“Cybersecurity Researchers Uncover Widespread Threat, Warn of Sophisticated Phishing Tactics”

Cybersecurity researchers have lifted the veil on a widespread malicious campaign that’s targeting TikTok Shop users globally with an aim to steal credentials and distribute trojanized apps. The threat, dubbed “ClickTok” by the Bahrain-based cybersecurity company CTM360, involves a dual attack strategy that combines phishing and malware to target users.
To date, the scam campaign has been found to use more than 15,000 impersonated websites designed to look like legitimate TikTok URLs, hosted on top-level domains such as .top, .shop, and .icu. These domains serve phishing landing pages that either steal user credentials or distribute bogus apps carrying a variant of a known cross-platform malware called SparkKitty, which is capable of harvesting data from both Android and iOS devices.
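The lookalike-domain pattern described above can be turned into a simple log check. The following Python is an added defensive example, not part of the original article and not CTM360's tooling: it parses constructed proxy log lines, flags hostnames that carry the brand string "tiktok" outside the one registrable domain it assumes to be legitimate (tiktok.com), and raises the score when the TLD is one of those the article names (.top, .shop, .icu). The log format, the allowlist, and the scoring weights are all assumptions for illustration.

```python
"""Flag TikTok-lookalike hostnames in proxy logs (added defensive example)."""
import re
from urllib.parse import urlsplit

# Assumption: the only legitimate registrable domain accepted for the brand.
ALLOWED_DOMAINS = {"tiktok.com"}
BRAND = "tiktok"
# TLDs the article reports the impersonation sites being hosted on.
RISKY_TLDS = {"top", "shop", "icu"}

# Constructed sample proxy log lines (timestamp, client IP, URL); not real traffic.
SAMPLE_LOG = """\
2025-08-01T10:01:02Z 10.0.0.5 https://www.tiktok.com/@someone/video/1
2025-08-01T10:01:09Z 10.0.0.7 http://tiktok-shop-login.top/signin
2025-08-01T10:02:15Z 10.0.0.9 https://shop.tiktok.icu/app/download.apk
2025-08-01T10:03:40Z 10.0.0.5 https://example.com/tiktok
2025-08-01T10:04:01Z 10.0.0.8 https://tiktokshop-official.shop/
2025-08-01T10:05:22Z 10.0.0.3 https://login.tiktok.com.verify-account.top/
"""


def registrable_domain(host):
    """Last two labels of the host (simplification: ignores multi-part suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host):
    """Return (score, reasons); score 0 means no brand-impersonation signal."""
    host = host.lower()
    reasons = []
    reg = registrable_domain(host)
    if reg in ALLOWED_DOMAINS or BRAND not in host:
        return 0, reasons
    reasons.append(f"brand string '{BRAND}' in hostname but registrable domain is {reg}")
    score = 1
    tld = host.rsplit(".", 1)[-1]
    if tld in RISKY_TLDS:
        reasons.append(f"TLD .{tld} is one reported for the campaign")
        score += 1
    # Brand glued to other words with '-' or '.' (tiktok-shop, tiktok.com.verify...) is typical of lookalikes.
    if re.search(rf"{BRAND}[-.]|[-.]{BRAND}", host):
        reasons.append("brand joined to other labels with '-' or '.'")
        score += 1
    return score, reasons


def scan_log(text):
    """Parse log lines and return flagged (url, score, reasons) tuples, highest score first."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the assumed three-field format
        url = parts[2]
        host = urlsplit(url).hostname or ""
        score, reasons = classify_host(host)
        if score:
            findings.append((url, score, reasons))
    findings.sort(key=lambda f: f[1], reverse=True)
    return findings


if __name__ == "__main__":
    for url, score, reasons in scan_log(SAMPLE_LOG):
        print(f"[{score}] {url}: " + "; ".join(reasons))
```

The check is deliberately a heuristic: it produces a ranked list for an analyst rather than a block decision, and the two-label approximation of the registrable domain should be replaced with a public-suffix-list lookup before use on real traffic.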
One of the most insidious tactics employed by the threat actors is the use of AI-generated TikTok videos that mimic influencers or official brand ambassadors to lure users into interacting with the fake platforms. The scam mimics legitimate TikTok Shop activity through fake ads, profiles, and AI-generated content, tricking users into engaging with content that leads to the malware.
CTM360 has identified at least 5,000 URLs set up to deliver the malware-laced app by advertising it as TikTok Shop. Once installed, the app prompts the victim to sign in with their email-based account; the login deliberately fails repeatedly so that the victim is steered toward an alternative login using their Google account.
The malicious app also contains the SparkKitty malware, which is capable of fingerprinting the device, using optical character recognition (OCR) to scan screenshots in the user's photo gallery for cryptocurrency wallet seed phrases, and exfiltrating them to an attacker-controlled server.
The disclosure comes as CTM360 also detailed another targeted phishing campaign, dubbed CyberHeist Phish, which uses Google Ads and thousands of phishing links to dupe victims searching for corporate online banking sites. Victims are redirected to seemingly benign pages that mimic the targeted bank's login portal and are crafted to steal their credentials.
This phishing operation is particularly sophisticated because of its evasive, selective nature and the threat actors' real-time interaction with the target to collect two-factor authentication codes at each stage: login, beneficiary creation, and fund transfer.
The developments coincide with an advisory from the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), urging financial institutions to be vigilant in identifying and reporting suspicious activity involving convertible virtual currency (CVC) kiosks in a bid to combat fraud and other illicit activities.
“Criminals are relentless in their efforts to steal money from victims, and they’ve learned to exploit innovative technologies like CVC kiosks,” said FinCEN Director Andrea Gacki. “The United States is committed to safeguarding the digital asset ecosystem for legitimate businesses and consumers, and financial institutions are a critical partner in that effort.”