Cybercriminals are getting creative during the Covid-19 social-distancing measures, taking advantage of popular video-conference tools such as Zoom to strengthen their pitch in a fresh sextortion scam.
Bitdefender Antispam Lab spotted a new cyber-extortion campaign that has seemingly spread across the globe over the past week. The campaign targeted a quarter-million recipients, mostly in the United States, starting October 20.
The subject line ostensibly reads “Regarding Zoom Conference call,” to make sure you do not disregard the message.
“You have used Zoom recently, like most of us during these bad COVID times,” the scammers said. “And I have very unfortunate news for you.”
Indeed, many remote workers, students, teachers and families have used Zoom during the past year to connect, work or do business, creating a large pool of potential victims for the hoax.
“There was a zero day security vulnerability on Zoom app, that allowed me a full time access to your camera and some other metadata on your account,” the message continues. “I found a few interesting targets through random lookups. You were just unlucky to be on the list.”
The extortionist has clearly done his homework. Multiple zero-day vulnerabilities have been reported this year, including some that even allow a full takeover of devices. Moreover, the company which announced over “300 million daily Zoom meeting participants,” has been in the spotlight for quite some time, making headlines with topics ranging from Zoom-bombing in online classrooms to phishing campaigns to steal login credentials from users.
Moving forward, the extortionist reveals his actions, hinting at the keynote of the entire message.
“After that, I did some creepy stuff and a few recordings, just for fun and to test a few things,” the scammer adds. “And as you can imagine in your worst dreams, this happened. I have made a recording, where you work on yourself.”
There is nothing unique in this extortionist’s methodology, except for his need to make up excuses for his deeds by blaming the “stupid virus.” He even apologizes and attempts to exploit your empathetic side by claiming he lost his job and is about to be evicted.
“Please dont blame me or yourself for this, I didn’t have any bad intentions,” he said. “I got very sick, lost my job, about to be evicted and have no money to survive. All of this because of the stupid virus. I’m sorry. I have no other choice.”
This extortionist gests additional creativity points by also mentioning the Jeffrey Toobin Zoom scandal, in which the top legal analyst from CNN unknowingly exposed himself in front of co-workers during a Zoom conference.
“I do not want you to be the next Jeffrey Toobin,” he adds. “I’m sure you don’t want to be embarrassed. And I dont want to make this video public so your friends and colleagues can see it.”
The deal is you have three days to pay $2,000 in bitcoin unless you want the “video” revealed to your close family and workplace. He says the amount is non-negotiable and promises to delete the sensitive file once payment is received in his bitcoin wallet.
You are advised not to contact police or reply to the message. “If you do something stupid, I will distribute the video,” he threatens.
Individuals are likely to respond to blackmail messages that threaten to expose sensitive information about them publicly, be they true or not. As such, cyber-extortion has gained more and more traction in recent years, harnessing millions of dollars from victims’ pockets.
However, it’s important not to panic as there is little chance the blackmailer could have spied or recorded you in reality. Cyber-extortionists usually send out threats at random, using large batches of email addresses from data breaches and leaks in the hopes of duping users.
If you are one of the unfortunate recipients, immediately delete the email, and report the extortion attempt to local authorities and email service providers.