Cybercriminals Exploit CapCut’s Popularity to Harvest Apple ID and Credit Card Information

As CapCut continues its dominance in the short-form video editing arena, cybercriminals are capitalizing on its widespread use with increasingly sophisticated phishing campaigns.

The Cofense Phishing Defense Center (PDC) recently uncovered a campaign where attackers craft convincing fake CapCut invoices, targeting unsuspecting users to steal their Apple ID credentials and credit card information.

By mimicking CapCut’s branding and leveraging the authority of Apple’s ecosystem, these phishing attempts are effective at deceiving even cautious users.

Two-Stage Credential Harvesting Scheme Unveiled

The attack begins with a phishing email containing a purported CapCut invoice, which tricks recipients into believing they are being billed for a subscription.

The email includes a “Cancel your subscription” button which, when clicked, redirects the user to a meticulously crafted phishing site.

This site masquerades as an official Apple ID login page hosted at “Flashersofts[.]store/Applys/project/index[.]php”, a domain wholly unrelated to Apple.

Upon arrival, users are prompted to enter their Apple ID credentials, lured by official graphics and branding elements.

Figure: Fake credentials posted

Once credentials are entered, they are exfiltrated via an HTTP POST request to an attacker-controlled server at IP address 104[.]21[.]33[.]45.

Monitoring by Cofense reveals that these details are transmitted in plaintext, making them instantly available for malicious use.

The campaign does not end at credential theft. After submitting Apple ID information, victims are presented with a second phishing page that requests their credit card details under the pretense of facilitating a refund.

This phase uses the same infrastructure as the initial credential theft, even implementing basic input validation to ensure that only plausible credit card numbers are accepted.

Figure: Exfiltrated credentials in plain text

Entered financial details are then transmitted to the attackers’ server in the same insecure manner.

Tactics to Delay Detection

To maintain the illusion and avoid immediate suspicion, the attackers employ a clever ruse: after acquiring sensitive information, the victim is confronted with a fake authentication code prompt.

Regardless of how many times the user requests a code, no message is ever sent. This step subtly shifts the blame for any issues onto supposed technical problems, reducing the likelihood that the victim will promptly report the incident.

This multi-stage phishing attack underscores the danger of social engineering tactics that fuse branding manipulation with psychological pressure.

By using urgent language around unexpected subscription charges and refund offers, attackers increase the likelihood that users will bypass their usual caution.

The professional appearance of the fraudulent websites further blurs the line between legitimate and malicious interactions.

Experts urge users to remain vigilant: always verify URLs, be skeptical of unsolicited prompts for sensitive information, and never enter credentials on unfamiliar websites.

As attackers refine their techniques, user education and awareness remain pillars of effective defense.

The Cofense PDC continues to monitor and report on these evolving threats, advocating for quick reporting and thorough scrutiny of suspicious communications.

Indicators of Compromise (IOC)

Stage    Type             Indicator
Stage 1  Email Infection  hXXps://yms1[.]ynotmail[.]io/clients/link[.]php?M=703770538&N=3194361&L=453538585&F=H
Stage 1  IP               99[.]192[.]255[.]26
Stage 2  Payload URL      hXXps://flashersofts[.]store/Applys/project/index[.]php
Stage 2  IP               172[.]67[.]141[.]41
Stage 2  IP               104[.]21[.]33[.]43
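As an added example (not code from Cofense or Cyber Press), the script below refangs the indicators from the table above and checks proxy log lines against them; the log line format and the sample lines are constructed, and a POST to the stage 2 host marks a client that most likely submitted credentials or card data.

```python
# Added example (not Cofense's or Cyber Press's code): match proxy log lines
# against the article's IOC table. Log format and SAMPLE_LOG are constructed.
import re
from urllib.parse import urlparse

IOCS = {  # copied from the article's IOC table, still defanged
    "stage1-email": [
        "hXXps://yms1[.]ynotmail[.]io/clients/link[.]php?M=703770538&N=3194361&L=453538585&F=H",
        "99[.]192[.]255[.]26"],
    "stage2-payload": [
        "hXXps://flashersofts[.]store/Applys/project/index[.]php",
        "172[.]67[.]141[.]41", "104[.]21[.]33[.]43"],
}

def refang(ioc: str) -> str:
    """Turn a defanged indicator (hXXps, [.]) back into a matchable string."""
    return re.sub(r"^hXXp", "http", ioc, flags=re.IGNORECASE).replace("[.]", ".")

def build_watchlist() -> dict:
    """Map each refanged host or IP (lowercased) to the stage it belongs to."""
    watch = {}
    for stage, items in IOCS.items():
        for ioc in items:
            item = refang(ioc)
            host = urlparse(item).hostname if "://" in item else item
            watch[host.lower()] = stage
    return watch

# Constructed log format: "<timestamp> <client-ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")

def scan(lines, watch=None) -> list:
    """One hit per line whose URL host is on the watchlist. A POST to the
    stage-2 host means a form was submitted: treat that client as compromised."""
    watch = watch or build_watchlist()
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m: continue
        host = (urlparse(m["url"]).hostname or "").lower()
        if host in watch:
            hits.append({"src": m["src"], "stage": watch[host], "method": m["method"], "host": host})
    return hits

SAMPLE_LOG = [  # constructed, not real traffic
    "2025-05-01T10:02:11Z 10.0.0.8 GET https://yms1.ynotmail.io/clients/link.php?M=703770538&N=3194361&L=453538585&F=H",
    "2025-05-01T10:02:15Z 10.0.0.8 GET https://flashersofts.store/Applys/project/index.php",
    "2025-05-01T10:03:40Z 10.0.0.8 POST https://flashersofts.store/Applys/project/index.php",
    "2025-05-01T10:04:00Z 10.0.0.9 GET https://www.apple.com/",
    "2025-05-01T10:05:02Z 10.0.0.8 POST http://104.21.33.43/Applys/project/index.php",
]
```

Running `scan(SAMPLE_LOG)` yields four hits for client 10.0.0.8 (one stage 1, three stage 2) and none for the legitimate Apple request.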

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.