CapCut Phishing Scam: Users Targeted with Fake Invoices and Credit Card Theft
Cybercriminals are exploiting the popularity of CapCut, a leading video editing application, through a sophisticated phishing campaign. Users are being targeted with meticulously crafted fake invoices designed to steal their Apple ID credentials and credit card details. This two-stage attack leverages the trust users place in the CapCut brand to maximize data extraction while delaying suspicion.
How the CapCut Phishing Scheme Works
The phishing scheme begins with a seemingly legitimate email featuring a “Cancel your subscription” button, using CapCut’s official imagery to build trust. Clicking this button redirects the user to a counterfeit Apple ID login page hosted on a suspicious domain, “Flashersofts[.]store/Applys/project/index[.]php,” which is not affiliated with Apple [[source]].
Victims are then prompted to enter their credentials, which are exfiltrated in plaintext via an HTTP POST request to the IP address 104[.]21[.]33[.]45, a notable security flaw that exposes the data to interception.
Did You Know? Plaintext transmission of sensitive data is a major security risk, as it allows attackers to easily intercept and steal information.
The Two-Stage Attack Unveiled
The attack then transitions to a second phase, where users are presented with a dialog box requesting credit card details under the guise of processing a refund. This page, sharing the same command-and-control (C2) infrastructure, even includes input validation to reject incomplete card numbers, adding a layer of perceived authenticity.
The final step involves a fake authentication code prompt that never delivers a code, a ruse designed to prevent victims from instantly suspecting fraud and reporting the incident.
Pro Tip: Always double-check the URL of any login page to ensure it is legitimate before entering your credentials.
Indicators of Compromise (IOCs)
Be aware of these indicators to protect yourself:
| Type | Indicator | IP Address(es) |
|---|---|---|
| Email Infection URL | hXXps://yms1[.]ynotmail[.]io/clients/link[.]php?M=703770538&N=3194361&L=453538585&F=H | 99[.]192[.]255[.]26 |
| Payload URL | hXXps://flashersofts[.]store/Applys/project/index[.]php | 172[.]67[.]141[.]41, 104[.]21[.]33[.]43 |
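As an added defender-side example (not code from the original article or from CapCut), the following Python script refangs the indicators from the table above, runs them over a few constructed proxy log lines, and also flags the behaviour described earlier: a plaintext HTTP POST to a bare IP address. The proxy log layout and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Indicators from the IoC table above, kept defanged exactly as published.
DEFANGED_IOCS = [
    "hXXps://yms1[.]ynotmail[.]io/clients/link[.]php?M=703770538&N=3194361&L=453538585&F=H",
    "hXXps://flashersofts[.]store/Applys/project/index[.]php",
    "99[.]192[.]255[.]26", "172[.]67[.]141[.]41", "104[.]21[.]33[.]43",
]
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def refang(ioc):
    """Turn a defanged indicator (hXXps://, [.]) back into its live form for matching."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."), flags=re.IGNORECASE)

def build_watchlist(defanged):
    """Split the refanged indicators into a set of hostnames and a set of IPv4 addresses."""
    live = [refang(i) for i in defanged]
    ips = {i for i in live if IPV4.match(i)}
    hosts = {(urlparse(i).hostname or i).lower() for i in live if i not in ips}
    return hosts, ips

# Hypothetical proxy log layout assumed here: "<ts> user=<u> <METHOD> <url> dst=<ip>".
LOG_RE = re.compile(r"\b(?P<method>GET|POST|CONNECT)\s+(?P<url>\S+)\s+dst=(?P<dst>\S+)")

def scan_proxy_log(lines, hosts, ips):
    """Return (line_no, reason) for lines hitting a watchlisted host/IP or POSTing over plain HTTP to a bare IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        method, url, dst = m.group("method", "url", "dst")
        # CONNECT lines carry "host:port" with no scheme; prefix "//" so urlparse sees a netloc.
        host = (urlparse(url if "://" in url else "//" + url).hostname or "").lower()
        if host in hosts:
            hits.append((n, f"known phishing host {host}"))
        elif dst in ips or host in ips:
            hits.append((n, f"known C2 address {dst}"))
        elif method == "POST" and url.startswith("http://") and IPV4.match(host):
            hits.append((n, f"plaintext POST to bare IP {host}"))
    return hits

# Constructed sample lines (not real traffic); 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = [
    "2025-05-02T10:01:11Z user=alice GET https://www.example.com/ dst=203.0.113.10",
    "2025-05-02T10:02:30Z user=alice GET https://yms1.ynotmail.io/clients/link.php?M=703770538 dst=99.192.255.26",
    "2025-05-02T10:02:33Z user=alice CONNECT flashersofts.store:443 dst=172.67.141.41",
    "2025-05-02T10:03:05Z user=alice GET https://104.21.33.43/Applys/project/index.php dst=104.21.33.43",
    "2025-05-02T10:03:40Z user=bob POST http://198.51.100.7/Applys/project/index.php dst=198.51.100.7",
]
```

Running `scan_proxy_log(SAMPLE_LOG, *build_watchlist(DEFANGED_IOCS))` flags lines 2 to 5 and leaves the benign first line alone; in practice the same matcher can be pointed at real proxy or mail-gateway exports.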
Past CapCut Malware Campaigns
This isn’t the first time CapCut’s popularity has been exploited. Security researchers have previously observed campaigns distributing infostealers and other malware disguised as CapCut downloads [[2]]. One campaign used fake CapCut sites to deliver the Offx Stealer malware, which extracts passwords, cookies, and data from messaging apps [[3]].
Another instance involved a phishing site masquerading as a CapCut download page to trick users into installing the JamPlus malware [[1]].
Evergreen Insights: Understanding Phishing and Brand Impersonation
Phishing attacks, like the one targeting CapCut users, rely on social engineering to trick individuals into divulging sensitive information. These attacks often exploit trusted brands to create a sense of legitimacy and urgency. According to the FBI’s Internet Crime Complaint Center (IC3), phishing was one of the most prevalent cybercrimes in 2024, causing significant financial losses to individuals and organizations [[IC3 Data]].
Brand impersonation, where attackers mimic the branding of legitimate companies, is a common tactic used in phishing campaigns. By using familiar logos, designs, and language, attackers can increase the likelihood that victims will fall for their scams. Staying informed about these tactics and exercising caution when interacting with unsolicited emails or messages is crucial for protecting yourself from phishing attacks.
Frequently Asked Questions About CapCut Phishing Scams
- What is a CapCut phishing scam?
- A CapCut phishing scam is a deceptive tactic used by cybercriminals to trick users into revealing sensitive information, such as Apple ID credentials and credit card details, by impersonating the CapCut brand.
- How can I identify a fake CapCut email?
- Look for suspicious URLs, grammatical errors, and unsolicited requests for personal information. Always verify the sender’s email address and be wary of emails urging immediate action.
- What should I do if I clicked on a phishing link?
- Immediately change your passwords for all affected accounts, contact your bank or credit card company to report any suspicious activity, and run a full scan of your device with a reputable antivirus program.
- Is CapCut responsible for these phishing attacks?
- No, CapCut is not responsible for these attacks. Cybercriminals are exploiting the brand’s popularity to deceive users. CapCut is likely taking steps to address the issue and protect its users.