Fake News Is Exposing You to Malware!

Gavin Phillips 13-02-2017

Fake news. This loaded term framed the opening months of 2017. It is going to be a prominent feature of the next four years. And despite the danger in peddling such a line, it is becoming an all-too-common feature of our daily news intake.


Fake news isn’t just spreading an alternative truth. Sites delivering fake news also serve up something more immediately dangerous (depending on who you ask): malware.

Is the risk posed by fake news peddlers real? Or is the risk only as real as the fake news?

Why Is There a Problem?

Malware is always in the news. Specifically, ransomware has become a plague upon everyone: home users, business, charities, government organizations, hospitals, you name it and they’ve likely paid a ransom Don't Pay Up - How To Beat Ransomware! Just imagine if someone showed up on your doorstep and said, "Hey, there's mice in your house that you didn't know about. Give us $100 and we'll get rid of them." This is the Ransomware... Read More .

At the same time, mainstream media (MSM) has become a focal point for disillusionment. Perception of MSM is usually tied to a political view, and the trust individuals can afford specific publications. The “fake news” tag is used to decry writing that doesn’t fit with a specific world view. Magnified by years of mistrust and the belief that MSM outlets are merely propaganda tools, people are turning to alternative sources for their daily dose of the news. I must add that this isn’t limited to a single demographic, gender, age, or even country.

A January 2016 study by the Pew Research Center found that 62 percent of U.S. adults get their news through social media, with 18 percent doing so often. The social media site makes a difference, too.


Fake News Is Exposing You to Malware! Pew Research Where Do We Get Our News

The backlash against traditional news sources has seen a seismic shift in exactly where we get our news from. The shift has been a fantastic opportunity for malware purveyors.

The News Is Infectious

We have seen a surge in malware distributed via social media networks under the guise of a news article. The infections have come from a range of sources, too.


For instance, in November 2016, infections rates for the infamous Locky ransomware soared Your New Security Threat for 2016: JavaScript Ransomware Locky ransomware has been worrying security researchers, but since its brief disappearance and return as a cross-platform JavaScript ransomware threat, things have changed. But what can you do to defeat the Locky ransomware? Read More during a Facebook-focused campaign using a new malicious code embedding technique. Attackers found a way to embed malicious code into an image file. Once the image file is uploaded to Facebook, it is shared between thousands of users. The embedded code forces an end-user’s computer to download the file, and automatically infects as soon as it is double-clicked. Security research experts Check Point discovered the attack vector rendered major social networks such as Facebook and LinkedIn vulnerable — however, the vector has since been fixed.

Another example involves the disappearance of Malaysian Airlines flights MH370, and downed-flight MH17. These shocking events were capitalized upon by Naikon, a notorious Asian hacking group. The group used targeted spear phishing New Phishing Techniques To Be Aware of: Vishing and Smishing Vishing and smishing are dangerous new phishing variants. What should you be looking out for? How will you know a vishing or smishing attempt when it arrives? And are you likely to be a target? Read More emails titled with breaking news or new information relating to both incidents. Emails contained attachments loaded with a malicious payload, or directed to a video attachment that installs a remote access Trojan (RAT).

Play on Our Fears

Infected fake news articles usually play on the fears of citizens, like you and I. But that isn’t always the case. Consider a leak containing brand-new images of an upcoming smartphone, or salacious gossip concerning yet another outrageous celebrity. Both can send scores of users looking for the most up to date details on the breaking story. This presents a prime opportunity for malware operators who can move fast. Move quickly, and enough traffic can be captured before alarm bells are ringing.


Traffic can be captured using an exact copy of the most popular news stories. Displaying accurate information lends authenticity to the site, even if the URL is News featuring polarizing or condemning views will be readily consumed as well as widely shared. Consequently, a fake news article can spread around the world before the truth has even got its trousers on. Or in this case, an infection can claim thousands of victims before the site is shut down, or even a warning is produced.

