MAZEPHISHING: THE COVID-19 PANDEMIC AS CREDIBLE SOCIAL CONTEXT FOR SOCIAL ENGINEERING ATTACKS.

Author: Kikerpill, Kristjan
  1. Introduction

    In The Science of Human Hacking, Hadnagy (2018: 7) defines social engineering as "any act that influences a person to take an action that may or may not be in his or her best interests". According to Hadnagy, the definition is broad and general because the use of social engineering is not always negative. For instance, children persuade their parents to play games, parents convince their children to visit the dentist and spouses are coaxed into attending social events. However, the use of influencing techniques and the application of psychological principles also manifests on the dark side of our ubiquitously connected society--in the form of social engineering attacks and, in particular, phishing. Phishing attacks are cyber-attacks "that communicate socially engineered messages to humans via electronic communication channels in order to persuade them to perform certain actions for the attacker's benefit" (Khonji et al. 2013: 2092). Provided that the basic tenet of phishing is to deliver messages that elicit action, various mediums such as e-mails, voice calls (vishing) and text messages (smishing) are employed in carrying out the attacks (Chiew et al. 2018). Alongside the mediums used, phishing attacks are also categorized on the basis of how the attacks target the potential victims, e.g. more elaborate attacks are dubbed 'spear-phishing' or even as 'whaling' when perpetrated against high-level targets such as CEOs (Hong 2012).

    However, between phishing messages replete with grammatical errors (Chiluwa 2019) and meticulously tailored spear-phishing attacks targeting specific individuals exists a swathe of territory populated by 'context aware phishing' (Jakobsson and Myers 2007: 176), i.e. attacks "mounted using messages that somehow--from their context--are expected or even welcomed by the victim". The importance of context in phishing attacks was predicted to increase due to improvements in countermeasures more than a decade ago (Jagatic et al. 2007). Nevertheless, literature pertaining to the analysis of contexts (Greene et al. 2018, Steinmetz et al. 2021) and salient current events that can impact susceptibility to phishing (Verma et al. 2018, Williams and Polage 2018, Kikerpill and Siibak 2021) is currently scarce. In part, this could be because the focus on human-centric solutions to phishing attacks has started to increase significantly only relatively recently (Ferreira and Vieira-Marques 2018). To fill this gap--and propose a specific term for social engineering attacks with a heavy reliance and emphasis on context--our article presents a study of mazephishing. In the tradition of using 'fishing' references when naming social engineering attack types, mazephishing is inspired by the age-old fishing technique of 'almadraba', a term of Arabic origin meaning 'a place to smite' (see Richardson 2007: 56), where fishermen set up complex underwater mazes of nets to catch tunas during their seasonal migration journeys through the Strait of Gibraltar. Thus, a successful catch depends on (1) proper timing, i.e. understanding the reason why fish are on the move in large numbers at certain times, (2) place, i.e. interrupting the tunas' movement at a location and in a manner suitable for the fishermen, and (3) trap-setting technique.

    In our study, we focus on the social context created by the COVID-19 pandemic because no other interpretive backdrop in recent history compares to the disruption in social circumstances created by this disease. The spread of the virus forced an increase in people's reliance on online resources and digital technologies (De et al. 2020, Vargo et al. 2021). From the perspective of cybercriminals crafting social-engineering attacks, a larger number of people using the means of online communication more frequently constitutes a larger pool of readily available potential victims. In fact, researchers noted a substantial spike of 667% in COVID-19 phishing attacks in the first months of the pandemic (Shein 2020). Hence, the COVID-19 pandemic is operationalized as the credible social context, i.e. the 'timing' aspect of mazephishing, in our study. Context has both an interpretive and a constitutive dimension (Rigotti and Rocci 2006), which means that it helps us interpret received messages but also influences how messages are crafted in specific contexts.

    Having fixed the mobilizing social context on the COVID-19 pandemic, our focus in this article is on the 'place' and trap-setting technique aspects of mazephishing, i.e. how cybercriminals attempted to spring their social-engineering traps. For this, we carried out a content analysis of international news media articles (N = 563) from January-April 2020 that reported on and warned about relevant online scams. More specifically, within the overarching salient circumstances created by the COVID-19 pandemic, we analyse (1) what kind of communicative strategies and topics cybercriminals covered, (2) who scammers impersonated for the purposes of perceived source credibility, (3) what types of communication mediums were employed and (4) to what extent the six principles of persuasion suggested by Cialdini (2009) can be used to explain the message content of the sample social engineering attacks.

