Over 15,000 Fake TikTok Shop Domains Steal Credentials and Crypto in AI-Driven Scam Campaign

Cybersecurity researchers have uncovered a widespread scam targeting TikTok Shop users worldwide. The campaign, which aims to steal personal credentials and distribute malicious apps, is using a combination of phishing and malware attacks.

The campaign, named FraudOnTok, was detailed by CTM360, a cybersecurity company based in Bahrain. The attack targets users by creating fake versions of TikTok Shop to trick them into thinking they are interacting with a legitimate platform. These fake websites use AI-generated TikTok videos and even fake ads to mimic popular influencers or brand ambassadors.

Fake Websites and Phishing Pages

At the heart of the scam is a large network of fake websites whose hostnames closely resemble legitimate TikTok URLs. More than 15,000 of these fake domains have been identified so far. Many of them are registered under the .top, .shop, and .icu top-level domains (TLDs) to trick users.
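A lookalike-domain triage check a defender could run over DNS or proxy logs, written here as an added example (not code from CTM360 or the report): it flags hostnames that carry the brand name or a one-character typosquat of it and are not under the real tiktok.com, and raises the score further when the TLD is one of the three the campaign is reported to use. The sample hostnames, the `LEGIT_DOMAIN` value and the edit-distance threshold are assumptions, not indicators from the report.

```python
# Heuristic triage for TikTok Shop lookalike hostnames (added example, not the report's code).
BRAND = "tiktok"
# TLDs the article reports the campaign using; extend from your own telemetry.
SUSPECT_TLDS = {"top", "shop", "icu"}
# Assumption: the platform's real domain; anything under it is treated as legitimate.
LEGIT_DOMAIN = "tiktok.com"

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats such as 'tiktk'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(host: str) -> list[str]:
    """Return the reasons a hostname looks like a TikTok lookalike (empty = clean)."""
    host = host.lower().rstrip(".")
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return []
    labels = host.split(".")
    tld = labels[-1]
    # Split every non-TLD label on hyphens so 'tiktk-seller' yields the token 'tiktk'.
    tokens = [t for label in labels[:-1] for t in label.split("-")]
    reasons = []
    for tok in tokens:
        if BRAND in tok:
            reasons.append(f"brand keyword in '{tok}'")
            break
        if levenshtein(tok, BRAND) <= 1:
            reasons.append(f"typosquat of '{BRAND}': '{tok}'")
            break
    # A brand hit combined with one of the campaign's TLDs is a stronger signal.
    if reasons and tld in SUSPECT_TLDS:
        reasons.append(f"suspect TLD .{tld}")
    return reasons

def triage(hosts: list[str]) -> dict[str, list[str]]:
    """Map each flagged hostname to its reasons; clean hosts are omitted."""
    return {h: r for h in hosts if (r := assess(h))}

# Constructed sample hostnames for demonstration, not indicators from the report.
SAMPLE_HOSTS = ["shop.tiktok.com", "tiktok-shop-deals.top", "login.tiktok.shop",
                "tiktk-seller.icu", "example.org", "tiktok.example.com"]

if __name__ == "__main__":
    for host, why in triage(SAMPLE_HOSTS).items():
        print(f"{host}: {'; '.join(why)}")
```

The last-two-labels logic has no public-suffix handling, so treat a hit as a lead for analyst review rather than an automatic block.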

These websites are used to either:

  • Steal login credentials via fake TikTok login pages.
  • Distribute harmful apps that install a version of malware called SparkKitty. This malware can steal data from both Android and iOS devices.

The scam also tricks users into depositing cryptocurrency into fraudulent accounts by advertising fake product listings and huge discounts.

How the Scam Works

The scam operates through three main goals:

  1. Deceiving buyers and sellers (TikTok affiliate creators) by offering fake discounted products and asking for cryptocurrency payments.
  2. Convincing people to deposit cryptocurrency into fake wallets, promising future rewards or commissions that never come.
  3. Stealing credentials by using fake TikTok login pages or getting users to download the malware-infected TikTok app.

Once the malware is installed, it asks users to log in with their email. When that fails, the app tries to get them to log in via their Google account. This trick is designed to bypass security checks and give attackers unauthorized access to users’ accounts.

Malware in the App

The fake app contains SparkKitty, a malicious program that can:

  • Fingerprint devices to gather information about the user.
  • Use optical character recognition (OCR) to scan photos on a victim’s phone, looking for cryptocurrency wallet information like wallet seed phrases. These are then stolen and sent to attackers.

Related Phishing Campaigns

This discovery comes shortly after another phishing campaign called CyberHeist Phish was found. This attack uses Google Ads and fake login pages to target people searching for corporate banking sites. It is sophisticated, allowing attackers to steal not only login credentials but also two-factor authentication (2FA) details during login and financial transactions.

Additionally, another campaign called Meta Mirage is targeting Meta Business Suite users with fake policy violation alerts and other deceptive notices to harvest credentials. These attacks focus on high-value assets like ad accounts and verified brand pages.

Financial Sector Alerts

The findings coincide with a warning from the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), urging financial institutions to stay alert to suspicious activities involving convertible virtual currency (CVC) kiosks. These kiosks are being used by criminals to help carry out fraud and other illegal activities.

FinCEN Director Andrea Gacki emphasized the importance of protecting the digital asset ecosystem and keeping criminals from exploiting technologies for illicit purposes.