Disinformation-as-a-Service: Content Marketing’s Evil Twin

Are you tired of all the BS out there on the internet? It's about to get A LOT worse. Dirt-cheap disinformation-as-a-Service campaigns are a thing now. And threat actors can target anyone.

Leveraging fake news for political gains is not new. What IS new is that anyone can now buy these services on the Dark Net for as little as $200. That's right, for just 200 bucks, you can have a professional disinformation campaign launched against your target.

What is Disinformation-as-a-Service (DaaS)?

Disinformation-as-a-Service (DaaS) is a new model of information warfare where anyone can buy fake news and misinformation campaigns and spread them across the internet. DaaS is made possible by a network of professional trolls, bots, and other online manipulation tools readily available for hire.

DaaS providers make it easy and affordable for anyone - from political campaigns to businesses to ordinary citizens - to wage information warfare. All you need is a credit card and an internet connection.

With DaaS, malicious actors don't need to create false news stories - they can outsource the work to professional disinformation services. It's like a PR agency from hell, created to ruin reputations instead of building them up.

What's even scarier is that these services are becoming more and more sophisticated. DaaS providers can create entire fake news ecosystems, with websites, social media accounts, and even video footage - all designed to spread their lies far and wide.

It gets worse.

The campaigns are dirt-cheap. So if you thought the internet was a cesspool of misinformation before, just wait - it's about to get a lot worse.

What kind of goals can these campaigns achieve?

The goals of these campaigns can vary, but they typically fall into one of two categories: financial gain or reputation damage.

• In the case of financial gain, the attackers may be looking to manipulate stock prices or spread false information about a company to drive down its value.
• In the case of reputation damage, the attackers may be looking to destroy someone's credibility or cause embarrassment. For example, they may spread false rumors about an individual or organization or release sensitive information obtained through a breach.

Imagine you're a small business owner. You get into a disagreement with a supplier, things get heated, and they decide to launch a DaaS campaign against you: they create fake news stories saying that your products are unsafe and spread them across the internet. They might even create a fake website like yours and fill it with negative reviews. And since these services are becoming more sophisticated, they might even create deepfake videos of you saying things you never said.

By the time you realize what is going on, your reputation is in tatters. And the sad thing is, there's not much you can do to defend yourself. Even if you manage to track down the source of the disinformation and get the fake stories taken down, the damage has already been done. And your supplier can claim that they had nothing to do with it - after all, it's nearly impossible to prove that they did.

And that's just one example. There are endless ways businesses can be targeted by DaaS campaigns - from competitors to disgruntled employees.

Whatever the goal, there's a service: deep fakes, AI-generated fake news, paid influencer campaigns, and good old-fashioned human-created false stories are all up for sale.

The bottom line is this: if you're doing business online, you need to be aware of the risks posed by DaaS campaigns. Disinformation is a serious threat, and it will only become more common in the years to come.

The DaaS ecosystem

The DaaS ecosystem is complex and ever-evolving, making it difficult to track and counter. This is made even more challenging by the fact that many of the players involved are located in countries with little or no regulation.

Here's a quick overview:

• Troll Farms: These professional operators generate fake news and other forms of online disinformation. They are often located in countries with lax laws and little regulation, such as Russia and China.
• Bots: Automated accounts that spread fake news and other forms of online disinformation. They can be used to create the false appearance of consensus or to silence dissenting voices.
• Fake News Sites: Websites that publish fabricated stories designed to deceive and mislead. They often mimic mainstream news sites in order to gain trust and credibility.
• Social Media Platforms: Digital platforms that allow fake news and other forms of online disinformation to spread. They include Facebook, Twitter, and YouTube.
• Influencers: Social media users with large followings can be leveraged to spread disinformation.
• The Dark Net: The Dark Net is home to a number of marketplaces where DaaS services can be bought and sold. These marketplaces are anonymous, making it difficult for law enforcement to track down the people behind them.

The anatomy of a DaaS attack

According to Trend Micro, DaaS attacks follow a similar pattern:

1. The attacker identifies their target. This could be a political opponent, a business rival, or even an ordinary citizen.

   
   

2. The attacker hires a DaaS provider to spread disinformation. This is usually done through a marketplace on the dark net. And the price is cheap.

   
   

   According to The New York Times expose of a Chinese propaganda campaign, fake social media accounts are run for as little as 5,000 RMB/month (~$785).

