Fake CapCut Emails Target Apple Users to Steal Login & Payment Info

As CapCut continues to grow in popularity as a short-form video editing app, cybercriminals are exploiting its name to carry out sophisticated phishing scams. Recently, Cofense, a security software company, identified a campaign where attackers send convincing fake invoices that appear to come from CapCut in order to steal login and payment information.

Cybersecurity researchers within Cofense’s Phishing Defense Center found attempts aimed at stealing Apple ID credentials and credit card information. The attack begins with an email that includes a button labeled “Cancel your subscription.” When clicked or pressed, this button redirects the user to a fake website mimicking Apple’s login page. Despite its appearance, the site is hosted on a malicious domain unrelated to Apple.

Once on the fake page, users are prompted to enter their Apple ID credentials. The page uses official-looking branding to create a sense of trust, encouraging users to provide their login details. But when credentials are entered, they are sent (via an HTTP POST request) to an attacker-controlled server, where they are captured in plaintext.

After the first step, the webpage refreshes and presents a second prompt, this time asking for credit card information. The attackers claim they are processing a refund to entice users to provide their card details. And like the first page, this form is hosted on the same malicious server and exfiltrates data through similar POST requests.

The attackers may use dummy card generators to simulate real credit card data, which they then capture in plaintext. To make the scam seem more convincing, a fake verification step is included, prompting users to enter an authentication code that is never actually sent. This step helps prolong the scam and reduces suspicion.

This attack flow demonstrates how cybercriminals manipulate trust through familiar branding and urgent language. To protect yourself:

  • Always scrutinize URLs to ensure they are legitimate and belong to official domains. Review the full sender name as well as the email address. You’ll want to look at the ending domain (such as client.support.officialdomain.com). If in doubt, reach out to the company directly by phone or email. If you have never heard of them, it’s probably best to avoid further communications that could
  • Be cautious of unexpected prompts asking for personal or financial information, especially if showcasing a reward or urgent message.
  • Avoid clicking on suspicious links. Hover or long press the link to see its official domain. Some companies use email newsletter services which may provide a different domain, but if in doubt reach the company directly. If you have an account/services with them, navigate directly through official apps or websites.
  • Report suspicious emails or messages to your IT department within your office, in your email client (by reporting as Spam/Phishing), or by forwarding them directly to the brand they are attempting to mimic.
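The “look at the ending domain” check from the tips above, turned into a small screening script. This is an added example, not code from Cofense or the article: it assumes a hand-maintained allowlist of official domains for the brands named in a message (capcut.com, apple.com) and uses a last-two-labels heuristic for the ending domain, which a real deployment would replace with the Public Suffix List.

```python
import re
from urllib.parse import urlparse

# Assumption: a small allowlist of official domains per brand. Real gateways
# would use the Public Suffix List instead of the last-two-labels heuristic.
OFFICIAL_DOMAINS = {
    "capcut": {"capcut.com"},
    "apple": {"apple.com", "icloud.com"},
}

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)


def ending_domain(host: str) -> str:
    """Last two labels of a hostname: client.support.officialdomain.com -> officialdomain.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brands_mentioned(text: str) -> set:
    lowered = text.lower()
    return {b for b in OFFICIAL_DOMAINS if b in lowered}


def analyze_email(sender: str, html_body: str) -> list:
    """Return findings for a message that names a brand but links or is sent
    from somewhere that brand does not own; an empty list means nothing looked off."""
    findings = []
    brands = brands_mentioned(html_body)
    allowed = set().union(*(OFFICIAL_DOMAINS[b] for b in brands)) if brands else set()

    sender_domain = ending_domain(sender.rsplit("@", 1)[-1])
    if brands and sender_domain not in allowed:
        findings.append(f"sender domain {sender_domain} does not belong to {sorted(brands)}")

    for href, anchor_text in HREF_RE.findall(html_body):
        link_domain = ending_domain(urlparse(href).hostname or "")
        if brands and link_domain not in allowed:
            findings.append(f"link to {link_domain} does not belong to {sorted(brands)}")
        # Visible link text that shows one domain while the href points elsewhere.
        shown = URL_RE.search(anchor_text)
        if shown:
            shown_domain = ending_domain(urlparse(shown.group(0)).hostname or "")
            if shown_domain != link_domain:
                findings.append(f"link text shows {shown_domain} but points to {link_domain}")
    return findings


# Constructed sample modelled on the lure described above (not a real message).
SAMPLE_SENDER = "billing@capcut-invoices.example"
SAMPLE_BODY = """<p>Your CapCut Pro subscription invoice is attached.</p>
<a href="https://appleid.apple.com.account-verify.example/login">Cancel your subscription</a>"""
```

Running `analyze_email(SAMPLE_SENDER, SAMPLE_BODY)` flags both the sender domain and the “Cancel your subscription” link, because neither ends in a domain CapCut or Apple owns.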

Hackers and cybercriminals continue to come up with new tactics that leverage trusted brands and create a sense of urgency for the recipient. Staying vigilant, verifying the authenticity of links, and questioning unexpected prompts are key defenses for all users.

Check out Cofense’s full analysis and findings on their security report.
