By Steve King, LifeZette:
Hackers use sensationalized click bait to hit unsuspecting users with malware
A large, looming, and largely unrecognized risk from fake news is not the political impact of stories unfounded in reality or unsupported by fact — instead, it’s the impact a fake news story has as an attack vector for phishing campaigns. Fake news provides another way into your personal, private, and sensitive information.
Almost everyone understands now that there is no Nigerian prince seeking to transfer tens of millions into your checking account, but what of a “news” story that claims a political candidate you hate has committed a crime? Would you click on that?
The recent weaponization of news, often attributed to Russian intelligence services, plays on our obsession to follow and click on news stories that support our point of view. Sensational headlines are a compelling form of click-bait that entices even the most paranoid observers to dive into some apparent evidence that their hatred for, let’s say, President Donald Trump is indeed well-founded.
There are several effective ways to get there. A cyber-manipulator can compromise a legitimate news outlet and transform it into a watering hole full of malicious links, or they can purchase inexpensive banner ad space on a legitimate site and capture user clicks there. The trick is to be sensational yet nuanced. Sort of like The New York Times.
But the danger goes beyond your own private information. A fake news story is not asking you for your bank account. Modern malware is persistent and polymorphous. It can easily bypass perimeter defenses, filters, and end-point detection. Its whole purpose is to penetrate and set up camp somewhere inside your network so that it can do the same thing inside your company’s network when you log on there.
The fake news story that you click on using your iPhone during your morning commute will become a network infection within your organization by lunchtime. You won’t know it, nor will your network administrators. But, after you log on to your network with your iPhone, it will be there.
Malware is insidious. It needs neither a file nor a document to act as host. Once in place, it begins scanning and monitoring your network for vulnerabilities. It looks in operating systems, applications, files, hardware, and the cloud. It catalogs the vulnerabilities it finds and sends that list back to its command and control center. Most people these days think this is located in Russia or Iran or China. But, it could just as easily be two teenagers in Scranton.
The command and control center figures out which vulnerabilities it wants to attack and then sends instructions to the malware to begin gathering data and to prepare for exfiltration. This may occur over days, hours, weeks, or months. But you won’t know it is happening. Your network specialists and security analysts will most likely not know it is happening either. Without advanced behavioral analytics, which very few people are using, today’s malware is almost impossible to detect.
And just think, a simple click on a news story that appears to run in The New York Times Online edition started the whole thing.
We live in a full-on 24/7 assault environment where we are constantly bombarded with news, fake news, advertising, marketing theater, digital entertainment and information of all varieties. No matter how diligent we are, it is almost impossible to avoid a tawdry click, a gut reaction to an offensive headline, or a visceral response to a story that proves our point. Clicks will happen.
The current debate over fake news and the adversarial use of news by extremist groups on the far Right and Left actually distracts from the reality that weaponized information is being used to deliver malicious code into networks of all sizes and varieties. That malware will allow global attack networks to penetrate critical U.S. infrastructure, steal intellectual property, impose disruptions like the Internet outage last October and, more lethally, cripple physical distribution components on which we rely for power, water and transportation.
The proliferation of weaponized information has broad implications as a true existential threat that goes beyond political systems and seats of power.
These slopes have momentum of their own and right now, the bad guys are winning at a remarkable rate. The Trump administration needs to take immediate and bold steps to undermine these cyberattackers, impose cybersecurity mandates across all government agencies, and empower smart people to move swiftly toward advanced offensive and defensive weaponry so that we can aggressively tilt the playing field back in our favor before we run out of runway altogether.
Steve King is the COO and CTO of Netswitch Technology Management.