3 Sources
[1]
Scammers Use AI to Mimic TikTok Shop Sellers to Steal Cash, Distribute Malware
Scammers are capitalizing on the popularity and name recognition of the TikTok Shop to pull off a "widespread, ongoing, malicious campaign" intended to steal crypto and your personal data. Threat actors are creating replicas of TikTok Shop profiles, complete with AI-generated videos, to trick users into thinking they are interacting with a legitimate seller, says cybersecurity firm CTM360. They also circulate fake ads on Facebook and TikTok that promise big discounts on products, but those ads redirect people to bogus versions of TikTok Wholesale and TikTok Mall. CTM360 found 10,000+ phony phishing URLs that "are used to lure users into depositing cryptocurrency on fraudulent storefronts, leveraging fake product listings and urgency tactics."

Another tactic sees scammers masquerading as a TikTok Shop affiliate management platform. People are encouraged to download an app that's actually designed to hijack accounts, steal sensitive information, and potentially enable persistent device compromise. "The threat actors distribute malicious App files through embedded download links and QR codes, with 5,000+ distinct App download sites detected thus far," CTM360 says.

The effort hinges on the ability to "exploit user trust in TikTok Shop's brand." If scammers can convince someone to download an app or log into a fake page, they can then distribute malware. In this case, it's SparkKitty, which is capable of harvesting data from both Android and iOS devices, HackerNews reports. Victims are asked to pay in cryptocurrency or deposit money into a fake on-site wallet, with promises of "future commission payouts or withdrawal bonuses that never materialize." The scammers also impersonate TikTok Shop login pages to steal user credentials and later hijack accounts.
"The core motive is fraudulent financial gain, exploiting the trust in online shopping, affiliate earnings, and the irreversibility of certain payment methods," says CTM360.

The report is a reminder to be wary of deals that seem too good to be true. Double-check URLs for anything that seems off; the scam sites are using free or low-cost top-level domains such as .top, .shop, and .icu. The official TikTok Shop and affiliate program are housed via tiktok.com and have strict guidelines; they're probably not going to be proactively reaching out and asking you to deposit money into a crypto wallet. Be careful with ads, too. Last month, a fake Starlink deal circulated on Facebook, baiting people with a cheap satellite dish to trick them into entering credit card information.
[2]
15,000 Fake TikTok Shop Domains Deliver Malware, Steal Crypto via AI-Driven Scam Campaign
Cybersecurity researchers have lifted the veil on a widespread malicious campaign that's targeting TikTok Shop users globally with an aim to steal credentials and distribute trojanized apps. "Threat actors are exploiting the official in-app e-commerce platform through a dual attack strategy that combines phishing and malware to target users," CTM360 said. "The core tactic involves a deceptive replica of TikTok Shop that tricks users into thinking they're interacting with a legitimate affiliate or the real platform."

The scam campaign has been codenamed ClickTok by the Bahrain-based cybersecurity company, calling out the threat actor's multi-pronged distribution strategy that involves Meta ads and artificial intelligence (AI)-generated TikTok videos that mimic influencers or official brand ambassadors. Central to the effort is the use of lookalike domains that resemble legitimate TikTok URLs. Over 15,000 such impersonated websites have been identified to date. The vast majority of these domains are hosted on top-level domains such as .top, .shop, and .icu.

These domains are designed to host phishing landing pages that either steal user credentials or distribute bogus apps that deploy a variant of a known cross-platform malware called SparkKitty that's capable of harvesting data from both Android and iOS devices. What's more, a chunk of these phishing pages lure users into depositing cryptocurrency on fraudulent storefronts by advertising fake product listings and heavy discounts. CTM360 said it identified no less than 5,000 URLs that are set up with an intent to download the malware-laced app by advertising it as TikTok Shop.

"The scam mimics legitimate TikTok Shop activity through fake ads, profiles, and AI-generated content, tricking users into engaging to distribute malware," the company noted. "Fake ads are widely circulated on Facebook and TikTok, featuring AI-generated videos that mimic real promotions to attract users with heavily discounted offers."
The fraudulent scheme operates with three motives in mind, although the end goal is financial gain, regardless of the illicit monetization strategy employed:

* Deceiving buyers and affiliate program sellers (creators who promote products in exchange for a commission on sales generated through the affiliate links) with bogus and discounted products and asking them to make payments in cryptocurrency
* Convincing affiliate participants to "top up" fake on-site wallets with cryptocurrency, under the promise of future commission payouts or withdrawal bonuses that never materialize
* Using fake TikTok Shop login pages to steal user credentials or instruct them to download trojanized TikTok apps

The malicious app, once installed, prompts the victim to enter their credentials using their email-based account, only for it to repeatedly fail in a deliberate attempt on the part of the threat actors to present them with an alternative login using their Google account. This approach is likely meant to bypass traditional authentication flows and weaponize the session token created using the OAuth-based method for unauthorized access without requiring in-app email validation. Should the logged-in victim attempt to access the TikTok Shop section, they are directed to a fake login page that asks for their credentials.

Also embedded within the app is SparkKitty, a malware that's capable of device fingerprinting and using optical character recognition (OCR) techniques to analyze screenshots in a user's photo gallery for cryptocurrency wallet seed phrases, and exfiltrating them to an attacker-controlled server.

The disclosure comes as the company also detailed another targeted phishing campaign dubbed CyberHeist Phish that's using Google Ads and thousands of phishing links to dupe victims searching for corporate online banking sites, redirecting them to seemingly benign pages that mimic the targeted banking login portal and are crafted to steal their credentials.
"This phishing operation is particularly sophisticated due to its evasive, selective nature and the threat actors' real-time interaction with the target to collect two-factor authentication on each stage of login, beneficiary creation and fund transfer," CTM360 said.

In recent months, phishing campaigns have also targeted Meta Business Suite users as part of a campaign called Meta Mirage that uses fake policy violation email alerts, ad account restriction notices, and deceptive verification requests distributed via email and direct messages to lead victims to credential and cookie harvesting pages hosted on Vercel, GitHub Pages, Netlify, and Firebase. "This campaign focuses on compromising high-value business assets, including ad accounts, verified brand pages, and administrator-level access within the platform," the company added.

These developments coincide with an advisory from the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN), urging financial institutions to be vigilant in identifying and reporting suspicious activity involving convertible virtual currency (CVC) kiosks in a bid to combat fraud and other illicit activities. "Criminals are relentless in their efforts to steal money from victims, and they've learned to exploit innovative technologies like CVC kiosks," said FinCEN Director Andrea Gacki. "The United States is committed to safeguarding the digital asset ecosystem for legitimate businesses and consumers, and financial institutions are a critical partner in that effort."
[3]
Hackers are using fake TikTok Shops to steal money and spread malware -- don't fall for this
Fake shops even include AI-generated videos to trick shoppers into clicking on dangerous links

Be wary of deals on TikTok Shops that seem too good to be true - they may be malware in disguise. As reported by PCMag, there's currently a campaign making the rounds online where scammers use AI to imitate TikTok sellers and stores in order to trick users into clicking on malicious links or to convince users to send them cryptocurrency.

Cybersecurity firm CTM360 issued a report that uncovered a widespread campaign where threat actors have been capitalizing on the trust that users have in the TikTok brand so that they can hijack accounts, steal money or personal data, or distribute malware. The threat actors are creating convincing replicas of TikTok Shop profiles, even including AI-generated videos, which makes users believe that they've landed on a legitimate page. The campaign is also circulating ads on Facebook and TikTok in which they promise unusually large discounts on products in order to tempt victims, as well as to redirect targets to fake versions of both TikTok Wholesale and TikTok Mall. CTM360 has found over 10,000 such fake URLs created to lure shoppers into giving up their login credentials or depositing cryptocurrency into fraudulent storefronts.

These threat actors have also leveraged the TikTok Shop affiliate management platform by creating a malicious app designed to take over accounts, steal personal information and even enable persistent device compromise. These bad apps are being distributed through embedded download links and QR codes; CTM360 says they have found more than 5,000 such download sites so far. According to The HackerNews, the malware that is being distributed through the malicious apps is SparkKitty, which can harvest data from either Android or iOS devices.
Victims of the fake affiliate program will be asked to pay in cryptocurrency or to deposit money into a fake on-site wallet and given promises that they will receive future commission payouts or bonuses which, of course, are never paid out.

When shopping online, it's good to follow a few hard and fast rules, and the first one is always: if it seems too good to be true, it almost certainly is. Be wary of any deals that use pressure or urgency in their tactics, making you feel like you need to act fast or putting an expiration date on a deal. Likewise, be suspicious of any site that doesn't take traditional payment methods and instead requests payment in gift cards or cryptocurrency wallets, sends you to iffy websites or links, or wants a bank account number or other banking information.

Double and triple check URLs to websites to see where they lead; scam sites will often use low-cost domains. In the case of this campaign, many of the sites are using domains that end in .top, .shop or .icu. Keep in mind that official shops and affiliate programs are unlikely to reach out to you proactively to ask you to deposit money. And be careful with advertisements, as fake deals are incredibly easy to circulate around social media and we've seen all sorts of malicious ads used in a number of campaigns in recent years.

Finally, you want to make sure you have one of the best antivirus programs installed on your computer. Not only can they keep you safe from malware and viruses, but many of them include features that will help protect you while browsing and shopping online, like a hardened browser, alerts that show up when you navigate to sites that have been reported as malicious, a firewall, or a VPN.
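The URL check that both the PCMag and Tom's Guide pieces recommend (the real TikTok Shop lives on tiktok.com, while the ClickTok lookalikes sit mostly on .top, .shop and .icu) can be turned into a triage rule for an ad-click or proxy log. The Python below is an added example, not code from CTM360 or either publication; the brand tokens, the TLD list and the sample URLs are constructed for illustration, and the registrable-domain logic is a naive last-two-labels approximation rather than a Public Suffix List lookup.

```python
from urllib.parse import urlsplit

# Assumptions (not from the reports): tiktok.com is the only legitimate
# registrable domain; the TLDs are those the reports say host most lookalikes.
OFFICIAL_DOMAINS = {"tiktok.com"}
BRAND_TOKENS = ("tiktok", "tik-tok")
CHEAP_TLDS = {"top", "shop", "icu"}


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Fine for .com/.top/.shop/.icu,
    wrong for multi-label suffixes such as co.uk (no Public Suffix List)."""
    return ".".join(host.split(".")[-2:])


def classify_url(url):
    """Return official, lookalike, idn_review, suspicious_tld, unrelated or invalid."""
    if "://" not in url:
        url = "http://" + url          # a bare hostname would otherwise parse as a path
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    try:
        host = host.encode("idna").decode("ascii")   # normalise IDN hosts to punycode
    except UnicodeError:
        return "invalid"
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return "official"
    # 'https://tiktok.com@evil.top/' puts the brand in the userinfo, not the host
    userinfo = (parts.username or "").lower()
    if any(tok in host or tok in userinfo for tok in BRAND_TOKENS):
        return "lookalike"             # brand name present, but not on tiktok.com
    if any(label.startswith("xn--") for label in host.split(".")):
        return "idn_review"            # punycode label: possible homoglyph of the brand
    if host.rsplit(".", 1)[-1] in CHEAP_TLDS:
        return "suspicious_tld"
    return "unrelated"


def triage(urls):
    """Map each URL to its verdict so a log can be bucketed in one pass."""
    return {u: classify_url(u) for u in urls}


# Constructed sample URLs for illustration only; none are real indicators.
SAMPLE_URLS = [
    "https://shop.tiktok.com/view/product/123",
    "https://tiktok.com@tiktok-affiliate-login.top/signin",
    "http://tiktokshop-wholesale.icu/app/download.apk",
    "https://tiktok.com.mall-deals.shop/",
    "https://cheap-satellite-dish.top/checkout",
    "https://example.org/",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict:15} {url}")
```

The two "lookalike" shapes worth noticing are the brand placed in the userinfo before the `@` and the brand used as a subdomain of an unrelated registrable domain; both look like tiktok.com to a casual glance and both are caught here.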
A widespread cybercrime operation is exploiting TikTok Shop's popularity using AI-generated content and fake domains to steal cryptocurrency and distribute malware.
Cybersecurity researchers have uncovered a widespread malicious campaign, codenamed "ClickTok," targeting TikTok Shop users globally. The operation, discovered by Bahrain-based cybersecurity firm CTM360, exploits the popularity and trust in TikTok's e-commerce platform to steal cryptocurrency and distribute malware [1].
Source: Tom's Guide
The scammers have deployed a multi-pronged strategy that includes:

* Fake ads on Facebook and TikTok (Meta ads) promising heavy discounts on products
* AI-generated TikTok videos that mimic influencers or official brand ambassadors
* Over 15,000 lookalike domains resembling legitimate TikTok URLs, most of them on .top, .shop and .icu
* Replica TikTok Shop profiles and bogus versions of TikTok Wholesale and TikTok Mall

These tactics are designed to trick users into believing they are interacting with genuine TikTok Shop sellers or affiliates [2].
The scam operates through several methods:

* Phishing landing pages that impersonate TikTok Shop login pages to steal credentials
* Fraudulent storefronts with fake product listings that take payment in cryptocurrency
* A trojanized TikTok app, advertised as TikTok Shop and distributed through embedded download links and QR codes on more than 5,000 sites
* A deliberately failing email login inside the trojanized app that steers victims to a Google login, so the resulting OAuth session token can be used without in-app email validation

SparkKitty, a cross-platform malware, can harvest data from both Android and iOS devices. It employs sophisticated techniques such as device fingerprinting and optical character recognition to analyze screenshots for cryptocurrency wallet seed phrases [2].
Source: The Hacker News
The cybercriminals employ various tactics to generate illicit gains:

* Deceiving buyers and affiliate sellers with bogus, heavily discounted products and demanding payment in cryptocurrency
* Convincing affiliate participants to "top up" fake on-site wallets with cryptocurrency in exchange for commission payouts or withdrawal bonuses that never materialize
* Stealing credentials through fake TikTok Shop login pages and hijacking accounts
* Harvesting cryptocurrency wallet seed phrases from gallery screenshots via SparkKitty

To avoid falling victim to these scams, experts recommend the following precautions:

* Treat deals that seem too good to be true, or that pressure you to act fast, as red flags
* Double-check URLs; the official TikTok Shop and affiliate program are hosted on tiktok.com, while the scam sites use low-cost TLDs such as .top, .shop and .icu
* Be suspicious of sites that only accept cryptocurrency or gift cards, or that ask for banking details
* Remember that official shops and affiliate programs will not proactively ask you to deposit money into a crypto wallet
* Be careful with social media ads, and keep reputable security software installed

The rise of such sophisticated scams has caught the attention of regulatory bodies. The U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) has issued an advisory urging financial institutions to be vigilant in identifying and reporting suspicious activities involving convertible virtual currency (CVC) kiosks [2].
As cybercriminals continue to exploit innovative technologies and popular platforms, the need for enhanced cybersecurity measures and user awareness becomes increasingly critical in safeguarding the digital asset ecosystem.
Summarized by
Navi