SmarterMSP has highlighted the recent danger of malware and ransomware coming into email boxes tied to news of the day. An example might be an email appeal for funds related to post-election legal action or rebuilding after California’s wildfires. Other malware waves have arrived in people’s boxes in 2020 tied to COVID-19, hurricane relief, and other headline news.
MSPs have a whole arsenal of tools, like web filtering, that they can use to prevent people from unwittingly clicking on heavily socially engineered emails containing dangerous attachments. But there’s another, more vexing problem: fake news sites.
We aren’t talking about “fake news” in the context of political dialog. No, these are legitimate-looking news sites that are genuinely fake, run by criminal gangs or state sponsors who use them for a variety of malicious purposes.
The cybersecurity dangers of “fake news”
Here’s how it goes: A headline arrives in someone’s email box with something like this:
Georgia headed for a recount
There’s no suspicious attachment. The hackers have “cased” the victim’s social media and other online accounts and know that they are interested in the Georgia aspect of the Presidential race.
“And this is where things can go off the rails if you aren’t careful, and hackers know that,” says Adam Williams, independent journalism IT specialist in Memphis.
Williams told SmarterMSP the victim will get drawn in and click over to the site that appears to be a legitimate news site.
Cyberscoop then describes what happens next:
When targets land on the sites, they are presented with information intended to trick them into thinking the content on the site is trustworthy, such as custom logos and slogans that urge users to believe the fake site is “reliable” news.
What adds to the ruse’s effectiveness is that some of the news on the site is legitimate, harmless news reporting, which lulls the visitors deeper into complacency.
Some of the harm from such sites is purely self-inflicted, for example the lure of a phony Bitcoin investment scheme. Such a scheme was discovered earlier this summer:
The page sends this data when redirecting the victim to a fake news website tailored to look like a legitimate news site. The scammers even fake different news properties depending on the victim’s location. UK residents are taken to a spoofed page from the Daily Mirror, for example.
The fake news story describes the cryptocurrency investment scheme, misleading the victim by attaching a celebrity to the story and claiming that they had made lots of money with it. All links in the article would take the victim to a site for the investment fraud.
An employee losing money might not hurt the company directly, and it isn’t a network issue, but it could still become an organizational liability. An employee could say that the employer didn’t do enough to protect its employees from a harmful email.
Other fake news sites can be used to unleash malware on a network, steal passwords, log keystrokes, and make money for a criminal enterprise by providing “clicks” that drive up ad revenue on fake web pages.
A predicament for MSPs
Until recently, the problem of “fake news” websites was an easy one to solve: simply advise people to stick with legacy news sites and avoid unknowns. Now, however, doing that can pull MSPs unwittingly into the political fray. As information choices diversify and fragment, MSPs don’t want to be in the business of telling people what news sites they can and can’t visit, so it gets thorny.
What is a legitimate news site? The question has a million answers. And simply blocking some sites isn’t all that effective because new ones are a dime a dozen to create.
“There has to be some acknowledgment of the reality that during significant news cycles, many people will want to glance at the news quickly during the day. In another era, people would have glanced at a newspaper, and that was that,” Williams says. The newspaper didn’t pose an existential threat to the company, he adds, but a payload-packed news website can. Simply visiting the wrong one can unwittingly unleash a cyber disaster on the company.
“I’d be tempted to institute a company-wide policy of viewing news sites only on one’s personal device,” Williams advises.
Merely instituting a policy won’t eliminate the problem any more than putting up a “road closed” sign keeps every person from driving on the road. However, it does reduce risk by reducing traffic.
So the best advice for MSPs is to stay out of the business of policing what news sites can be visited and instead focus on targeted filtering, education, and trying to push the news onto people’s personal devices, where any consequences are more contained and self-inflicted.