  2. Theoretical background

    2.1. Salient current events and phishing

    Health crises add a huge burden on the media to keep the public constantly informed (Ogbodo et al. 2020). In fact, previous scholarship (Liu 2020) indicates that the nature of media framing of health information not only helps to form people's understanding of the health crisis, but also shapes people's responses, i.e. influences public behaviour. In short, the media has the power to accentuate or mitigate the crisis depending on the frames adopted in their coverage. Although rumours and questionable information have often been associated with pandemics and crises (Eysenbach 2011), the dramatic increase in the dissemination of bogus information during the COVID-19 pandemic initiated an infodemic that made it possible to create a "fertile information ecosystem for cybercriminals to exploit" (Naidoo 2020: 317).

    Even though the COVID-19 pandemic is unique in its reach and social impact, it is certainly not the first salient current event to be featured as credible social context in fraud campaigns. Examples from recent history include the aftermaths of forest fires in Australia and Portugal, a hurricane in Puerto Rico and an earthquake in Japan (Grad 2020). Health-related social circumstances have been the credible social context in cyberattacks during the Ebola outbreak in 2014, the Zika virus in 2016 and influenza in 2019 (RiskIQ 2020). However, academic scholarship on the connection between salient current events and social engineering attacks has been scarce (Holt and Graves 2007, Greene et al. 2018, Steinmetz et al. 2021), leaving technology news stories, blog posts or reports as the relevant available sources. To some extent, the COVID-19 pandemic has been the exception. In addition to general COVID-19 themed cybercrime overviews (see Pranggono and Arabo 2021), researchers have drawn connections between earlier disease outbreaks, the COVID-19 pandemic and changes in the cyberthreat landscape (Mouton and de Coning 2020), constructed event and cyberattack timelines (Lallie et al. 2020), proposed approaches on how the COVID-19 pandemic influences cybercrime (Naidoo 2020) and analysed the general communicative approaches employed in pandemic-themed social engineering attacks (Kikerpill and Siibak 2021).

    Although social engineering and phishing have received considerable attention in research literature (see Montanez et al. 2020, Nguyen et al. 2020: Appendix A), our current understanding of the specificities of psychological mechanisms or demographics at work in online fraud victimisation remains limited (Button and Cross 2017, Norris et al. 2019). For instance, the relationship between an individual's personality and phishing susceptibility has been considered weak (Sommestad and Karlzen 2019) or inconclusive (Montanez et al. 2020). Additionally, no anti-phishing training tools that actually use adjustments based on people's personality traits have been identified (Jampen et al. 2020). Furthermore, no one demographic is necessarily more or less vulnerable to online fraudulent activity (Button and Cross 2017, Norris et al. 2019).

    Steps to limit the impact of fraud ought to clearly recognise the universal nature of compliance (Norris et al. 2019: 242), including an acknowledgement of the ease with which people can come into contact with cybercriminals (see Kikerpill 2021). Since the basic tenet of social engineering attacks is to elicit compliance and action (Khonji et al. 2013), the observable tool in such compliance-gaining efforts is the transmitted message. Thus, the background of cybercriminals, which is rarely known even to the law enforcement community (Button et al. 2009: 13), or the specific demographic of the victims (see Button and Cross 2017) notwithstanding, it is paramount to further study how influencing and compliance-gaining efforts appear in the messages that connect perpetrators and potential victims. Given that context impacts both the creation and interpretation of such messages (Rigotti and Rocci 2006), its inclusion in any such analysis is crucial.

    2.2. 'Timing', 'place' and principles of persuasion as 'technique'

    The proposed construct of mazephishing emphasises the combination and interplay of two important aspects, i.e. timing and place (context and medium) and technique (action-eliciting message). Scam messages for and in which context is mechanically manufactured, e.g. ail-and-wail stories of fictional widows wishing to part with large sums of money (Kikerpill and Siibak 2019: 57-58), are evidently opportunistic. In that sense, transmitting such messages is akin to setting up elaborate mazes of nets to catch fish that may or may not be swimming towards...
