Fake news. This loaded term framed the opening months of 2017. It is going to be a prominent feature of the next four years. And despite the danger in peddling such a line, it is becoming an all-too-common feature of our daily news intake.

Fake news isn't just spreading an alternative truth. Sites delivering fake news also serve up something more immediately dangerous (depending on who you ask): malware.

Is the risk posed by fake news peddlers real? Or is the risk only as real as the fake news?

Why Is There a Problem?

Malware is always in the news. Specifically, ransomware has become a plague upon everyone: home users, businesses, charities, government organizations, hospitals. You name it, and they've likely paid a ransom.

At the same time, mainstream media (MSM) has become a focal point for disillusionment. Perception of MSM is usually tied to a political view, and to the trust individuals afford specific publications. The "fake news" tag is used to decry writing that doesn't fit with a specific world view. Magnified by years of mistrust and the belief that MSM outlets are merely propaganda tools, people are turning to alternative sources for their daily dose of the news. I must add that this isn't limited to a single demographic, gender, age, or even country.

A January 2016 study by the Pew Research Center found that 62 percent of U.S. adults get their news through social media, with 18 percent doing so often. The social media site makes a difference, too.

The backlash against traditional news sources has seen a seismic shift in exactly where we get our news from. The shift has been a fantastic opportunity for malware purveyors.

The News Is Infectious

We have seen a surge in malware distributed via social media networks under the guise of a news article. The infections have come from a range of sources, too.

For instance, in November 2016, infection rates for the infamous Locky ransomware soared during a Facebook-focused campaign using a new malicious code embedding technique. Attackers found a way to embed malicious code into an image file. Once the image file is uploaded to Facebook, it is shared between thousands of users. The embedded code forces an end-user's computer to download the file, and the machine is infected as soon as the file is double-clicked. Security researchers at Check Point discovered that the attack vector rendered major social networks such as Facebook and LinkedIn vulnerable -- however, the vector has since been fixed.

Another example involves the disappearance of Malaysia Airlines flight MH370 and the downing of flight MH17. These shocking events were capitalized upon by Naikon, a notorious Asian hacking group. The group used targeted spear phishing emails titled with breaking news or new information relating to both incidents. Emails contained attachments loaded with a malicious payload, or directed to a video attachment that installs a remote access Trojan (RAT).

Play on Our Fears

Infected fake news articles usually play on the fears of citizens, like you and me. But that isn't always the case. Consider a leak containing brand-new images of an upcoming smartphone, or salacious gossip concerning yet another outrageous celebrity. Both can send scores of users looking for the most up-to-date details on the breaking story. This presents a prime opportunity for malware operators who can move fast. Move quickly, and enough traffic can be captured before alarm bells start ringing.

Traffic can be captured using an exact copy of the most popular news stories. Displaying accurate information lends authenticity to the site, even if the URL is supertopkekbanternewzlels.kp. News featuring polarizing or condemning views will be readily consumed as well as widely shared. Consequently, a fake news article can spread around the world before the truth has even got its trousers on. Or in this case, an infection can claim thousands of victims before the site is shut down, or even a warning is produced.

James Scott, Senior Fellow at the Institute for Critical Infrastructure Technology, explains:

Cyber adversaries tailor spear phishing and malvertising lures to stimulate cyber-hygienically inept users' insatiable need to "click" on everything and anything that momentarily ensnares their attention. Lures range in complexity from precise, error-free custom tailored spear-phishing emails that leverage the target's LinkedIn profile, to typo-filled mass-spam; however, the focus of every social engineering campaign is to entice a target demographic of users to share information, to open an email, to download an attachment, to visit a watering-hole site, etc.

All it takes is one unaware user, blindly clicking, to cause significant damage.

Fake News Is Actually Fake Sometimes

Amusingly (or not, I guess), sometimes a fake news story hits that sounds so real, so factual, that mainstream media outlets pick it up and report it.

The Washington Post initially ran a story declaring that malicious code closely associated with infamous Russian hacking operation Grizzly Steppe was found "within the system of a Vermont utility." Understandably, this prompted massive security fears at a sensitive time for Homeland security affairs.

This was rapidly followed by a second story walking back the allegations of Russian interference. Then came a third version of the story: the internet traffic that raised the supposed red flag may in fact have been harmless. Burlington Electric's communication director Mike Kanarick said:

It's unfortunate that an official or officials improperly shared inaccurate information with one media outlet, leading to multiple inaccurate reports around the country.

But not before Vermont Governor Peter Shumlin stoked the fires of fury by commenting that "Vermonters and all Americans should be both alarmed and outraged that one of the world's leading thugs, Vladimir Putin, has been attempting to hack our electric grid, which we rely upon to support our quality-of-life, economy, health and safety." Not only was it wrong, it showed the glaring issue with misinformation, even amongst top state officials.

Avoiding Fake News Infections

When we get our news through social media, it is much easier for attackers to incorporate their own websites and links into something we will happily click upon. Malware purveyors exploit our need to be up-to-date with breaking news, playing on a false sense of urgency brought upon us by technological immersion.

You don't have to become a statistic. Here are some ways of avoiding fake news and a potential infection:

  • Choose your sources -- Don't click everything your friends post to social media. Check the reputation of the sites they do post.
  • Wait a little -- The news will still be the news in ten minutes, but a major outlet will have more detailed coverage.
  • Consideration -- How can a tiny one-person gossip blog with 15 followers break a major news headline? Answer: they can't.
  • Consider some more -- Work outwards from a trusted, major news source. Start with the New York Times or WSJ, and then find other sources. A good starting point is AllSides.com.

There are also three Chrome extensions that attempt to cut fake news out of your life:

  • FiB: Stop Living a Lie -- Created during a 36-hour hackathon, this extension plows through your Facebook feed in real-time, verifying links and posts. Also verifies images.
  • S. Detector -- Works similarly to FiB but covers Facebook, Twitter, and other news sites. Slightly faster than FiB, but no image verification.
  • Official Media Bias Check -- Media Bias doesn't scan through your social media streams, but it does help when you land on a news source of ill repute.

Victims are predisposed to interact with all news, not just fake. In this, we are all potential victims, as the real news becomes a weaponized tool for malware distribution.

Do you trust mainstream media? Or is social media your go-to for breaking news? Let us know your thoughts on fake news and malware below!

Image Credit: panuwat phimpha via Shutterstock.com