Lies proliferate on social media, and it is even harder to sift out truth from fiction when it looks like the message is coming from a real person. Mix in some uncertainty as to whether the falsehood is part of a deliberate campaign to hurt the company or just typical online shenanigans, and it’s the beginnings of a security headache.
Dealing with false claims posted on social media or other online platforms falls under online reputation management and is generally the responsibility of marketing or public relations, not traditional security. And while disinformation is getting a lot of attention in security circles, the discussion primarily tends to be in the context of election security. However, hacking social media accounts, or creating fake accounts, to post false messages about a company is absolutely a disinformation campaign and warrants at least some kind of a discussion within the security team.
“We are seeing more instances of individuals and groups using disinformation tactics to target companies, which is much more than a brand issue,” said Cindy Otis, director of analysis at Nisos.
Earlier this week, a Twitter account belonging to an English professor posted that Olive Garden was one of the companies “funding Trump’s election in 2020” and suggested that people should stop going to the restaurant. As is fast becoming common whenever politics and well-known brands collide, Twitter users responded with calls for a boycott. Over a two-day period, the #BoycottOliveGarden received more than 52,500 mentions (including tweets, quote tweets, and retweets) by 48,700 users, and had a reach of 139.4 million and 169.4 million impressions.
The initial message was false.
“We don’t know where this information came from, but it is incorrect. Our company does not donate to presidential candidates,” the restaurant chain posted on its social media channels over and over again, trying to counter the boycott messages. When the speculation switched to the restaurant’s parent company, Olive Garden added, “To clarify, Darden does not donate to federal candidates.”
While this looked like just another day of social media monitoring and political discord on Twitter, there was a twist: the person was not responsible for the initial message.
A Cascade
About a day after the initial message was original posted, the owner of the account said someone had compromised the Twitter account and posted that false detail about Olive Garden. The original message was removed and the account owner tried to set the record straight, but lies spread much more readily on social media than truth. And once a lie gains traction, it is really hard to debunk it.
“Social media posts like this were often the initial stages of a cascade,” said Greg Young, vice-president of cybersecurity at Trend Micro. The more legitimate an account appears, the more likely that the message will get amplified. A compromised account—such as that of an established English professor—is the “perfect seed,” Young said.
While disinformation campaigns frequently rely on a bot army or a network of fake accounts to post and spread the false content, a Massachusetts Institute of Technology research found that false reports get retweeted more by humans than bots. This is the cascade Young mentioned—as the false information percolates through the platform, the legitimate uncompromised accounts increase the campaign momentum as regular people start pushing the content.
“The idea was to get the ball rolling in order for the natural effects of a social network to take the planted message and make it trend,” Young said.