Clickbait
They look harmless, and maybe even kinda fascinating. I’m talking about the little interest stories and quizzes that appear at the bottom of news stories, or sometimes on Facebook. Sometimes they are called “sponsored content” or something similar, and they usually have captions designed to draw you in. Maybe it’s “25 hidden secrets about Gilligan’s Island” (am I dating myself?) or a social media quiz about “You’re stranded in the jungle and can only have one movie: which would it be?” The general term for this kind of online advertising is “Clickbait”, and it is dangerous in at least two ways.
Malware
Clickbait advertising is designed to entice you to click often. That’s why those 25 hidden secrets about Gilligan’s Island are on 25 consecutive screens rather than one list. Someone is getting paid every time you click. If the advertisers or site owners are making money on every click, they may not be vetting those ads very closely, and it’s very easy for an attacker to buy an ad and plant malware in it. As you click through the list of fun facts, that malware could be installed, giving the attacker control of your computer and the information on it. Remember, although those lists appear on legitimate sites, most of them are really separate from the main website. So, while CNN or The New York Times may be very careful about the ads they serve up, they will be much less careful about the “sponsored content”. (We talked about malvertising in last month’s CISO Newsletter.)
KBA
Some websites still use “knowledge-based authentication (KBA)” as a tool to identify you, or maybe help you reset your password. If you’ve forgotten your password, they may ask you to provide some fact like your favorite movie or high school mascot. Attackers can plant “Stranded on a Desert Island” quizzes on social media, and can quickly learn things that may help them break into lots of people’s accounts. Since so many people use their email address as a user name, an attacker could attempt to log in with your email address to a major financial institution. If it happens to be the one you bank or invest with, the attacker armed with information about you might be able to reset your password and log in.
What can you do?
- Resist the urge to click on the “sponsored content” and similar clickbait links. At best they are designed to be time-consuming, and at worst they could carry malware.
- Similarly, skip the social media surveys. And the fact that a trusted friend passed it to you doesn’t make it any safer: your friend probably doesn’t know the original source.
- Set up 2-factor authentication and alerts on your online accounts. That way if someone logs in as you, or changes your password, you’ll be notified.
The Internet and social media are great sources for interesting and fun information, but don’t let your curiosity draw you into cyber schemes.
About Cybersafe
The Division of Information Technology is dedicated to informing the community of the latest cybersecurity threats. Visit fitnyc.edu/cybersafe and stay tuned for emails from [email protected] for the latest from the Cybersafe campaign at FIT.
-Walter Kerner
Assistant Vice-President and Chief Information Security Officer
Read past issues of the CISO Updates Newsletter here.