



The 1 thing clickbait sites don’t want you to know will leave you breathless

Jun 27, 2017 | 4 mins
Browsers, Data and Information Security, Ransomware

German philosopher Arthur Schopenhauer said that “one can never read too little of bad or too much of good books: bad books are intellectual poison; they destroy the mind.” Take Schopenhauer’s advice – don’t click.

One of the tenets of information security awareness is to have restraint when it comes to clicking on unknown links. This is important as ransomware is becoming a larger threat.

Even though it’s been around for a while, clickbait is seemingly back with a vengeance and not going away anytime soon. Clickbait is web content where the goal is to have the reader view not necessarily the content, but advertisements and offers. The user is drawn to the website with dramatic titles in the hope they will click.

The web is advertisement driven, and legitimate sites provide content with ads. Sites such as Ars Technica, Vox and myriad others are primarily news sites with ads. When it comes to clickbait, the ads and banners are the driver and content is secondary.

How bad is clickbait? Even the Better Business Bureau has an advisory warning of the dangers.

Clickbait sites generally have salacious and histrionic headlines like:

  • 24 rare historical photos that will leave you speechless
  • 20 rare images of the old west that will make your skin crawl
  • History’s rarest images: 50 photos that will stop you in your tracks
  • 25 hidden facts from [TV show] producers tried to keep from the public
  • 25 facts you didn’t know about the movie [name]
  • [TV show name]: astonishing facts revealed about the cast and crew
  • 25 little-known facts about [topic]
  • Your poorest ancestors and the shocking conditions they lived through in life

The telltale sign of a clickbait site is the inability to see all content on a single page. The incessant clicking is meant to spur the user to click on ads or go to another clickbait story.

In “Photos Of Shelter Dogs The Moment They Realize They’re Being Adopted,” seeing pictures of the 31 canines takes 31 clicks. Going through all 31 clicks will bring up close to 1,000 links and images for paid content and other clickbait stories.

The story “Police heard strange noises coming from a shipping crate and couldn’t believe what was inside” takes 20 clicks to read. Each click leads to a page with about 30-40 words and another “Next” screen to click.

Another sign of a clickbait site is that the information is often generic with little added value, and often simply sourced from Wikipedia.

For example, the clickbait story “In 1961 This Little Girl Was Found Adrift At Sea. Decades Later She Revealed The Horrifying Truth” takes 15 clicks to read. The first page details the story of Terry Jo Duperrault. Google that name and one of the first results is a Wikipedia entry and a Reader’s Digest story that can be read in a single click.

Knowing that, many clickbait sites no longer mention the names of the main characters to ensure the reader stays on the page and clicks.

Many clickbait sites also have links to software, which can be sources of adware, trojans, malware and ransomware.

Here are some solutions:

1. Web filtering

Most web filtering solutions to date don’t do a good job of blocking clickbait sites. Given how broadly clickbait is defined, vendors are often reluctant to block such a gray category. So, don’t expect your web filter to be much help.

2. Manual blacklisting

This works, but can be a hassle to maintain. There are thousands of clickbait sites, with new ones continually springing up. Manual blacklists are a solution, but an imperfect and stopgap one at best.

3. Ad blockers

Like blacklists, ad blocking plug-ins and extensions are a partial solution.

4. Facebook

Often Facebook will list a ‘Suggested Post’ which may be a clickbait site. Since Facebook makes money off these advertisers, it doesn’t have an incentive to stop linking to clickbait sites.

5. Awareness

As imperfect as it is, end-user awareness is often the last and best resort. Users need to be trained that reading clickbait stories is generally an utter waste of time. Worse, these sites can be storehouses for malware and ransomware. And as everyone knows, having ransomware is something that will make your skin crawl.
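
One way to ease the upkeep of a manual blacklist is to nominate candidate hosts from web proxy logs using the two telltale signs described above: bait-style headlines and long click-through sequences. This is an added example, not part of the original article; the log record layout, the URL page-counter pattern, the scoring weights and the `.example` hosts are all assumptions.

```python
import re
from collections import defaultdict

# Phrases modelled on the headline styles listed in the article.
BAIT = re.compile(
    r"\b\d+\b.*\b(that will|you didn.t know|little-known|rare)\b"
    r"|\b(couldn.t believe|astonishing|shocking|horrifying)\b",
    re.IGNORECASE,
)
# Trailing page counter such as /slug/7 or ?page=7 (an assumed URL layout).
PAGE = re.compile(r"(?:/|[?&]page=)(\d{1,3})/?$")

# Constructed sample records: (client, host, path, page title).
SAMPLE_LOG = (
    [("10.0.0.5", "bait.example", f"/old-west/{n}",
      "20 rare images of the old west that will make your skin crawl")
     for n in range(1, 7)]
    + [("10.0.0.5", "news.example", "/2017/06/27/browser-patch",
        "Patch released for browser flaw"),
       ("10.0.0.8", "reviews.example", "/tls-facts",
        "25 little-known facts about TLS")]
)

def score_hosts(records, min_pages=5):
    """Score each host: +2 per client that clicked through a long
    slideshow, +1 if any of its page titles looks like bait."""
    pages = defaultdict(set)   # (client, host) -> page numbers seen
    bait_hosts = set()
    for client, host, path, title in records:
        m = PAGE.search(path)
        if m:
            pages[(client, host)].add(int(m.group(1)))
        if BAIT.search(title):
            bait_hosts.add(host)
    scores = defaultdict(int)
    for (_client, host), nums in pages.items():
        if len(nums) >= min_pages:
            scores[host] += 2
    for host in bait_hosts:
        scores[host] += 1
    return dict(scores)

def blacklist_candidates(records, threshold=3):
    """Hosts showing both signs; a human still reviews before blocking."""
    return sorted(h for h, s in score_hosts(records).items() if s >= threshold)

if __name__ == "__main__":
    print(blacklist_candidates(SAMPLE_LOG))
```

Requiring both signals keeps a single list-style headline on an otherwise normal site below the threshold, so the output is a review queue rather than an automatic block list.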


Ben Rothke, CISSP, CISM, CISA is a senior information security specialist at Tapad and has over 16 years of industry experience in information systems security and privacy.

His areas of expertise are in risk management and mitigation, security and privacy regulatory issues, design and implementation of systems security, encryption, cryptography and security policy development.

Ben is the author of Computer Security - 20 Things Every Employee Should Know (McGraw-Hill). He writes security and privacy book reviews for Slashdot and Security Management and is a former columnist for Information Security, Unix Review and Solutions Integrator magazines.

He is a frequent speaker at industry conferences, such as RSA and MISTI, holds numerous industry certifications and is a member of ASIS, Society of Payment Security Professionals and InfraGard.

He holds the following certifications: CISM, CISA, CGEIT, CRISC, CISM, CISSP, SMSP, PCI QSA.

The opinions expressed in this blog are those of Ben Rothke and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.