
Clickbait scams: Curiosity swindled the cat

Clickbait scams use media strategies to fool their victims

Clickbait scams generate interest in people with surprising or alarming news to get them to click on malicious links

“Could the Golden Gate collapse?”, “The surprising news released by Real Madrid”, “In which sunny city will the next Olympic Games be held?”… You are probably used to coming across headlines that withhold the most relevant aspect of a news item and instead try to get you to click on the link. This practice, traditionally used by the media, maximizes the sensationalism of the headline or presents an unrealistic offer. It is called clickbait, and its purpose is to increase visitor traffic to the content behind the link.

Each click to these web addresses is monetized through advertising, hence the importance of attracting the reader’s attention. However, the greatest risk lies in fake websites promoting phishing scams or even spreading malware.

Another problem associated with these websites is that they often run obsolete or unpatched software, which makes them easier to compromise. Therefore, even if the initial clickbait was not designed to commit fraud, visiting the site can still put the reader at risk if the site itself has been compromised by a third party.

Such has been the expansion of its use in recent years that the word “clickbait” became part of the Oxford English Dictionary in 2016.

Below, we will unravel the keys to clickbait scams and how to prevent them because, no, the title of this article is not clickbait.

1. Where do clickbait scams start?

The natural habitat of clickbait scams is social networks. The media, public administrations, companies and citizens are constantly sharing web pages on platforms like Facebook, LinkedIn, Instagram or X.

X is the most widely used application for clickbait fraud, as it has become the social network for information par excellence over the years.

For example, during the DANA crisis that devastated Valencia, the Transport Minister’s messages on X, informing people about the works to repair the damaged infrastructures, became famous.

Thus, when millions of people want to keep up to date with what is happening in the world, learn about the latest controversial events or find out about events that are taking place, they turn to X for information.

Cybercriminals know this and exploit people’s need for information, or their curiosity about news they have not yet heard, to deceive them through this platform.

Beyond social networks, malicious actors can combine clickbait scams with other social engineering techniques such as SEO poisoning. To what end? To get malicious websites to appear in the top positions of search engines such as Google or Bing, while the headlines create the urge to click on them.

It is also possible to commit clickbait fraud through phishing, smishing, or sending messages through instant messaging applications such as WhatsApp or Telegram, although citizens are less inclined to click on them.

2. How are victims seduced?

The operation followed by cybercriminals when carrying out clickbait scams on social networks is very simple.

2.1. They create fake social network profiles

Malicious actors create profiles on social networks from scratch and fill them with content so as not to arouse users’ suspicions and to gain their trust.

These profiles sometimes impersonate companies, public institutions and well-known individuals to lend greater credibility to their posts and the pages they share.

In addition, the possibility of criminals hacking into social network accounts to take control of legitimate profiles and use them to commit clickbait fraud and other types of scams must also be considered.

2.2. They create the posts

The next step of the clickbait scam operation revolves around elaborating the content to be shared. How the malicious website is previewed on platforms such as X or Facebook and the accompanying message, which should generate the desire to click on the link, is fundamental in this regard.

2.2.1. Communication strategies

Since clickbait requires a significant volume of visits, these sites often use the following communication strategies to increase their traffic:

  • Sense of urgency. For example, presenting a story as breaking news that the reader must see right now.
  • Ambiguity. Use vague titles that encourage people to want to know more about the issue.
  • Emotional manipulation. Messages appeal to our deepest emotions such as fear, passion, hatred or hope. In this way, victims are encouraged to click in an unreflective way.
  • Sensationalism and surprising images. One of the latest clickbait scam campaigns detected on X involves a malicious website’s preview image that looks like a video or image to which X has applied its sensitive content filter. When X users click on the image to disable the filter, they are redirected to malicious websites. In this campaign, victims were lured using a major earthquake in Japan and a Ukrainian invasion of the Russian city of Kursk as bait.
  • Obtaining a special offer or discount, also known as malvertising. There are few things we humans love more than bargains. That is why many clickbait scams promise victims exclusive discounts if they click on links. This type is common when it comes to committing cryptocurrency scams.

An alternative to creating posts is the publication of comments on the content shared by the media. Such comments provide additional information to the news, such as alleged videos or photographs of an event that can be viewed by clicking on the link.

Clickbait scams are a combination of communication strategies and techniques

2.2.2. Technical strategies

However, technical strategies are also used to maximize traffic or mask the action behind the purported communication. Some examples are:

a. Use of content distribution platforms

To disguise the intended purpose, one of the most commonly used methods is so-called “native advertising”. This involves dressing the advertisement’s content in the visual appearance of the site on which it appears or of a reputable media outlet. The objective is to make it difficult for the eventual reader to discern whether it is official content or not.

b. Impersonation

It is very common to detect publications of this type that impersonate third parties, organizations or media outlets to lend greater credibility to the content the reader is meant to open.

c. Clickbait masked in PDFs

The risk of downloading PDFs from suspicious sources, traditionally sent via email, is well known. The novelty in this case is the use of non-benign PDFs presented as legitimate when we do ordinary searches, for example, linked to an instruction manual, an official form that needs to be filled in or a recently published report.

This strategy is enhanced by how commercial browsers currently work, which allows PDFs to be viewed in an integrated way, opening them as if they were a web page. This functionality is especially confusing for unsuspecting users.

d. Exploitation of third-party website vulnerabilities

Although this action requires technical knowledge, more and more news sites are affected. To exploit vulnerabilities in these websites, it is necessary to know the details of the web stack: the set of software involved in delivering the site, such as the operating system, the web server, the programming language or the database software. Knowing this information allows fraudulent actors to identify whether any of these technologies are outdated, a scenario that makes it easier to find vulnerabilities and exploits with which to compromise the site.

This technique, coupled with the fact that ad-supported sites tend to run outdated software and neglect updates, makes them and their readers more vulnerable to phishing, malware and other attacks.
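The fingerprinting described above starts with what a site announces about itself. The following script is an added example, not code from the original article: it parses a raw HTTP response and lists every product/version pair disclosed in headers such as Server and X-Powered-By, so a site operator can see what an outsider learns from a single request and confirm that each listed component is patched. The response text and the list of disclosing headers are constructed assumptions for the demo.

```python
"""Flag stack/version disclosure in HTTP response headers (added example)."""
import re

# Headers that commonly reveal stack components. This list is an assumption
# for the demo; extend it with whatever your own stack emits.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Hardening headers whose absence is worth noting alongside the disclosure.
HARDENING_HEADERS = ("content-security-policy", "strict-transport-security")

# Matches tokens like "Apache/2.4.29" or "PHP/7.2.24" inside a header value.
VERSION_RE = re.compile(r"([A-Za-z][A-Za-z0-9_.+-]*?)/(\d+(?:\.\d+)*)")


def parse_headers(raw_response: str) -> dict:
    """Return a lowercase-keyed dict of the headers in a raw HTTP response.

    Only the head (everything before the first blank line) is parsed and
    the status line is skipped. Repeated headers are joined with ', '.
    """
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    headers = {}
    for line in head.splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def disclosed_components(headers: dict) -> list:
    """Return (header, product, version) triples found in disclosing headers."""
    found = []
    for name in DISCLOSING_HEADERS:
        if name in headers:
            for product, version in VERSION_RE.findall(headers[name]):
                found.append((name, product, version))
    return found


def assess(raw_response: str) -> dict:
    """Summarise what a single response reveals about the stack."""
    headers = parse_headers(raw_response)
    components = disclosed_components(headers)
    return {
        "components": components,
        "discloses_versions": bool(components),
        "missing_hardening": [h for h in HARDENING_HEADERS if h not in headers],
    }


# Constructed sample response: an outdated-looking LAMP stack that leaks
# exact versions. The values are illustrative, not from any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    report = assess(SAMPLE_RESPONSE)
    for header, product, version in report["components"]:
        print(f"{header}: {product} {version}")
    print("missing hardening headers:", report["missing_hardening"])
```

Run it against a saved response from your own site (for example the output of curl -i) rather than against third parties. Each product/version it prints should be compared with the vendor's current release; the fix is both to patch and to stop emitting the version string, since the disclosure is what turns a generic scan into a targeted one.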

e. Use of generative AI applications

Although their use is new, it is increasingly common to use tools such as AIPRM or Jasper to automate the generation of content already optimized under SEO parameters, thus resulting in increased traffic to the site.

2.3. Redirecting users to fake and dangerous sites

The operation is similar across the other channels used to commit clickbait fraud. In the case of phishing, criminals impersonate well-known companies, create emails that catch the victims’ attention and are consistent with the identity of the impersonated company, and finally redirect them to fake websites.

3. What happens after clicking?

At this point clickbait scams work in the same way as many other social engineering techniques: victims land on fake pages where:

  • They are asked to enter login credentials for legitimate platforms and applications whose identity has been spoofed.
  • Users are asked to provide personal information that can be of great value for future attacks.
  • Victims are led to download a file that is infected with malware.
  • Victims are persuaded to install browser extensions that appear legitimate, for example, to view a supposed video, but are actually malicious.

In this way, the criminals behind clickbait scams can accomplish their goals:

  • Take control of citizens’ and companies’ social media accounts.
  • Illegitimately access personal or corporate applications such as email clients or work environments.
  • Enter banking applications or online accounts and commit financial scams.
  • Trick users into making payments on investment platforms or purchasing products on fake e-commerce sites.
  • Use ransomware to hijack personal or business information, demand a ransom and trade the data on the Dark Web.
  • Use spyware to spy on users of infected devices.
  • Collect information that could be useful for future attacks against citizens and companies.

Thus, an action as inconsequential as clicking on a post on social networks can end up causing a serious security incident, not only for the person who clicked on it but also for the company they work for.

Online fraud against businesses and professionals is on the rise

4. Hugh Jackman is not going to give you investment advice

If the dangers associated with fake news and clickbait scams were not serious enough, a factor that further complicates scam detection has come into play: generative AI.

Artificial Intelligence systems such as ChatGPT, Midjourney or Sora open up many possibilities for companies and professionals to perform their functions. But they also bring with them undesirable consequences. Criminals can use generative AI to perform voice and image deepfakes or generate illustrations and texts that can be used to deceive users of social networks.

For example, in Australia this year, a clickbait scam campaign was detected that impersonated famous people such as actor Hugh Jackman using AI-generated deepfakes.

In these deepfakes, the actor, famous for playing Wolverine in several films, appeared to recommend investing in fraudulent investment platforms that required an upfront payment. Users were then tricked into paying ever more in exchange for returns that never materialized.

5. What basic recommendations can citizens and companies follow to avoid clickbait scams?

The best recipe against social engineering attacks combines common sense and prudence.

Social networks are part of our daily lives and have become important business tools for companies.

Criminals know this, so they see these platforms as a thriving ground for scams such as clickbait scams. Therefore, it is essential that citizens:

  • Do not click on links that come from accounts they do not know.
  • Read social media posts carefully and evaluate whether they face fake news.
  • Confirm possible news of great relevance in reliable media before clicking on a suspicious link.
  • Leave immediately without taking action if a social media post takes you to a web page you are unfamiliar with or asks for information such as login credentials.
  • Avoid downloading any file or installing an extension from a website accessed through a social media post.
  • Watch videos and images carefully to detect possible deepfakes.
  • And always remember: there is no such thing as a bargain.
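Several of the recommendations above can be turned into a quick triage that a helpdesk or SOC runs on a link pasted from a post before anyone opens it. The following is an added example and not the article's own code: it checks a URL for the red flags the article describes (impersonation of a known brand through a lookalike domain, PDF links, URL shorteners, raw IP addresses, login-related paths) and returns the flags plus a coarse risk level. The brand list, shortener list, keyword list and thresholds are assumptions for the demo, and the sample URLs are constructed.

```python
"""Triage a link from a social-media post before it is clicked (added example)."""
from urllib.parse import urlsplit
import difflib

# Brands the organisation wants to protect (assumed list for the demo).
KNOWN_BRANDS = {"realmadrid.com": "Real Madrid", "example-bank.com": "Example Bank"}
# Common URL shorteners (assumed list); a shortened link hides its destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}
# Path/query words that suggest a credential-harvesting page (assumed list).
LOGIN_WORDS = ("login", "signin", "verify", "account", "password")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels of the host.

    A real deployment should use the Public Suffix List; this is enough for
    the constructed samples below.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_brand(host: str, domain: str):
    """Return the protected brand this host imitates, or None.

    Flags a brand name embedded anywhere in the host (realmadrid-news.com,
    example-bank.com.evil-host.net) and near-misses of the registrable
    label (rea1madrid.com) using a similarity ratio; an exact match to the
    brand's own domain is not a lookalike.
    """
    if domain in KNOWN_BRANDS:
        return None
    label = domain.split(".")[0]
    for brand_domain, brand in KNOWN_BRANDS.items():
        name = brand_domain.split(".")[0]
        if name in host:
            return brand
        if difflib.SequenceMatcher(None, label, name).ratio() >= 0.8:
            return brand
    return None


def assess_link(url: str) -> dict:
    """Return the red flags found in a URL and a coarse risk level."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    path, query = parts.path.lower(), parts.query.lower()
    is_ip = host.replace(".", "").isdigit()
    flags = []
    if parts.scheme != "https":
        flags.append("not_https")
    if is_ip:
        flags.append("raw_ip")
    if "xn--" in host:
        flags.append("punycode_host")
    if domain in SHORTENERS:
        flags.append("url_shortener")
    if not is_ip and host.count(".") >= 3:
        flags.append("deep_subdomain")
    brand = lookalike_brand(host, domain)
    if brand:
        flags.append(f"lookalike:{brand}")
    if path.endswith(".pdf"):
        flags.append("pdf_link")
    if any(w in path or w in query for w in LOGIN_WORDS):
        flags.append("login_keywords")
    risk = "high" if len(flags) >= 2 else ("medium" if flags else "low")
    return {"url": url, "domain": domain, "flags": flags, "risk": risk}


# Constructed sample links, one per pattern the article describes.
SAMPLE_LINKS = [
    "https://www.realmadrid.com/news",
    "http://realmadrid-news.com/video/login.php",
    "https://cdn.files.example-bank.com.evil-host.net/statement.pdf",
    "https://bit.ly/3abc",
    "http://203.0.113.5/x",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = assess_link(link)
        print(f"{result['risk']:6} {link}  {result['flags']}")
```

A "low" result is not a clean bill of health; it only means none of these cheap, offline heuristics fired. The value of the check is the "medium" and "high" results, which give the person holding the link a concrete reason to confirm the story in a reliable outlet first, as the recommendations above advise.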

For their part, companies can have a protocol of good practices in using social networks to prevent their employees from clicking on malicious links while at work or when using corporate devices.

They can also commission a social engineering test to check their resilience to clickbait scams and train their staff to be prepared to deal with them.

6. What role does cyber intelligence play in the fight against social engineering?

As we have been pointing out throughout this article on clickbait scams, two of the most common strategies of malicious actors are:

  • Hacking social network accounts to take them over and employ them in a criminal manner.
  • Impersonation of popularly known and prestigious companies.

In both cases, clickbait frauds directly affect companies even if they are not the target of the scams. How can they fight against this fraudulent activity? Cyber intelligence services are key in quickly identifying fraud cases and obtaining critical information about them: campaigns that have been launched, hostile actors behind them, the technology they use along the way, and behavioral patterns.

Thus, the information obtained and analyzed by cyber intelligence professionals is critical to blocking clickbait fraud campaigns early and preventing them from damaging corporate reputations and harming companies’ customers.

However, it is not only a matter of avoiding the direct impact but also warning of frauds associated, for example, with advertisements, since the illegitimate impersonation of the organization can also lead to loss of trust and other reputational impacts.

In short, clickbait scams represent a new twist by cybercriminals when it comes to deceiving and defrauding citizens and companies. Fake news is no longer just a socio-political problem; it also directly threatens citizens and the business community.


This article is part of a series of articles about Social Engineering
