- Phishing emails “notify” victims of an active $50 subscription
- Victims can “cancel” the subscription, by clicking on a link in the email body
- The link leads to a fake login page where Apple ID credentials are harvested
Cybercriminals are impersonating a popular video editing app to steal people’s Apple ID logins, security researchers are warning.
Earlier this week, the security outfit Cofense warned about spotting a new phishing campaign. In it, the attackers would spoof CapCut, a video and graphic editing app developed by ByteDance, the company behind TikTok.
CapCut is immensely popular, boasting hundreds of millions active users. It offers both a free tier, and a paid tier, which is what the attackers are now abusing.
Stealing credentials
The spoofed email imitates CapCut’s branding to boost legitimacy, and “notifies” the victim that they just subscribed to the paid version, costing $50.
Further in the email, the victim is offered to “cancel subscription” if it was made by mistake.
With many mobile apps charging for their services by default, it’s not completely irrational to trust the email, and rush to cancel the subscription.
However, clicking on the link redirects the victim to a fake Apple login page, where they are asked to provide their Apple ID credentials.
These credentials are then relayed to the attackers, which they can use to access people’s images, messages, and other sensitive data. They can also use it to make purchases, causing direct financial harm, as well.
The best way to defend against these attacks, Cofense says, is to be skeptical of all incoming emails, especially those that require people to urgently do something:
“This phishing campaign highlights how easily trust can be manipulated through familiar branding and urgency. By imitating CapCut’s/Apple’s identity and dangling the threat of unwanted charges, attackers guide victims through a seamless two-stage credential theft process,” the researchers explain.
“The use of a fake verification step at the end is a subtle yet strategic move to delay suspicion and extend the attack window. As always, skepticism is a critical defense—check URLs carefully, question unexpected prompts for sensitive information, and report suspicious messages.”
Via Cybernews
