Tuesday, March 17, 2026

How Cybercriminals Are Exploiting CapCut’s Popularity to Steal Apple IDs and Credit Card Info

As CapCut continues to surge in popularity as the go-to short-form video editing tool, cybercriminals are now weaponizing its brand power in a new wave of phishing attacks.

Security researchers at the Cofense PDC team have uncovered a complex, multi-stage campaign that leverages convincing fake “CapCut invoice” emails.

These emails are designed to harvest Apple ID credentials and credit card information from unsuspecting users.

The phishing bait takes the form of a deceptive email that mimics CapCut’s official branding, complete with professional layouts and urgent calls to action.

Inside the email, users are prompted to click a “Cancel your subscription” button. This action triggers a chain of events engineered to extract sensitive data in a remarkably orchestrated manner.

Email Body

Technical Analysis: From Credential Theft to Card Details

Once the user clicks the deceptive link, they are redirected to a fraudulent web page that perfectly mimics the Apple ID login portal.

The URL, such as “Flashersofts[.]store/Applys/project/index[.]php,” appears unrelated to legitimate Apple domains but is convincingly branded to resemble official Apple services.

Here, users are prompted to enter their Apple ID credentials, which are then intercepted via an HTTP POST request to the attacker’s command-and-control (C2) server at 104[.]21[.]33[.]45.

The credentials are transmitted in plaintext, making them easily accessible to threat actors.

The attack doesn’t stop there. After the Apple credentials are compromised, the phishing page refreshes, exposing a second scam designed to capture credit card information ostensibly for processing a refund.

The same C2 server receives this data, also in plaintext, directly from the user’s browser. Notably, the fake input box only accepts credit card numbers meeting a certain digit length, providing an illusion of input validation that further dupes the victim.

To cover their tracks and delay suspicion, the phishing page includes a fake authentication code prompt. Users can repeatedly request a new code, but none is ever sent.

This clever psychological tactic is designed to keep victims preoccupied and less likely to report the incident, leading them to believe a technical error has occurred rather than a theft of their credentials and card information.
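As an added illustration (not code from the article or from the Cofense PDC team), the Python script below shows how a defender could surface the request pattern described above in web-proxy logs: credential or payment-card form fields posted to a host that is not Apple's, to a bare IP address, or over plain HTTP, plus a match on the two indicators the article quotes. Those two indicators are taken from the article (re-fanged); the Apple allow-list, the form field names, the log line format and the sample log lines are constructed assumptions.

```python
"""Added detection example (not from the article or Cofense): flags the request
pattern described above in constructed web-proxy log lines. Only the two
indicators quoted in the article are real; every other value is made up."""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Indicators quoted in the article, re-fanged from "Flashersofts[.]store" and
# "104[.]21[.]33[.]45" so they can be compared against log hostnames.
ARTICLE_IOCS = {"flashersofts.store", "104.21.33.45"}

# Assumed allow-list: hosts that may legitimately receive Apple ID credentials.
LEGIT_APPLE_SUFFIXES = ("apple.com", "icloud.com")

# Assumed form field names worth watching (compared case-insensitively).
CREDENTIAL_FIELDS = {"appleid", "apple_id", "password", "passwd", "pwd"}
CARD_FIELDS = {"cardnumber", "card_number", "ccnum", "cvv", "cvc", "expiry"}


def is_ip_literal(host: str) -> bool:
    """True if the URL's host is a bare IP address, as the C2 in the campaign was."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_apple_host(host: str) -> bool:
    """True if host is an allow-listed Apple domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in LEGIT_APPLE_SUFFIXES)


def classify_request(method: str, url: str, body: str) -> list[str]:
    """Return the reasons (possibly none) a single request should be flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in ARTICLE_IOCS:
        reasons.append(f"known indicator: {host}")
    if method.upper() != "POST":
        return reasons
    fields = {k.lower() for k in parse_qs(body)}
    if not fields & (CREDENTIAL_FIELDS | CARD_FIELDS):
        return reasons
    if fields & CREDENTIAL_FIELDS and not is_apple_host(host):
        reasons.append("Apple-ID-style credentials posted to non-Apple host")
    if fields & CARD_FIELDS and not is_apple_host(host):
        reasons.append("payment-card fields posted to non-Apple host")
    if is_ip_literal(host):
        reasons.append("sensitive fields posted to a bare IP address")
    if parts.scheme == "http":
        reasons.append("sensitive fields sent over plain HTTP")
    return reasons


def scan_log(lines):
    """Parse 'timestamp method url body' lines ('-' means no body); return hits."""
    hits = []
    for line in lines:
        ts, method, url, body = line.split(" ", 3)
        reasons = classify_request(method, url, "" if body == "-" else body)
        if reasons:
            hits.append({"time": ts, "url": url, "reasons": reasons})
    return hits


# Constructed sample log: one legitimate Apple sign-in, then the campaign's flow
# (lure page visit, credentials posted to the C2, card details posted to the C2).
SAMPLE_LOG = [
    "2026-03-17T10:02:10Z POST https://appleid.apple.com/sign-in appleid=user%40example.com&password=secret",
    "2026-03-17T10:05:33Z GET http://flashersofts.store/Applys/project/index.php -",
    "2026-03-17T10:06:01Z POST http://104.21.33.45/Applys/project/index.php appleid=user%40example.com&password=secret",
    "2026-03-17T10:07:15Z POST http://104.21.33.45/Applys/project/index.php cardnumber=4111111111111111&expiry=12%2F29&cvv=123",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["url"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The first sample line is deliberately a credential POST to an allow-listed host and produces no hit, which is the check that keeps a rule like this from flagging every legitimate sign-in; the three remaining lines each produce at least one reason. In a real deployment the indicator set would be fed from threat intelligence rather than hard-coded, and the allow-list would cover every first-party host that legitimately receives the fields being watched.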

Staying Safe: Vigilance and Cyber Hygiene

This campaign demonstrates just how effectively cybercriminals exploit popular brands and users’ trust in familiar interfaces.

By harnessing CapCut’s brand recognition and combining it with the urgency of unwanted charges, attackers have crafted a multi-layered attack that is both technically sophisticated and psychologically manipulative.

To protect themselves, users should always scrutinize URLs, especially in emails that promise refunds or request sensitive information.

They should also question any unsolicited prompts for login or payment details and report suspicious activity immediately.

As cyber threats evolve, staying vigilant and adopting robust security practices remain the most effective defense against social engineering attacks.

The Cofense PDC team continues to monitor these tactics and will alert users as new phishing techniques emerge, aiming to keep the digital landscape safer for everyone. Stay informed, stay cautious, and remember: in the digital age, skepticism is your shield.
