Cybercriminals Exploit CapCut Popularity to Steal Apple ID Credentials and Credit Card Data
Threat actors have capitalized on the immense popularity of CapCut, the leading short-form video editing app, to orchestrate a highly deceptive phishing campaign.
According to the Cofense Phishing Defense Center (PDC), attackers are deploying meticulously crafted fake invoices that impersonate CapCut’s branding to lure users into surrendering their Apple ID credentials and credit card information.
This double-barreled attack not only exploits the trust users place in familiar branding but also employs sophisticated tactics to maximize the extraction of sensitive data while delaying suspicion.
Sophisticated Phishing Campaign
The campaign serves as a stark reminder of the evolving nature of social engineering threats and the critical need for vigilance in the digital space.
The phishing scheme begins with a seemingly legitimate email featuring a “Cancel your subscription” button, designed to instill urgency and trust through CapCut’s official imagery.
Once clicked, the user is redirected to a counterfeit Apple ID login page hosted at a suspicious domain, “Flashersofts[.]store/Applys/project/index[.]php,” which bears no connection to Apple’s legitimate services.
Here, victims are prompted to input their credentials, which are then exfiltrated via an HTTP POST request to the IP address 104[.]21[.]33[.]45 in plaintext, a glaring security flaw that exposes the data to interception.

Two-Stage Attack Chain Unveiled
Following this, the attack transitions into its second phase, where users are presented with a dialog box requesting credit card details under the guise of processing a refund.
This page, sharing the same command-and-control (C2) infrastructure, even includes input validation to reject incomplete card numbers, adding a layer of perceived authenticity.
The final step introduces a fake authentication code prompt that never delivers a code, a clever ruse to prevent victims from immediately suspecting fraud and reporting the incident.

This multi-stage design not only harvests dual sets of sensitive information but also manipulates user behavior to extend the attack window, showcasing the attackers’ strategic depth.
The Cofense PDC team’s analysis revealed the use of dummy credentials and card data during testing, confirming the plaintext transmission of stolen information, a critical vulnerability in the attack chain.
The campaign’s reliance on familiar branding, urgency tactics, and subtle misdirection highlights how easily trust can be weaponized in phishing schemes.
Users are urged to exercise skepticism by scrutinizing URLs, questioning unsolicited requests for personal information, and promptly reporting suspicious communications.
As cybercriminals continue to refine their methods, staying informed about such threats remains paramount.
The Cofense PDC pledges to monitor and expose these tactics, emphasizing the importance of user awareness in combating social engineering attacks.
Indicators of Compromise (IOCs)
Type | Indicator | IP Address(es) |
---|---|---|
Email Infection URL | hXXps://yms1[.]ynotmail[.]io/clients/link[.]php?M=703770538&N=3194361&L=453538585&F=H | 99[.]192[.]255[.]26 |
Payload URL | hXXps://flashersofts[.]store/Applys/project/index[.]php | 172[.]67[.]141[.]41, 104[.]21[.]33[.]43 |
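One way to put the IOC table above to work on the defensive side, as an added example that is not from the Cofense report: refang the defanged indicators (hXXps://, [.]) and sweep them against web proxy logs. The log layout and the sample entries are constructed for this example and are not data from the campaign.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the IOC table above, kept in their defanged form.
IOC_TABLE = [
    ("Email Infection URL",
     "hXXps://yms1[.]ynotmail[.]io/clients/link[.]php?M=703770538&N=3194361&L=453538585&F=H",
     ["99[.]192[.]255[.]26"]),
    ("Payload URL",
     "hXXps://flashersofts[.]store/Applys/project/index[.]php",
     ["172[.]67[.]141[.]41", "104[.]21[.]33[.]43"]),
]

def refang(value: str) -> str:
    """Turn a defanged indicator back into the live form that appears in logs."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".")

def build_watchlist(table):
    """Return (hosts, ips). Matching on host rather than the full URL also
    catches requests to other paths on the same phishing domain."""
    hosts, ips = set(), set()
    for _, url, addrs in table:
        hosts.add(urlparse(refang(url)).hostname.lower())
        ips.update(refang(a) for a in addrs)
    return hosts, ips

# Constructed proxy log (assumed layout: timestamp client method url dest_ip status).
SAMPLE_PROXY_LOG = """\
2025-06-03T09:14:02Z 10.1.4.22 GET https://www.capcut.com/ 203.0.113.10 200
2025-06-03T09:15:41Z 10.1.4.22 GET https://yms1.ynotmail.io/clients/link.php?M=703770538&N=3194361&L=453538585&F=H 99.192.255.26 302
2025-06-03T09:15:43Z 10.1.4.22 GET https://flashersofts.store/Applys/project/index.php 104.21.33.43 200
2025-06-03T09:16:10Z 10.1.4.22 POST http://flashersofts.store/Applys/project/index.php 104.21.33.43 200
2025-06-03T09:20:00Z 10.1.4.31 GET https://example.org/ 203.0.113.20 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def find_ioc_hits(log_text: str, table=IOC_TABLE):
    """Return one record per log line whose host or destination IP is on the watchlist.
    A POST hit is the credential/card submission step described in the article."""
    hosts, ips = build_watchlist(table)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, client, method, url, dest_ip, _status = m.groups()
        host = (urlparse(url).hostname or "").lower()
        reasons = [r for r, ok in (("host:" + host, host in hosts),
                                   ("ip:" + dest_ip, dest_ip in ips)) if ok]
        if reasons:
            hits.append({"ts": ts, "client": client, "method": method,
                         "host": host, "reasons": reasons})
    return hits
```

Each hit carries the client address, so the affected user can be contacted and their Apple ID password and card reissued before the attackers use them.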