2016 Elections Project Update: On Monday, just before the Super Tuesday Democratic Primaries, this "NY Times" article made the rounds on social media:
It wasn't legitimate. And it wasn't a parody. It was a fraud, pure and simple.
News of this fake article exploded on Monday, sending the NY Times and many other news organizations scrambling to disavow the article and have it removed from the web. Within a few hours, it was gone. But the damage may have already been done - the article was shared over 50K times, including 15K Facebook shares. It was probably viewed by hundreds of thousands of people across all kinds of social channels. Enough to swing an election? Possibly!
Cyber criminals are increasingly sophisticated. This fake article is just one example of how carefully and accurately cyber attackers mimic legitimate businesses. Notice the typefaces, the layout, the writing style, and the surrounding details (note the topical Chris Christie mention above the photo): they all combine to create a dead-on imitation of the actual NY Times style.
But there is something else about this attack that is crucial...
...it never crossed any security perimeter. The article "appeared" online, and was promoted, broadcast and rebroadcast by innocent third parties. The CISO at the NY Times never saw this article touch their security perimeter. Neither did the offices of Elizabeth Warren, or candidate Bernie Sanders. This fake article leveraged the public trust in the NY Times, and for a few hours on Monday morning, turned the political world upside down.
Phishing emails, copycat websites, and rogue mobile apps are just as sophisticated. It takes a practiced eye to spot sophisticated fakery. Not only that, you have to be looking for it. CISOs should view this incident as much more than an example of a political dirty trick. Instead, it is a very public example of the things that can happen to your business across social channels and domains.
Imagine what happens to a pharmaceutical company's stock price if a fake news item about FDA approval (or rejection) hits the street. Or an item or post about a manufacturer's hiring practice? A faked document about a possible merger or acquisition? Or a tweet about an executive's private life? Misinformation or disinformation attacks like these can spread at the speed of the Internet, gathering legitimacy through ubiquity.
The bad guys know this. They don't create these kinds of attacks for fun; they do it to profit from the chaos that follows.
To minimize your exposure to this kind of cyber attack, all security operations teams should be investing in comprehensive social risk monitoring. CISOs, take notice: though the attacks may never touch your security perimeter, they can devastate your business. It has never been more important to have visibility beyond the perimeter.