A new phishing scam uses popular video editor CapCut to attempt to steal Apple IDs and credit card information. Using fake invoices that try to trick users into thinking they’re about to be enrolled in a CapCut subscription for $50 per month, hackers are stealing login credentials and payment details.
As reported by Cybernews, CapCut, a short-form video editing platform frequently used in social media videos, most notably on TikTok, is a desirable target for cybercriminals precisely because of its large user base, some of whom may not be savvy enough to avoid phishing scams.
This latest scam was discovered by cybersecurity company Cofense, which realized that threat actors have been sending out fake invoices supposedly from CapCut that mimic the company’s official branding.
A victim receives an email that appears to be a “subscription confirmation,” which looks as though it confirms their $50/month subscription to the service. When the user clicks the “cancel subscription” button embedded in the email, they are redirected to a fake Apple ID log-in page where they can enter their Apple credentials and payment information to “request refund.”
The fake pages are purposefully designed not to arouse suspicion, so they closely resemble official pages by using familiar branding and logos. This, combined with the sense of urgency, uses classic phishing techniques to manipulate a victim into clicking through to provide their personal information.
Cofense has said that the attackers are guiding victims through a “seamless two-stage credential theft process. The use of a fake verification step at the end is a subtle yet strategic move to delay suspicion and extend the attack window.”
How to stay safe
As Cofense points out, if you receive an email like this, you should report it, as it clearly qualifies as a suspicious message. More generally, always question any unexpected request for sensitive personal information, and carefully check the URLs behind embedded links in emails before clicking them.
The best way to avoid getting phished is to make sure you’re only giving away personal information to legitimate websites and companies. Never click on an unexpected link or attachment – if you know the sender, contact them directly to confirm what they sent and why before clicking through.
If a company contacts you about an urgent matter regarding your account, don’t click anything in the email, text or message. Instead, open your browser, type the company’s web address into the address bar yourself, and log in from there. Be wary of anything that conveys a sense of urgency or pressure.
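The link check described above can also be automated for a mail gateway or a helpdesk triage script. The following is an added example, not code from the article, from Cofense or from CapCut: it parses an HTML email body, flags every link whose real target falls outside an assumed allowlist of the impersonated brand’s domains (capcut.com and apple.com are assumed here), flags links whose visible text shows one URL while the href points somewhere else, and counts urgency phrases like those in the lure. The sample email body is constructed to resemble the described “subscription confirmation” lure, and the domain capcut-billing.example is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumed allowlist of legitimate domains for the brands this lure impersonates.
# A real deployment would take this from the organisation's own brand list.
ALLOWED_DOMAINS = {
    "capcut": ("capcut.com",),
    "apple": ("apple.com", "icloud.com"),
}

# Phrases typical of the pressure the article describes (constructed list).
URGENCY_PHRASES = ("cancel subscription", "request refund", "within 24 hours",
                   "your account will be charged")

# Constructed sample resembling the lure; capcut-billing.example is a placeholder.
SAMPLE_EMAIL = """
<html><body>
<p>Your CapCut Pro subscription ($50.00/month) has been confirmed.</p>
<p>If you did not authorise this charge you may
<a href="https://capcut-billing.example/refund">cancel subscription</a>
within 24 hours to request refund.</p>
<p>Account: <a href="https://capcut-billing.example/login">https://www.capcut.com/account</a></p>
<p><a href="https://www.capcut.com/help">Help Center</a></p>
</body></html>
"""


def host_matches(host: str, allowed: tuple) -> bool:
    """True if host equals one of the allowed domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_email(html: str, claimed_brand: str) -> dict:
    """Return suspicious links and urgency cues found in an HTML email body."""
    parser = LinkExtractor()
    parser.feed(html)
    allowed = ALLOWED_DOMAINS[claimed_brand]
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if parsed.scheme not in ("http", "https") or not host:
            findings.append((href, text, "non-web or empty link target"))
            continue
        if not host_matches(host, allowed):
            findings.append((href, text, f"target leaves {claimed_brand} domains: {host}"))
        # Visible text that looks like a URL but whose host differs from the real target.
        shown = re.search(r"https?://([^\s/]+)", text)
        if shown:
            shown_host = re.sub(r"^www\.", "", shown.group(1).lower())
            real_host = re.sub(r"^www\.", "", host)
            if shown_host != real_host:
                findings.append((href, text, "displayed URL differs from real target"))
    # Strip tags before looking for pressure language in the body text.
    lowered = re.sub(r"<[^>]+>", " ", html).lower()
    urgency = [p for p in URGENCY_PHRASES if p in lowered]
    verdict = "suspicious" if findings else "no link findings"
    return {"suspicious_links": findings, "urgency_cues": urgency, "verdict": verdict}


if __name__ == "__main__":
    result = analyse_email(SAMPLE_EMAIL, "capcut")
    print(result["verdict"])
    for href, text, reason in result["suspicious_links"]:
        print(f"  {reason}: '{text}' -> {href}")
    print("urgency cues:", result["urgency_cues"])
```

Run against the constructed sample, the script flags both links that point at the placeholder domain (the second one twice, because its visible text also advertises a different URL) while leaving the genuine help-centre link alone; the urgency count is reported separately so an analyst can weigh pressure language against the link evidence rather than treating either signal alone as proof.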
Maintain good practices with your online accounts: never reuse passwords, and use a password manager to keep them secure. Enable two-factor authentication wherever it is offered. Keep one of the best antivirus programs installed, updated and running on all your devices – your PC and your mobile device alike. We have recommendations for the best Android antivirus apps if you don’t already have one installed. And for added protection, make sure your antivirus program includes a VPN or offers a hardened browser for an extra layer of security.