The Cheap and Devastating “Mechanisms of Persuasion” of a Futurist Cybercriminal Attack Model



Written by Tim Pappa, Senior Behavioral Consultant

WARNING: This blog post may contain references to child abuse and the mistreatment of children. These topics can be deeply distressing or triggering for some readers. Please proceed with caution and prioritize your emotional well-being. If you or someone you know is affected by these issues, consider reaching out to a support organization or professional for help.

Introduction

The arrest and extradition to the United States last month of Maksim Silnikau aka Maksym Silnikob aka J.P. Morgan was widely reported, noting that his strains of Reveton and Ransom Cartel demonstrated one of the first ransomware-as-a-service business models.

Much of the reporting and his federal indictment have focused on his and his co-conspirators’ use or lease of malvertising to transmit scareware and malware to victims’ devices or systems.

But there was only brief mention of one of the techniques used related to deployment of one of these malware strains – victims of Reveton would receive messages claiming to be from law enforcement, accusing them of downloading undefined child abuse content and threatening and demanding significant fines to avoid arrest and imprisonment. 

This scam would result in nearly half a million dollars extorted from victims every month between approximately 2012 and 2014.  In at least one known example, a victim took his own life and his son’s life out of fear of going to jail.

This scareware version of extortion may have influenced victims in a manner like sextortion.  Sextortion is generally understood to involve an offender possessing or coming into possession of a victim’s nude content and threatening to release or share that content with others unless they are paid or provided with additional content from the victim.

In this scenario involving Reveton, victims may or may not have been involved in downloading explicit images of children, but the fear of exposure was likely similar to what a victim might experience if they were being extorted based on their own nude or sexual content.

There have been other recent unrelated versions of this sextortion-like approach.  As an example, victims were emailed and addressed by name with a message from an unknown cybercriminal claiming to have possession of explicit webcam footage or explicit browsing history of the victim.  The email message included a Google Maps photo of their home and a demand for thousands of dollars in payment, with the threat that the content would otherwise be released to the victim’s friends and family.

There has also been increasing reporting on Nigeria-based cybercriminal rings targeting teenagers with sextortion, which has led to some of those teenagers taking their own lives.

These are not necessarily sophisticated technical approaches to victimizing people and networks, but they can be devastatingly effective with minimal effort.

In this article, I will briefly explore a historical case of prisoners from a decade ago masquerading with fake dating profiles as underage women to sextort military personnel, but within a context of cyber threat.  I will also introduce some of the relevant research on behavioral models of fear appeals and shame and how both can motivate different cultures.

This article suggests there are models of shame and fear that will likely continue to be weaponized in a cyber threat sextortion context with minimal infrastructure or skills required.  This may be a futurist anticipated shame cybercriminal attack model that could become more lucrative for cybercriminals than anything we have seen.

How sextortion makes everyone vulnerable

Nearly a decade ago, dozens of South Carolina prisoners and accomplices used contraband cellphones to extort hundreds of thousands of dollars from more than 440 military personnel.  They masqueraded mostly as women sending nudes, then revealed they were underage women, and then masqueraded again as the underage woman’s father until the military victim wired money.  The masquerading father would threaten to report the nudes to the military or law enforcement.  Many of these inmates were in jail related to prior armed burglary and assault convictions.

Many of the victimized military personnel were combat veterans who were married with children and who were also struggling with complex behavioral health issues such as post-traumatic stress disorder (PTSD), depression, and substance abuse disorder.

Several victimized military personnel committed suicide, sometimes moments after contact.

While I am describing what could be characterized as a particular American military cyber victimology, the effect of this kind of cyber-attack could be broadened.

Sextortion can take many forms, but generally involves the use of compromising personal nude images to coerce victims to share more images or send money, for example.

Online criminologist Cassandra Cross found that in many cases of sextortion, the offender may not possess any explicit images, but the offender influences the perception of the victim that they do have those images or content.  What makes sextortion unique is that this extortion is often unknown to people in a relationship with the victim.  Offenders use shame to intimidate their victims and discourage them from reporting the crime.  This is also a way to isolate a victim.

The possible forms of psychological distress for every victim, whether they are running a company or are a network administrator, are dynamic and different for everyone, but that suggests these are difficult to protect against or regulate.

