Television and radio broadcasters long ago learned that they could keep viewers and listeners tuned to their stations with “teasers,” or short announcements made before commercial breaks that promised exciting new information when the broadcast resumed.
Internet marketers extended the “teaser” concept into “clickbait,” which promises new or exciting information for a user who clicks a link in an email or on a social media site. The success of clickbait attracted hackers and cybercriminals, who are now using it to terrorize corporate information systems networks.
A 2016 analysis of the “Kovter” malware campaign reveals the risks that corporate networks face from clickbait and adware. The analysis suggested that corporate cybersecurity teams downplay clickbait and adware risks because of perceived greater threats from ransomware and other network cyberattacks.
Yet once a clickbait link passes a corporate network firewall, it can propagate to other network users and remain installed within the network. Cybercriminals are then able to remotely upgrade the link to give themselves greater control and access to other information on the network. Rather than crippling the network, the cybercriminals leach information from it that they are then able to sell to other hackers.
Network security personnel who try to block clickbait links from their networks are likely attempting to hold back the tide. Those links are prevalent throughout Facebook, Twitter, and other social media platforms, and hackers are increasingly proficient in convincing their targets to click on them. They frame clickbait links as enticing human interest stories, or they analyze a target’s social media habits and frame clickbait links to match the target’s interests. An employee who briefly lets his guard down or who is looking for a diversion from the routine of daily tasks might click on a malicious link without giving it a second thought. That one click can create a crack that later compromises an entire network.
Social media sites are one of the greatest threats to corporate networks because they are rife with ads and postings that include clickbait. Network cybersecurity experts recommend that corporations implement a number of steps to maintain their network security and to minimize the social media clickbait threat:
- Audit your own company’s social media presence. Understand who has authority to post information and how information is secured and monitored.
- Monitor different social media platforms to confirm that the company has no unauthorized social media presence.
- Establish a baseline for traffic on the company’s website and social media presence, and use that baseline to detect unusual amounts of traffic.
- Maintain strong policies that keep employees informed of what they can and cannot do online while they are signed into a corporate network.
- Watch social media platforms for unexplained changes and deviations not just in average traffic, but also with respect to the nature and quality of information that is disseminated about a company.
Employee compliance with policies may be the most difficult step to implement and enforce. Companies should emphasize, for example, the employees should never take online quizzes or surveys that are posted on social media, that they should not provide personal information or email addresses in order to access a social media posting, and that they should stay away from sites that entice them with information about popular culture.
Even the most stringent corporate policies, however, will not provide an absolute guarantee that an employee will refrain from clicking on an infected clickbait link. When that happens and a corporate network is compromised, the company’s direct and third-party costs can exceed hundreds of thousands or millions of dollars. In that case, network security insurance can be a critical tool to reduce the company’s exposure and losses. Cybersecurity insurance carriers can also work with a company to upgrade its network security and to reduce the risks of clickbait-associated malware attacks.
