Popular TikTok video editor CapCut used to trick victims in phishing scam

News
By published

No, you didn't just pay for the premium subscription

Sign in with Apple Button for your privacy. Man holds a smartphone and authorizes the Internet service
(Image credit: Konstantin Savusia via Shutterstock)
  • Phishing emails "notify" victims of an active $50 subscription
  • Victims can "cancel" the subscription, by clicking on a link in the email body
  • The link leads to a fake login page where Apple ID credentials are harvested

Cybercriminals are impersonating a popular video editing app to steal people’s Apple ID logins, security researchers are warning.

Earlier this week, the security outfit Cofense warned about spotting a new phishing campaign. In it, the attackers would spoof CapCut, a video and graphic editing app developed by ByteDance, the company behind TikTok.

CapCut is immensely popular, boasting hundreds of millions active users. It offers both a free tier, and a paid tier, which is what the attackers are now abusing.

Get 55% off Incogni's Data Removal service with code TECHRADAR

Get 55% off Incogni's Data Removal service with code TECHRADAR

Wipe your personal data off the internet with the Incogni data removal service. Stop identity thieves
and protect your privacy from unwanted spam and scam calls.

View Deal

Stealing credentials

The spoofed email imitates CapCut’s branding to boost legitimacy, and “notifies” the victim that they just subscribed to the paid version, costing $50.

Further in the email, the victim is offered to “cancel subscription” if it was made by mistake.

With many mobile apps charging for their services by default, it’s not completely irrational to trust the email, and rush to cancel the subscription.

However, clicking on the link redirects the victim to a fake Apple login page, where they are asked to provide their Apple ID credentials.

These credentials are then relayed to the attackers, which they can use to access people’s images, messages, and other sensitive data. They can also use it to make purchases, causing direct financial harm, as well.

The best way to defend against these attacks, Cofense says, is to be skeptical of all incoming emails, especially those that require people to urgently do something:

“This phishing campaign highlights how easily trust can be manipulated through familiar branding and urgency. By imitating CapCut’s/Apple’s identity and dangling the threat of unwanted charges, attackers guide victims through a seamless two-stage credential theft process,” the researchers explain.

“The use of a fake verification step at the end is a subtle yet strategic move to delay suspicion and extend the attack window. As always, skepticism is a critical defense—check URLs carefully, question unexpected prompts for sensitive information, and report suspicious messages.”

Via Cybernews

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.