreported role to play in phishing scams. Users are mostly trained to understand that a "too good to be true" email about a Nigerian fortune shouldn't be clicked on—but what about a story saying that a political candidate you hate is going to jail?
"These additional security exposures greatly increase the risk of employees being compromised," says Scott Carlson, technical fellow at BeyondTrust. "Because they're the one searching, they often forget that links they find are equally as dangerous as links they are sent via email. Taking the standard preventative measures to remove administrative rights from the endpoint and increase awareness at the layer of proxy control for employees are two ways in which you can reduce the risk internally."
Fake news should also be familiar to security pros under other guises. For instance, Kasey Cross, director of product management at LightCyber, notes that "penny stock traders have used fake news for years to drive up—or damage—stock prices," giving the example of a shell company called ABM Capital falsely claiming it was acquiring FitBit.