   
   

   Wired, referencing Trend Micro, detailed the following costs for a DaaS campaign:

   -Create a fake 'celebrity’/influencer social media account – $2,600

   -Discredit a journalist – $55,000

   -The 12-month political campaign to change people's opinions – $400,000.

   
   

   These numbers are well within the budgets of many medium size companies, and the prices keep getting cheaper.

   
   

3. Reconnaissance: The DaaS provider gathers information about the target and analyzes the target audience. Then they select a “Key Story” (i.e., the version of facts to be spread to the target audience) and work out background stories supporting this key story. DaaS customers can pick from a menu of options: articles, blog posts, videos, social media posts, social media accounts, and bots for spreading and amplifying the message, deep fake audio recordings, and deep fake video footage.

   
   

4. Delivery: the disinformation is spread across social media and other digital platforms.

   
   

5. Exploitation: Controlled, targeted promotion among small but active groups of supporters.

   
   

6. Persistence: The goal is to achieve persistence by having the target audience actively promote the story on their own

   
   

7. Sustainment: After establishing the key and supporting stories, attackers will keep the activity outstanding. At this stage, they will assess metrics to see if the operation was successful and examine lessons learned to help increase the success of future campaigns.

   
   

8. Actions on object: Choose or prepare to carry out actions due to the changed public opinion. For example, they can call for a boycott of a specific company’s products.

   
   

Remove traces: Distract the public to get them to switch their attention to another topic, blurring what happened and minimizing civil disturbance.

Why organizations should care about DaaS campaigns

While DaaS is widely associated with fake news and politics, the reality is that any organization can be targeted by a DaaS attack.

This was highlighted in a report by PwC, which found that businesses were the second most common target of DaaS attacks (after governments).

Organizations should be aware of DaaS campaigns for a number of reasons:

• Reputational damage: DaaS campaigns can damage an organization's reputation by spreading fake news and other forms of online disinformation. This can lead to lost customers, investors, and partners.
• Stock price manipulation: This was seen in the case of the Pfizer/BioNTech vaccine, where a fake news story caused a significant drop in the stock price of both companies.
• Financial loss: DaaS attacks can also be used to manipulate stock prices. This was seen in the case of the Pfizer/BioNTech vaccine, where a fake news story caused a significant drop in the stock price of both companies.
• Legal liability: Organizations can be held liable for the spread of fake news and other forms of online disinformation. This is especially true if the organization is seen as contributing to the problem.
• Operational disruptions: DaaS campaigns can disrupt an organization's operations by overwhelming its systems with false information. This can lead to lost productivity and revenue.

How to protect yourself from DaaS campaigns

Unfortunately, like with pretty much everything in cybersecurity, there's no silver bullet. But there are some things you can do to lessen the chances of falling victim to a DaaS attack, such as:

• Evaluate risk: Organizations should evaluate their risk of being targeted by a DaaS campaign. This includes assessing the organization's vulnerabilities and the motivations of potential attackers.

• Automate social media monitoring: Organizations should monitor social media for signs of DaaS campaigns. This includes looking for fake news, doctored photos, and audio recordings. Working in tandem with the PR and marketing departments is the key here.

• Encourage employees to report suspicious activity: Organizations should encourage their employees to report any suspicious activity they see online. This includes fake news, doctored photos, and audio recordings.

• Implement technological solutions: Organizations can implement technological solutions to protect themselves from DaaS campaigns. This includes using social media monitoring tools and content filters.

• Support fact-checking efforts: Organizations can support fact-checking efforts by funding organizations that combat fake news and other forms of online disinformation.

• Create a recovery plan: Organizations should create a recovery plan in case they are targeted by a DaaS attack. This includes having a way to quickly identify and remove fake news and other forms of online disinformation.

• Invest in reputation building: Organizations should disseminate accurate information about the organization and its products and services. This includes using social media, news outlets, and other channels to correct false information and build a strong brand reputation. Having an agile PR and marketing team is key here.

• Take legal action: Organizations can take legal action against attackers who engage in DaaS campaigns. This includes filing lawsuits and working with law enforcement.

  
  

While there's no foolproof way to protect against DaaS campaigns, taking these steps will help lessen your organization's chances of being targeted.

Prepare for the worst

Managing reputation is an ongoing effort, and the rise of disinformation as a weapon makes it more important than ever. Don't wait until you're under attack to start preparing. Be proactive and take steps now to protect your organization against disinformation campaigns. Make sure you have a plan in place and the right people on your team to execute it.