The “ClickTok” campaign is a sophisticated, global operation that uses a multi-pronged approach to deceive users of TikTok Shop. Threat actors employ a clever dual strategy of phishing and malware, using AI-generated videos and fake ads on platforms like Meta to create a sense of legitimacy. The core of the scam is a deceptive replica of the official TikTok Shop platform, designed to trick users into believing they are interacting with a genuine affiliate or the real site. This campaign is highly coordinated, with cybersecurity researchers identifying more than 15,000 impersonated websites that mimic legitimate TikTok URLs. These fake sites are designed to either steal user credentials directly or distribute malicious apps.
The scam’s creators use lookalike domains, often with top-level domains like .top, .shop, and .icu, to host their phishing pages. These pages are designed to steal user credentials or, even more dangerously, distribute trojanized apps. The apps are laced with a cross-platform malware called SparkKitty, which is capable of harvesting sensitive data from both Android and iOS devices. The attackers also lure victims into depositing cryptocurrency on fraudulent storefronts by advertising fake products with heavy discounts. This allows the threat actors to not only steal login credentials but also directly siphon funds from unsuspecting users.
The “ClickTok” campaign has three primary goals, all of which are driven by financial gain. First, the scammers deceive buyers and affiliate program sellers with fake discounted products, urging them to make payments in cryptocurrency. Second, they convince affiliate participants to “top up” fake on-site wallets with cryptocurrency, promising future payouts or bonuses that never materialize. Finally, the attackers use fake TikTok Shop login pages to steal user credentials. When victims download the malicious app, they are prompted to enter their login information, which the app then captures. The app also attempts to bypass traditional authentication by using an OAuth-based method to weaponize session tokens, allowing for unauthorized access without traditional email validation.
Once the malware-laced app is installed, the SparkKitty malware gets to work.
This sophisticated malware can perform device fingerprinting to identify the victim’s device. It also uses optical character recognition (OCR) techniques to scan and analyze screenshots in a user’s photo gallery, specifically looking for cryptocurrency wallet seed phrases. These seed phrases, which are essentially the master keys to a crypto wallet, are then exfiltrated to a server controlled by the attackers. This highly targeted approach highlights the attackers’ focus on financial theft, as a single stolen seed phrase can give them complete access to a victim’s cryptocurrency holdings.
This elaborate campaign against TikTok Shop users is not an isolated incident. Cybersecurity firms have also recently detailed other sophisticated phishing operations. The CyberHeist Phish campaign, for example, uses Google Ads and thousands of phishing links to redirect victims searching for corporate online banking sites to fake login portals to steal their credentials. Another campaign, Meta Mirage, targets Meta Business Suite users with fake email alerts and deceptive verification requests to compromise high-value business assets like ad accounts and verified brand pages. These reports, along with advisories from government agencies like the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), underscore a growing trend of criminals using innovative and sophisticated methods to exploit digital platforms and steal financial assets.
Reference:
