New Research Finds Spoofed Media Sites & Lack of GDPR Compliance

Two different studies found spoofed media domains revealing the potential for suspicious activity correlated with top U.S.-based news sources; and GDPR compliance and privacy governance still a challenge for most organizations.

“As distrust of traditional media continues to grow, and individuals continue to consume social networks as trusted news sources, protecting the public from disinformation campaigns has become pertinent to the democratic process,” Corin Imai, senior security advisor, DomainTools. Said. “Our research underscores the need for media outlets to leverage cyberthreat intelligence and maintain vigilance over efforts to undermine their credibility. Further, educational campaigns that raise awareness about these issues will continue to be necessary in mitigating risks that come with malicious activity targeted at legitimate media sources.”

The research uncovered how malicious actors use typo-squatting and spoofing on domains as tactics to carry out malicious campaigns. These campaigns can potentially exfiltrate personally identifiable information, download malware to a device, or spoof news sites to spread disinformation to the public. Imai further explained the method by which these campaigns are successful: “Phishing carried out by typosquatting domain campaigns are particularly worrisome as they allow for seemingly trusted websites, with legitimate SSL certificates, to trick internet users into a false sense of security.”

Some examples of fraudulent domains with a Risk Score of 70-plus (scores of 70-99 indicate domains share proximity to malicious infrastructure) in this research include:

• nytimesofficial[.]com
• usatosday[.]com
• washinqtonpost[.]com
• bistonglobe[.]com
• krebsonsecurity[.]org
• chicagotribunesnews[.]com
• newsdag[.]com
• cosonline[.]cn
• nydaiylnews[.]com

DomainTools suggested best practices for consumers and organizations alike when faced with uncertainty about a suspicious link: exercise scrutiny, and take a closer look at the email sender; take a more careful look at domains in emails and hover the mouse over a hyperlink before clicking; when browsing online to get caught up to speed on the daily news, consider going directly to the source instead of a third-party site as a safer alternative; and flag suspicious emails or newsletters and send those straight to the spam folder.

DomainTools offers several protection tools including PhishEye, which enables organizations to identify existing and new domains that spoof legitimate brands, products, organizations, or other key terms.

Meanwhile, a flash poll conducted by Chicago-based Baker Tilly Virchow Krause, LLP indicated that while the number of respondent organizations that believe they are compliant with the General Data Protection Regulation increased more than 20% in the eight months following the May 25, 2018 enforcement date, nearly 67% of companies responding to the poll are still not compliant. Additional data showed 36% of respondents identified information technology as responsible for data privacy at their organization.

“Privacy governance is relatively immature with organizations only beginning to incorporate it into their strategy,” David Ross, principal and growth leader of Baker Tilly’s privacy and cybersecurity practices, said. “At its core, privacy is a risk-based issue, not an IT or security problem. A sustainable privacy program requires a multi-disciplinary approach that incorporates governance, compliance and risk management disciplines from senior management, finance, IT, security, HR and other functional areas.”

GDPR is becoming the de facto standard for privacy regulations in the U.S. and across the globe. “If an organization is compliant with GDPR, the organization is already approximately 90-95% compliant with the California Consumer Privacy Act,” Mike Vanderbilt, director with Baker Tilly’s privacy practice, said. “Working toward a sustainable privacy program enables an organization to pivot and adapt as new regulations unfold.”

Baker Tilly recently held an educational webinar, “The rise of privacy: a risk-based approach to privacy oversight, compliance and management,” providing insight into how organizations can prepare for enforcement, ongoing monitoring and compliance in an evolving privacy regulatory landscape.