
Beware: 15,000 Fake TikTok Shop Domains Spread Malware and Crypto Theft in AI-Driven Scam

Cybersecurity researchers have exposed a significant malicious campaign targeting TikTok Shop users worldwide, aiming to steal their credentials and distribute tainted applications. This scheme, dubbed ClickTok, employs a dual strategy of phishing and malware to deceive users into believing they are interacting with the authentic TikTok Shop.

The threat actors have crafted fake versions of TikTok Shop, leading victims to think they are engaging with legitimate affiliates or the actual platform. Central to this strategy is the deployment of imitation domains resembling TikTok URLs, with over 15,000 counterfeit websites discovered so far. Most of these domains are found on common top-level domains like .top, .shop, and .icu.
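A defender can hunt for this pattern in web proxy or DNS logs. The sketch below is an added example, not code from CTM360 or the original article: it flags hosts that embed "tiktok" or a one-character misspelling of it outside an allowlisted domain, and marks those on the TLDs named above. The allowlist, the log format and the sample hostnames are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

CAMPAIGN_TLDS = {"top", "shop", "icu"}   # TLDs the article names
LEGIT_DOMAINS = {"tiktok.com"}           # assumption: your allowlist of genuine domains
BRAND = "tiktok"

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_like(label):
    """True if the label contains the brand or a one-character misspelling of it."""
    s, n = label.replace("-", ""), len(BRAND)
    return any(edit_distance(s[i:i + n], BRAND) <= 1
               for i in range(max(1, len(s) - n + 1)))

def classify(url):
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Naive registrable domain (last two labels); use a public-suffix list in production.
    if ".".join(labels[-2:]) in LEGIT_DOMAINS:
        return "legit"
    if not any(brand_like(l) for l in labels[:-1]):
        return "unrelated"
    return "suspect-campaign-tld" if labels[-1] in CAMPAIGN_TLDS else "suspect"

def scan(log_lines):
    """Return (client, url, verdict) for every request to a brand look-alike host."""
    hits = []
    for line in log_lines:
        _ts, client, _method, url, _status = line.split()
        verdict = classify(url)
        if verdict.startswith("suspect"):
            hits.append((client, url, verdict))
    return hits

# Constructed proxy log lines; the hostnames are invented, not observed indicators.
SAMPLE_LOG = [
    "2025-08-05T10:00:01Z 10.0.0.5 GET https://shop.tiktok.com/view/product 200",
    "2025-08-05T10:00:07Z 10.0.0.9 GET https://tiktokshop-deals.top/login 200",
    "2025-08-05T10:01:12Z 10.0.0.9 GET http://tikt0k-mall.icu/app.apk 200",
    "2025-08-05T10:02:30Z 10.0.0.7 GET https://tiktok.com.seller-verify.shop/ 200",
    "2025-08-05T10:03:44Z 10.0.0.7 GET https://tiktok-seller-help.net/ 200",
    "2025-08-05T10:04:02Z 10.0.0.5 GET https://www.example.org/news 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Treat a hit as a lead for triage rather than a verdict: the brand string can appear in legitimate third-party hostnames, so the allowlist needs tuning per environment.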

These impersonated websites host phishing pages intended to either extract user credentials or spread deceptive apps embedding a variant of the well-known cross-platform malware called SparkKitty, which can harvest data from both Android and iOS devices. Moreover, many of these phishing sites encourage users to deposit cryptocurrency on fraudulent online storefronts by advertising fake product deals and enticing discounts.

CTM360 reported discovering around 5,000 URLs dedicated to downloading a malware-infested version of the TikTok Shop app. The campaign capitalizes on authentic TikTok Shop activity via fictitious ads, profiles, and AI-generated content that lure users into clicking and spreading the malware.

The malicious app repeatedly prompts victims to enter their TikTok credentials, and the login often fails. The aim is to trick victims into using alternative logins through their Google accounts, potentially compromising their login sessions without traditional email validation. If victims attempt to log into TikTok Shop, they are diverted to a fake login page demanding their credentials again.

Additionally, the SparkKitty malware, which is embedded within the app, utilizes device fingerprinting and optical character recognition (OCR) techniques to scour the user’s photo library for cryptocurrency wallet seed phrases, eventually sending this sensitive data to an attacker-controlled server.

This disclosure coincides with another significant phishing operation called CyberHeist Phish, which employs Google Ads and a multitude of phishing links to mislead victims searching for corporate online banking portals, redirecting them to fraudulent pages crafted to steal their login details.

CTM360 describes this phishing operation as sophisticated, using selective tactics and real-time interactions with targets to gather two-factor authentication data throughout the login processes.

Recent phishing campaigns have also focused on users of Meta Business Suite in an operation labeled Meta Mirage, in which fake policy violation alerts and ad account restriction notices are sent via email to harvest user credentials.

In light of these developments, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) has issued a warning for financial institutions to remain vigilant against suspicious activities involving convertible virtual currency kiosks, underscoring the ongoing efforts of criminals to exploit emerging technologies for theft.

FinCEN Director Andrea Gacki emphasized the government’s commitment to securing the digital asset ecosystem, enlisting financial institutions as vital partners in this endeavor.