James Scott, Senior Fellow at the Institute for Critical Infrastructure Technology explains:

Cyber adversaries tailor spear phishing and malvertising lures to stimulate cyber-hygienically inept users’ insatiable need to “click” on everything and anything that momentarily ensnares their attention. Lures range in complexity from precise, error-free custom tailored spear-phishing emails that leverage the target’s LinkedIn profile, to typo-filled mass-spam; however, the focus of every social engineering campaign is to entice a target demographic of users to share information, to open an email, to download an attachment, to visit a watering-hole site, etc.

All it takes is one unaware user, blindly clicking, to cause significant damage.

Fake News Is Actually Fake Sometimes

Amusingly (or not, I guess), a fake news story hits that sounds so real, so factual, that mainstream media outlets pick it up and report it.


The Washington Post initially ran a story declaring that malicious code closely associated with infamous Russian hacking operation Grizzly Steppe was found “within the system of a Vermont utility Ukraine's Power Grid was Hacked: Could It Happen Here? A recent cyber attack on a Ukranian power grid has demonstrated that our fears were well-founded - hackers can target critical infrastructure, such as power grids. And there's little we can do about it. Read More .” Understandably, this prompted massive security fears at a sensitive time for Homeland security affairs.

This was rapidly followed by a second story walking back on the allegations of Russian interference. By the time a third version of the story was circulating: the internet traffic that raised the supposed red flag may in fact have been harmless. Burlington Electric’s communication director Mike Kanarick said:

It’s unfortunate that an official or officials improperly shared inaccurate information with one media outlet, leading to multiple inaccurate reports around the country.

But that wasn’t before Vermont Governor Peter Shumlin stoked the fires of fury by commenting that “Vermonters and all Americans should be both alarmed and outraged that one of the world’s leading thugs, Vladimir Putin, has been attempting to hack our electric grid, which we rely upon to support our quality-of-life, economy, health and safety.” Not only was it wrong, it showed the glaring issue with misinformation, even amongst top state officials.

Avoiding Fake News Infections

When we get our news through social media, it is much easier for attackers to incorporate their own websites and links into something we will happily click upon. Malware purveyors exploit our need to be up-to-date with breaking news, playing on a false sense of urgency brought upon us by technological immersion.

You don’t have to become a statistic. Here are some ways of avoiding fake news 10 Tips to Avoid (Spreading) Fake News During a Crisis Here's how to avoid fake news and how you can stop spreading fake news on social media. Read More and a potential infection:

  • Choose your sources — Don’t click everything your friends post to social media. Check the reputation of the sites they do post.
  • Wait a little — The news will still be the news in ten minutes, but a major outlet will have more detailed coverage.
  • Consideration — How can a tiny one-person gossip blog with 15 followers break a major news headline? Answer: they can’t.
  • Consider some more — Work outwards from a trusted, major news source. Start with the New York Times or WSJ, and then find other sources. A good starting point is

There are also three Chrome extensions that attempt to cut fake news out of your life Avoid Fake News and Verify the Truth With These 5 Sites and Apps There are plenty of lies floating around on the internet. From extensions that flag notorious fake news outlets to websites that bust hoaxes and myths, here are the five resources you need. Read More :

Victims are predisposed to interact with all news, not just fake. In this, we are all a potential victim, as the real news becomes a weaponized tool for malware distribution 7 Types of Computer Viruses to Watch Out For and What They Do Many types of computer viruses can steal or destroy your data. Here are some of the most common viruses and what they do. Read More .

Do you trust mainstream media? Or is social media your go-to for breaking news? Let us know your thoughts on fake news and malware below!

Image Credit: panuwat phimpha via

Related topics: Fake News, Malware.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. D Mac
    February 13, 2017 at 7:04 pm

    I'd rather take the risk of getting a virus than listen to the lies of the liberal mainstream media.

    • Gavin Phillips
      February 13, 2017 at 7:25 pm

      That's a fair opinion. I would say that the alternative sites are just as likely to lie, albeit to a different agenda. And no site is guaranteed to be free of malicious intent, be that via malvertising or a compromised link. So long as you take precautions, you'll be fine.

      Thanks for reading and commenting.