Cybersecurity researchers have lifted the veil on a widespread malicious campaign that’s targeting TikTok Shop users globally with an aim to steal credentials and distribute trojanized apps.
“Threat actors are exploiting the official in-app e-commerce platform through a dual attack strategy that combines phishing and malware to target users,” CTM360 said. “The core tactic involves a deceptive replica of TikTok Shop that tricks users into thinking theyʼre interacting with a legitimate affiliate or the real platform.”
The scam campaign has been codenamed ClickTok by the Bahrain-based cybersecurity company, calling out the threat actor’s multi-pronged distribution strategy that involves Meta ads and artificial intelligence (AI)-generated TikTok videos that mimic influencers or official brand ambassadors.
Central to the effort is the use of lookalike domains that resemble legitimate TikTok URLs. Over 15,000 such impersonated websites have been identified to date. The vast majority of these domains are hosted on top-level domains such as .top, .shop, and .icu.
These domains are designed to host phishing landing pages that either steal user credentials or distribute bogus apps that deploy a variant of a known cross-platform malware called SparkKitty that’s capable of harvesting data from both Android and iOS devices.
What’s more, a chunk of these phishing pages lure users into depositing cryptocurrency on fraudulent storefronts by advertising fake product listings and heavy discounts. CTM360 said it identified no less than 5,000 URLs that are set up with an intent to download the malware-laced app by advertising it as TikTok Shop.
“The scam mimics legitimate TikTok Shop activity through fake ads, profiles, and AI-generated content, tricking users into engaging to distribute malware,” the company noted. “Fake ads are widely circulated on Facebook and TikTok, featuring AI-generated videos that mimic real promotions to attract users with heavily discounted offers.”
The fraudulent scheme operates with three motives in mind, although the end goal is financial gain, regardless of the illicit monetization strategy employed:
- Deceiving buyers and affiliate program sellers (creators who promote products in exchange for a commission on sales generated through the affiliate links) with bogus and discounted products and asking them to make payments in cryptocurrency
- Convincing affiliate participants to “top up” fake on-site wallets with cryptocurrency, under the promise of future commission payouts or withdrawal bonuses that never materialize
- Using fake TikTok Shop login pages to steal user credentials or instruct them to download trojanized TikTok apps
The malicious app, once installed, prompts the victim to enter their credentials using their email-based account, only for it to repeatedly fail in a deliberate attempt on the part of the threat actors to present them with an alternative login using their Google account.
This approach is likely meant to bypass traditional authentication flows and weaponize the session token created using the OAuth-based method for unauthorized access without requiring in-app email validation. Should the logged-in victim attempt to access the TikTok Shop section, they are directed to a fake login page that asks for their credentials.
Also embedded within the app is SparkKitty, a malware that’s capable of device fingerprinting and using optical character recognition (OCR) techniques to analyze screenshots in a user’s photo gallery for cryptocurrency wallet seed phrases, and exfiltrating them to an attacker-controlled server.
The disclosure comes as the company also detailed another targeting phishing campaign dubbed CyberHeist Phish that’s using Google Ads and thousands of phishing links to dupe victims searching for corporate online banking sites to be redirected to seemingly benign pages that mimic the targeted banking login portal and are crafted to steal their credentials.
“This phishing operation is particularly sophisticated due to its evasive, selective nature and the threat actors’ real-time interaction with the target to collect two-factor authentication on each stage of login, beneficiary creation and fund transfer,” CTM360 said.
In recent months, phishing campaigns have also targeted Meta Business Suite users as part of a campaign called Meta Mirage that uses fake policy violation email alerts, ad account restriction notices, and deceptive verification requests distributed via email and direct messages to lead victims to credential and cookie harvesting pages are hosted on Vercel, GitHub Pages, Netlify, and Firebase.
“This campaign focuses on compromising high-value business assets, including ad accounts, verified brand pages, and administrator-level access within the platform,” the company added.
These developments coincide with an advisory from the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), urging financial institutions to be vigilant in identifying and reporting suspicious activity involving convertible virtual currency (CVC) kiosks in a bid to combat fraud and other illicit activities.
“Criminals are relentless in their efforts to steal money from victims, and they’ve learned to exploit innovative technologies like CVC kiosks,” said FinCEN Director Andrea Gacki. “The United States is committed to safeguarding the digital asset ecosystem for legitimate businesses and consumers, and financial institutions are a critical partner in that effort.”
