Beyond Fake News: How to Spot Fake Email, Websites and Protect Yourself from Malware

Beyond Fake News: How to Spot Fake Email, Fake Websites and More
This post was published on the now-closed HuffPost Contributor platform.

In the past year, we’ve heard a lot about the rise of fake news.

Often these stories are laughably false, like the one that said Pope Francis endorsed Donald Trump for President (he hadn’t), or the one claiming that the Mayan calendar had been updated and the world would be ending on January 20, 2017 (it didn’t).

As we all know, real fake news stories are written like professional news articles, have the same journalistic style, and often appear on websites that are nearly indistinguishable from legitimate news sites.

As a result, people are all too willing to share these stories on Facebook and Twitter, where their friends will often re-share without looking too closely at the original story. And that’s the goal: By tricking a few people, they build a tidal wave of social amplification that helps to advance a certain point of view — or to erode trust in the media.

But the news media isn’t the only industry that is swamped by fakes. Companies across a large swath of industries also have to deal with fake websites, emails and products. And even governments have to watch out for fake communications.

Fake Communications, Fake Websites

For example, customers of Charles Schwab may have received an email recently that appeared to be a warning about irregular activity on their account. It said that their account had been locked for their protection, and asked them to click on a link in order to unlock the account and verify their identity.

Unfortunately, the email was a fake. If recipients looked closely, they would have seen that the sender wasn’t schwab.com, but scwab.com.
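A mail filter can do the "look closely" step automatically. The sketch below is an added example, not something from the original article: it compares the domain in a From: header against a list of protected brand domains and flags near-misses such as scwab.com. The function names, the threshold of two edits and the sample headers are assumptions made for illustration.

```python
from email.utils import parseaddr

# Brand domains to protect; these three are the ones named in this article.
PROTECTED = {"schwab.com", "docusign.com", "irs.gov"}

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "shcwab" typed for "schwab".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]

def sender_domain(from_header):
    """Return the lower-cased domain of a From: header value, or '' if none."""
    addr = parseaddr(from_header)[1]
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def classify(from_header, protected=PROTECTED, max_dist=2):
    """Label the sender domain relative to the protected list (hypothetical helper)."""
    dom = sender_domain(from_header)
    if not dom:
        return ("unparseable", None)
    if dom in protected:
        # The header matches, but headers can be forged; authentication decides.
        return ("exact", dom)
    for brand in sorted(protected):
        if dom.endswith("." + brand):
            return ("subdomain", brand)
    best = min(sorted(protected), key=lambda p: osa_distance(dom, p))
    if osa_distance(dom, best) <= max_dist:
        return ("lookalike", best)
    return ("unrelated", None)

if __name__ == "__main__":
    # Constructed sample headers, not taken from real messages.
    for hdr in ['"Charles Schwab" <alerts@scwab.com>', "alerts@schwab.com"]:
        print(hdr, "->", classify(hdr))
```
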

Earlier in the year, the document-signing service DocuSign had to deal with a similar outbreak of fakes. Hackers got ahold of a list of 100 million customer names and emails, and then used that list to craft an email campaign aimed at DocuSign’s customers. Emails looked like a request to sign a DocuSign document, but actually contained a nasty payload: A Word document with macros in it that, if run, would download malicious content from the web.

This happens enough that DocuSign actually has a web page warning its customers about phishing attacks (it notes six separate phishing campaigns in the past 12 months) and telling them which fake emails they need to watch out for.

In our business as the inventor of an email trust platform, we’ve seen hundreds of millions of fake emails from senders pretending to be various U.S. companies in order to trick the recipients into clicking on a malicious link, entering a password on a bogus site, or downloading an attachment containing malware. The emails originate from all over the world, although in many cases the senders cluster in the U.S., Russia, China, and India.

Fake emails and fake company websites, like fake news stories, erode trust in the legitimate ones.

Governments Under Attack

What’s worse is that these fakes can also target governments. For instance, it recently came to light that Russian hackers have been targeting U.S. officials staying in European hotels. The hackers got into the hotel’s Wi-Fi networks by tricking hotel staff into downloading a fake reservation document that actually contained a malware payload (and yes, they used a fake email to do it). In one case they also got a government official to download malware directly with a fake update to the Adobe Flash software.

What if you were applying for a visa to visit the U.S., or a green card? Right now, it’s way too easy for hackers to impersonate U.S. agencies, such as USA.gov, USCIS.gov (the Citizenship and Immigration Service), and CBP.gov (Customs and Border Patrol), by sending emails to individuals that appear to come from those sites. Imagine that you were waiting for a decision on your visa, and you got an email that appeared to come from USA.gov asking you to click on a link to confirm your personal details. Would you click on it?

Similarly, the IRS puts out warnings almost every year telling U.S. citizens to watch out for fraudulent emails from scammers pretending to be IRS agents.

What We Can Do

There’s been a vigorous debate about what we can do to stop the spread of fake news, but the solutions aren’t immediately obvious. Google, Facebook, and others have promised to crack down on fake news sites by de-prioritizing them in search results and news feeds, but determining which news sites are legitimate is still difficult and contentious.

Fortunately, when it comes to websites and email communications, there is a solution at hand. The Domain Name System (DNS) that handles domain names like IRS.gov and Docusign.com is a globally-accepted, distributed, secure database of brand identity for organizations, both corporate and governmental.

If you use a web browser to visit any site, like IRS.gov, you can be quite certain that what appears in your browser is coming from the IRS. With the addition of SSL certificates, there is an additional layer of authentication, because your browser can compare the certificate it receives from a site with the information published in DNS, enabling it to confirm that the communication hasn’t been intercepted and modified by some malicious third party.

Similarly, email authentication technologies use DNS to authenticate email messages. When a web server receives a message, it checks to see whether the apparent sender has published email authentication data to DNS. If so, it can use the data published there to verify whether the incoming message is legitimately authorized by that domain or not. Unfortunately, in the case of Docusign.com, as with many domains, that protection has not been enabled. (Our domain checker has the details on email authentication configuration for Docusign.com.)
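The check a receiver or a domain checker performs can be sketched as follows. This is an added example, not code from the original article: it assumes SPF and DMARC as the DNS-published authentication records (the article does not name specific standards), and it reads constructed TXT records from a dictionary instead of querying live DNS. The `.example` domains and all function names are hypothetical.

```python
# Constructed TXT records standing in for DNS answers (not real data).
SAMPLE_DNS = {
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "monitor.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none"],
    "open.example": ["site-verification=constructed-value"],
}

def dmarc_policy(txts):
    """Return the p= policy of the single valid DMARC record, else None."""
    records = []
    for txt in txts:
        tags = [part.strip().partition("=") for part in txt.split(";") if part.strip()]
        # A DMARC record must start with the version tag v=DMARC1.
        if tags and tags[0][0].strip().lower() == "v" and tags[0][2].strip() == "DMARC1":
            records.append({k.strip().lower(): v.strip() for k, _, v in tags})
    if len(records) != 1:  # none published, or ambiguous duplicates
        return None
    policy = records[0].get("p", "").lower()
    return policy if policy in ("none", "quarantine", "reject") else None

def spf_all(txts):
    """Return the qualifier on SPF's 'all' term: '-', '~', '?', '+', or None."""
    records = [t.split() for t in txts if t.split() and t.split()[0].lower() == "v=spf1"]
    if len(records) != 1:  # no SPF record, or duplicates (an SPF error)
        return None
    for term in records[0][1:]:
        term = term.lower()
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return "?"  # no 'all' term; redirect= modifiers are not followed here

def assess(domain, dns=SAMPLE_DNS):
    """Summarise what a domain has published for email authentication."""
    # Simplification: no fallback to the organizational domain's DMARC record.
    policy = dmarc_policy(dns.get("_dmarc." + domain, []))
    return {
        "dmarc": policy,
        "spf_all": spf_all(dns.get(domain, [])),
        # Only quarantine/reject tells receivers to act on failing mail.
        "spoofing_blocked": policy in ("quarantine", "reject"),
    }

if __name__ == "__main__":
    for name in ("strict.example", "monitor.example", "open.example"):
        print(name, assess(name))
```

Authentication of this kind covers mail that claims the exact protected domain. It does not cover a look-alike sender domain such as the scwab.com address described earlier, which can publish valid records of its own.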

In the future, DNS may evolve to become a much more widespread platform for authenticating communications of all kinds.

While there may not be a central authority to help us decide which news sites are fake, there is such an authority for domain names, and it’s the DNS. That’s a good place to start in the war on fakes.
