There’s a reason why companies have so much trouble keeping up with cyber attackers. Every time you think your new security appliance is the perfect defense, attackers change things up to stay one step ahead.
And now, the bad guys are taking advantage of fake news, getting you to click on infected links and launch malvertising campaigns.
Don’t lose hope! Be aware, be alert—and most importantly, be ready to respond to attacks!
The Proliferation of Fake News
Social media has become the primary source of news for so many people. This might fit into today’s digital demands, but it also opens the door for cyber criminals to show off their social engineering skills and launch new types of attacks.
Especially in the wake of this past election season, fake news has become a mainstream problem. Even Google and Facebook have started to address the problem as fake news sites leverage the low barriers to entry for their ad networks.
Some ways that fake news is becoming a problem for users include:
- Fake news as direct attacks on people, policies, businesses, etc.
- Scare tactics that cause stock crashes—especially for gold and silver markets
- Exaggerated false stories that lead to malicious links (just look at attacks through fake celebrity death stories)
- Click bait that redirects to advertising schemes
These social attacks typically come in the form of malvertising (malicious advertising).
The Growing Malvertising Problem
Malvertising is a type of attack in which hackers leverage online ad networks to inject websites with malware-infused advertisements. This is different than a basic phishing campaign where attackers want to trick you into clicking a malicious link.
Instead, attackers want to infect a website with legitimate traffic and spread their malware at scale. We might think about fake news as illegitimate—but that’s the problem. Fake news sites have built real audiences through scare tactics and exaggerated stories that people believe. When these people have been tricked into visiting fake news sites, attackers can strike and deliver threats.
That being said, malvertising isn’t just a fake news problem. Big media companies like Yahoo!, The New York Times, BBC and more have all been hit by malvertising campaigns. How are we letting this happen?
According to Malwarebytes Labs, the problem is that attackers can sign up for ad networks and lace their advertisements with invisible web elements that force drive-by downloads of malware when you visit a website. Sure, this could happen to any website. But you’re more likely to run into it if you’re on a fake news site!
What to Do If You’re Been Hit by Malvertising
With so many problems arising with fake news, there has been a boom in lists of fake news websites. Whether it’s Wikipedia’s list, the great “False, Misleading, Clickbait-y, and Satirical ‘News’ Sources” list, or another collection, you have plenty of help to identify fake news sources.
But even if you avoid these sites, browse safely online, and avoid malicious links, malvertising is passive to the point that you can still be infected. There are steps you can take to be better-protected, but you have to be prepared to respond just in case!
One important note about malvertising—it’s simply a vehicle to deliver malware that targets your machine’s vulnerabilities. So you can’t just focus on stopping malvertising infections. You have to know how to remove the malware it delivers.
Research shows that 70% of malvertising campaigns deliver ransomware as a payload. What you really need is a plan to respond to growing ransomware threats.
Ransomware: Hostage Rescue Manual, you can learn to survive a ransomware scare from a malvertising campaign.
There’s no doubt that malvertising and fake news are growing, formidable challenges. If you are managing a corporate network, one of the keys to security is to ensure visibility for your network traffic and in-line appliances.
If you want to learn more about guaranteeing visibility with the right security architecture, download this free white paper, Managing the Edge of the Network: A New Necessity for Security Architects.