The futurist model proposed in this article could include not only cybercriminals but nation state and non-state attackers as well.  The origin of the attacker is less important than the ease of victimizing people with limited infrastructure or technical skills.

Perhaps another surprising finding is that males and younger males are increasingly considered to be the most common sextortion victims, which largely reflects the information security population.  These are likely the kind of victims we might find defending networks of interest.

Exploring the dynamic range of “mechanisms of persuasion”

There is a range of broad taxonomies or types of negative affect like fear to characterize how affect and information processing influence people and how the use of these “mechanisms of persuasion” can drive compliance in anyone.

Fear and how fear can be framed as a fear appeal is one example of the kind of negative affect that can act as “mechanisms of persuasion” to motivate behaviors in response by victims.

Communication and social influence researchers Robert Gass and John Seiter found that the relationship between fear intensity and persuasion is generally positive and linear, meaning the greater the fear and the greater the perception of someone experiencing that fear the more likely they will be motivated to fulfill the objective or request of a fear appeal. This may be surprising, considering fear may be generally thought of as an avoidant emotion.

There are other considerations in every context, but generally these include someone’s perception of how vulnerable they are and how specific and plausible the directions are. 

Guilt is another example of a motivating emotion that someone can use to influence behavior.  Communication researcher Daniel O’Keefe found that there is an interpersonal character to guilt because the feeling of guilt is generally associated with hurting or anticipating hurting someone we are in a relationship with, which could be the case in an example where a cybercriminal is sextorting a victim and threatening to disclose to his or her significant other something explicit.  Guilt is strongest as a mechanism of persuasion in the context of committed relationships.

O’Keefe also found in his research that the influence of anticipated guilt can also intensely shape behavioral intentions and decisions.  While there are limitations to anticipating what kind of framing of anticipated guilt will influence someone’s behavioral intentions or decisions, he suggested that anticipated guilt could still have the same kind of influence on someone as actual guilt feelings. 

Someone can anticipate feelings of guilt but still not yet experience guilt.  Thinking about risky behavior and potential outcomes or losses heightens that anticipated feeling.

This is an abbreviated introduction to some of these “mechanisms of persuasion”.  This research literature is vast and multi-disciplinary, but rarely is it explored in the context of cyber threats.

Vulnerable to a futurist anticipated shame cybercriminal attack model

Psychologists Charles Abraham and Paschal Sheeran defined anticipated regret as beliefs about whether someone will experience feeling regret after making a choice especially if they will likely find out what the result of the other choice would have been.

Abraham and Sheeran noted that anticipated affective reactions are more important for behaviors with negative rather than positive consequences.  Anticipated regret could encourage people to take risks they would not ordinarily take, because of the fear of inaction and the consequences of not making a choice.

Psychology researcher and PTSD expert John Wilson reviewed the concepts of shame and guilt in the context of people who have experienced psychological trauma and related stress disorders, finding that for many people any traumatic experience of shame and guilt is compounded by affective processes related to depression or substance abuse, for example.

Wilson referred to established work in shame that characterized core states of shame as almost a “preoccupation and near obsessive concern” when there is real or imagined judgment of shame.  Experiences of extreme humiliation or the threat of that anticipated humiliation and shame can lead to a sense of “soul-death” or a sense of being lost.  The dimensions of shame can lead people to fantasize about taking their own life and sometimes actually taking their own life, which may provide some perspective on the American military personnel who took their own lives.

Wilson emphasized that shame is complex because there are multiple compositions of possible “cognitive emotional structures” resembling a range of emotions and mostly negative affect.  These compositions should be considered within contexts of culturally defined roles and values.

All of this means that as different as everyone is, everyone is vulnerable to this kind of approach, especially if we consider the realities of cybercrime industries that suggest most cybercriminals have fewer skills and less infrastructure to attack victims than the public believes.

That potentially means there is a larger population of cybercriminals, or rather criminals who lease out the services and infrastructure they need, who could plausibly conduct this kind of attack approach, because just suggesting this shame to a victim can get you paid.

My article, comments, and opinions are provided in my personal capacity and not as a representative of Walmart.  They do not reflect the views of Walmart and are not endorsed by Walmart.
