Cyber-criminals have launched a new sextortion scam aimed at people who use the video-conferencing app Zoom while in a state of undress.
The scam, detected by Bitdefender Antispam Lab, appears to have originated on October 20, just after high-profile reporter and TV analyst Jeffrey Toobin was caught masturbating during a Zoom video chat with members of the New Yorker and WNYC radio.
Bitdefender reported that a quarter of a million people, mostly in the United States, received an email informing them that they had been filmed engaging in a sexual act while using Zoom. Victims were then threatened with exposure of the footage if they didn't pay a ransom.
The email, titled "Regarding Zoom Conference call," claims that the attacker exploited a zero-day vulnerability to access the victim's private data.
"You have used Zoom recently, like most of us during these bad COVID times. And I have very unfortunate news for you," reads the email.
"There was a zero-day security vulnerability on Zoom app that allowed me a full time access to your camera and some other metadata on your account."
The attacker then claims that while making recordings "just for fun," they "have made a recording, where you work on yourself."
Bitdefender's Alina Bizga noted: "The extortionist has clearly done his homework. Multiple zero-day vulnerabilities have been reported this year, including some that even allow a full takeover of devices."
After claiming to be in possession of compromising images of their victim, the attacker presents themselves as a victim of the impact of COVID-19.
"I got very sick, lost my job, about to be evicted and have no money to survive. All of this because of the stupid virus," writes the attacker.
"I'm sorry. I have no other choice."
The scammer then demands a $2,000 ransom in Bitcoin to be paid within three days if the victim doesn't want the footage to be made public.
"I do not want you to be the next Jeffrey Toobin," writes the attacker. "I'm sure you don't want to be embarrassed."