2017-01-04

Regardless of your partisan persuasion, your opinion of mainstream media, or your opinion of the ‘alt-right,’ one thing is certain: ‘fake news’ is ‘old news’ when it comes to the weaponization of information by nation states and cyber mercenaries. Cyber adversaries tailor spear-phishing and malvertising lures to exploit cyber-hygienically inept users’ insatiable need to ‘click’ on anything and everything that momentarily catches their attention. Lures range in complexity from precise, error-free, custom-tailored spear-phishing emails that leverage the target’s LinkedIn profile to typo-filled mass spam; however, the goal of every social engineering campaign is the same: to entice a target demographic of users to share information, open an email, download an attachment, visit a watering-hole site, and so on. For cyber adversaries, social engineering campaigns are low risk, high probability of success, low investment, and high reward. Since the attacker needs only one user, out of hundreds or thousands of potential targets within an organization, to respond to the lure, social engineering remains the dominant attack vector used by sophisticated and unsophisticated cyber adversaries alike. In this manner, a single click can deliver a devastating malicious payload that will haunt an organization for years to come.

Advanced Persistent Threat (APT) groups are sophisticated adversaries with access to significant resources and the capability to launch sustained, dedicated attack campaigns. APTs have been a prevalent category of cyber adversary since at least the early 2000s; however, analysis of APTs did not become widespread until around 2014, and mainstream media did not discuss APTs until after the late-2014 hack of Sony Pictures [1].

Social engineering campaigns require interaction with the victim and depend on tempting the target to neglect cyber-hygiene best practices. These attack vectors, which include spear-phishing emails, watering-hole sites, malvertising, and the like, aim to get the target either to disclose sensitive information through interaction with the adversary or their malware, or to download and execute a malicious payload that installs malware on the victim system and establishes a beachhead from which the adversary can move laterally throughout the organizational network and compromise additional systems. Adversaries prefer social engineering campaigns that require the lowest investment of time, attention, and other resources; as a result, attack vectors that turn poor user cyber-hygiene into the automatic installation of malware on victim systems are typically favored over attack vectors that require the constant attention of the attackers. APTs, cybercriminals, and other cyber threat actors (such as the sample described below) often bait their social engineering lures with news and fake news tailored to their target demographic, because news and current-events articles are relevant to the widest victim pool across the most sectors. Further, a lure built around real or fake news has a significant chance of undermining targets’ mental defenses and cyber-hygiene training.