
15,000 Malicious TikTok Shop domains unleashed with Malware


The campaign

Cybersecurity researchers have unveiled a widespread malicious campaign that targets TikTok Shop users globally, aiming to steal credentials and distribute trojanized apps.

“Threat actors are exploiting the official in-app e-commerce platform through a dual attack strategy that combines phishing and malware to target users,” CTM360 said. “The core tactic involves a deceptive replica of TikTok Shop that tricks users into thinking they’re interacting with a legitimate affiliate or the real platform.”

ClickTok and SparkKitty

The scam campaign, codenamed ClickTok by the Bahrain-based cybersecurity company, highlights the threat actor’s multi-pronged distribution strategy. This strategy involves Meta ads and artificial intelligence (AI)-generated TikTok videos that mimic influencers or official brand ambassadors.

Central to the effort is the use of lookalike domains that resemble legitimate TikTok URLs. To date, researchers have identified over 15,000 such impersonated websites. The vast majority of these domains are hosted on top-level domains such as .top, .shop, and .icu.

These domains serve to host phishing landing pages that either steal user credentials or distribute bogus apps. These apps deploy a variant of a known cross-platform malware called SparkKitty, which can harvest data from both Android and iOS devices.

Furthermore, a portion of these phishing pages lures users into depositing cryptocurrency on fraudulent storefronts by advertising fake product listings and heavy discounts. CTM360 identified no less than 5,000 URLs set up to download the malware-laced app by advertising it as TikTok Shop.
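The domain pattern described above (brand-themed hostnames on cheap TLDs such as .top, .shop and .icu) is something a defender can turn into a simple log-triage rule. The following is an added example, not code from CTM360 or from the original report: it scans constructed proxy/DNS log lines, treats only tiktok.com as the legitimate registrable domain (an assumption; the page does not list TikTok's real domains), and flags hostnames that carry a TikTok-like token but resolve to a different registrable domain, ranking those on the TLDs named in the report highest. The digit-for-letter substitution in the regex and the sample hostnames are constructed for illustration.

```python
import re

# Constructed sample of proxy/DNS log lines (not from the report): timestamp, client IP, hostname.
SAMPLE_LOG = """\
2025-08-01T10:00:01Z 10.0.0.5 www.tiktok.com
2025-08-01T10:00:02Z 10.0.0.5 tiktok-shop-deals.top
2025-08-01T10:00:03Z 10.0.0.7 tiktokshop-affiliate.shop
2025-08-01T10:00:04Z 10.0.0.9 shop.tiktok.com
2025-08-01T10:00:05Z 10.0.0.9 tikt0k-shop.icu
2025-08-01T10:00:06Z 10.0.0.3 example.org
2025-08-01T10:00:07Z 10.0.0.4 tiktok.com.login-verify.top
"""

# TLDs the report names as hosting the bulk of the impersonation domains.
SUSPICIOUS_TLDS = {"top", "shop", "icu"}

# Assumed allowlist of legitimate registrable domains (an assumption, not from the report).
ALLOWED_DOMAINS = {"tiktok.com"}

# Brand token, allowing a zero-for-o substitution (constructed heuristic).
BRAND_RE = re.compile(r"tikt[o0]k", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    This deliberately ignores the public-suffix list; it is adequate for the
    single-label TLDs used here and keeps the example self-contained.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> str:
    """Classify a hostname as legitimate, unrelated, or a lookalike to review."""
    host = host.lower().rstrip(".")
    # A hostname whose registrable domain is allowlisted is the real site,
    # whatever its subdomain (e.g. shop.tiktok.com).
    if registrable_domain(host) in ALLOWED_DOMAINS:
        return "legitimate"
    # No brand token anywhere in the name: not relevant to this campaign.
    if not BRAND_RE.search(host):
        return "unrelated"
    # Brand token present but the registrable domain is not TikTok's:
    # rank by whether the TLD is one the report associates with the campaign.
    tld = host.rsplit(".", 1)[-1]
    return "lookalike-high" if tld in SUSPICIOUS_TLDS else "lookalike-review"


def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (client, host, verdict) for every log line whose host is a lookalike."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, client, host = parts
        verdict = classify_host(host)
        if verdict.startswith("lookalike"):
            hits.append((client, host, verdict))
    return hits


if __name__ == "__main__":
    for client, host, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:16} {client:10} {host}")
```

Note that `tiktok.com.login-verify.top` is flagged even though it starts with the real brand domain, because the registrable domain is the last two labels, not the first; that is the check that matters for credential-phishing pages of this kind.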

Spreading with AI

The scam mimics legitimate TikTok Shop activity through fake ads, profiles, and AI-generated content, tricking users into engaging with it so that malware can be distributed, the company noted. Moreover, “Fake ads are widely circulated on Facebook and TikTok, featuring AI-generated videos that mimic real promotions to attract users with heavily discounted offers.”

AI-Driven Scam

The fraudulent scheme operates with three motives in mind, and its ultimate goal is financial gain, regardless of the illicit monetization strategy pursued:

  • Deceiving buyers and affiliate program sellers (creators who promote products in exchange for a commission on sales generated through the affiliate links) with bogus and discounted products, while pressuring them to make payments in cryptocurrency.
  • Convincing affiliate participants to “top up” fake on-site wallets with cryptocurrency, under the promise of future commission payouts or withdrawal bonuses that never materialize.
  • Using fake TikTok Shop login pages to steal user credentials or instruct them to download trojanized TikTok apps.

After victims install the malicious app, it immediately prompts them to enter their credentials using their email-based account. The login process deliberately fails repeatedly because the threat actors want to present an alternative login option through the victim’s Google account.

This tactic allows attackers to bypass traditional authentication flows and weaponize the session token created through the OAuth-based method, granting unauthorized access without requiring in-app email validation. Consequently, whenever victims attempt to access the TikTok Shop section, the app redirects them to a fake login page that again requests their credentials.

The app also embeds SparkKitty, a powerful malware that fingerprints devices and uses optical character recognition (OCR) to scan screenshots in the user’s photo gallery. It specifically looks for cryptocurrency wallet seed phrases and then exfiltrates this sensitive data to an attacker-controlled server.

More Phishing

Meanwhile, the company also revealed another phishing campaign called CyberHeist Phish. This campaign uses Google Ads and thousands of phishing links to deceive victims searching for corporate online banking sites. It redirects them to pages that appear legitimate but actually mimic targeted banking login portals and steal credentials.

“This phishing operation is particularly sophisticated due to its evasive, selective nature and the threat actors’ real-time interaction with the target to collect two-factor authentication on each stage of login, beneficiary creation and fund transfer,” CTM360 said.

In addition, recent months have seen phishing campaigns targeting Meta Business Suite users in a campaign known as Meta Mirage. Attackers send fake policy violation alerts, ad account restriction notices, and deceptive verification requests via email and direct messages. These tactics lead victims to credential and cookie harvesting pages hosted on Vercel, GitHub Pages, Netlify, and Firebase.

“This campaign focuses on compromising high-value business assets, including ad accounts, verified brand pages, and administrator-level access within the platform,” the company added.

These developments also align with an advisory from the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). The agency urges financial institutions to remain vigilant in detecting and reporting suspicious activity involving convertible virtual currency (CVC) kiosks to combat fraud and other illicit operations.

“Criminals are relentless in their efforts to steal money from victims, and they’ve learned to exploit innovative technologies like CVC kiosks,” said FinCEN Director Andrea Gacki. “The United States is committed to safeguarding the digital asset ecosystem for legitimate businesses and consumers, and financial institutions are a critical partner in that effort.”

Source: TheHackerNews
