
Cybersecurity researchers have uncovered a wide range of malicious campaigns targeting TikTok Shop users worldwide with the aim of stealing credentials and distributing trojanized apps.
“Threat actors are leveraging the official in-app e-commerce platform through dual attack strategies targeting phishing and malware,” CTM360 said. “The core tactics include deceptive replicas of TikTok Shop that make users think they are interacting with legitimate affiliates and real platforms.”
The fraud campaign, codenamed ClickTok by the Bahrain-based cybersecurity company, relies on a multifaceted distribution strategy in which threat actors impersonate influencers or official brand ambassadors through Meta ads and artificial intelligence (AI)-generated content.
At the core of the effort is the use of domains that look similar to legitimate TikTok URLs. To date, over 15,000 such spoofed websites have been identified, most of them hosted on top-level domains such as .top, .shop, and .icu.
These domains are designed either to steal user credentials, to deploy a variant of the known cross-platform malware SparkKitty, which can harvest data from both Android and iOS devices, or to host phishing landing pages that distribute fake apps.
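A defender reading the paragraph above will want a quick way to surface lookalike domains in DNS or proxy logs. The following is an added example, not CTM360's tooling or anything from the report: it flags hostnames whose labels contain the brand string or sit within one edit of it, and notes when the TLD is one of those the article names. The brand list, the allowlist of legitimate domains, and the sample log lines are all constructed for illustration, and the label split is deliberately naive (it ignores country-code second-level domains and IDN homographs).

```python
"""Flag brand-lookalike domains in constructed log lines (added example).

Heuristics (assumptions for illustration, not a vendor's detection logic):
  * a hostname label contains a brand label, or
  * a hostname label is within MAX_EDITS edits of a brand label,
with the reason annotated when the TLD is one the article associates
with the campaign.
"""
import re
from typing import List, Optional, Tuple

BRAND_LABELS = ("tiktok", "tiktokshop")          # constructed brand list
LEGIT_DOMAINS = {"tiktok.com"}                   # constructed allowlist
SUSPICIOUS_TLDS = {"top", "shop", "icu"}         # TLDs named in the article
MAX_EDITS = 1


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance via a rolling two-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def flag_lookalike(domain: str) -> Optional[str]:
    """Return a human-readable reason if the domain looks like a brand spoof."""
    d = domain.lower().strip(".")
    if d in LEGIT_DOMAINS or any(d.endswith("." + legit) for legit in LEGIT_DOMAINS):
        return None                                # genuine domain or subdomain
    labels = d.split(".")
    if len(labels) < 2:
        return None
    tld, name_labels = labels[-1], labels[:-1]
    reason = None
    for label in name_labels:
        for brand in BRAND_LABELS:
            if brand in label:
                reason = f"label '{label}' contains '{brand}'"
                break
            if levenshtein(label, brand) <= MAX_EDITS:
                reason = f"label '{label}' is within {MAX_EDITS} edit(s) of '{brand}'"
                break
        if reason:
            break
    if reason is None:
        return None
    if tld in SUSPICIOUS_TLDS:
        reason += f"; TLD .{tld} is among those the campaign favours"
    return reason


# Constructed DNS-style log lines; not real telemetry.
SAMPLE_LOG = [
    "2025-08-01T10:00:01Z client=10.0.0.5 query=tiktok.com",
    "2025-08-01T10:00:02Z client=10.0.0.5 query=tiktokshop-deals.top",
    "2025-08-01T10:00:03Z client=10.0.0.7 query=tiktk.icu",
    "2025-08-01T10:00:04Z client=10.0.0.7 query=example.com",
    "2025-08-01T10:00:05Z client=10.0.0.9 query=tiktok.shop",
]

QUERY_RE = re.compile(r"query=(\S+)")


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (domain, reason) pairs for every flagged query in the log."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        reason = flag_lookalike(m.group(1))
        if reason:
            hits.append((m.group(1), reason))
    return hits


if __name__ == "__main__":
    for domain, reason in scan_log(SAMPLE_LOG):
        print(f"{domain}: {reason}")
```

Tune MAX_EDITS with care: one edit catches the `tiktk` style of typosquat without flooding a SOC queue, while a larger value starts matching unrelated short labels. In production this belongs behind an allowlist of the brand's real domains and a newly-registered-domain feed rather than a static TLD set.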

Some of these phishing pages additionally lure victims into depositing cryptocurrency in fraudulent stores by promoting fake product listings and huge discounts. CTM360 said it has identified over 5,000 URLs, advertised as TikTok Shop, set up with the intention of getting users to download malware-laced apps.
“We believe that the scam mimics legitimate TikTok Shop activities through fake ads, profiles and AI-generated content, and users are involved in the distribution of malware,” the company said. “Fake ads are widely distributed on Facebook and TikTok, with videos mimicking real promotions and attracting users with significantly reduced offers.”

The fraudulent scheme operates with three motivations in mind, but the ultimate goal is financial gain regardless of the illicit monetization strategy employed.
It targets buyers with discounted products, affiliate program sellers (creators who promote products in exchange for sales commissions generated through affiliate links) with promises of future commissions, and affiliate participants with fake agreements that instruct them to download a trojanized TikTok app.
Once installed, the malicious app prompts the victim to enter their credentials using an email-based account. This attempt fails repeatedly, at which point the threat actor presents login with a Google account as an alternative.
This approach aims to bypass traditional authentication flows and weaponize session tokens created through OAuth-based methods for unauthorized access, without the need for in-app email verification. If a logged-in victim attempts to access the TikTok Shop section, they are directed to a fake login page requesting their credentials.
Also embedded in the app is SparkKitty, malware that uses device fingerprinting and optical character recognition (OCR) to scan screenshots in the user's photo gallery for cryptocurrency wallet seed phrases and send them to attacker-controlled servers.
The disclosure comes as CTM360 also detailed another targeted phishing campaign called Cyberheist Phish, which uses Google Ads and thousands of phishing links to dupe victims searching for a corporate online banking site: it mimics the targeted bank's login portal and redirects them to pages created to steal credentials.
“This phishing operation is particularly sophisticated due to its evasive and selective nature and its real-time interaction with targets, collecting two-factor authentication at each stage of login, beneficiary creation, and fund transfer,” CTM360 said.

Over the past few months, phishing campaigns have also targeted Meta Business Suite users as part of a campaign called MetaMirage, which uses fake policy violation email alerts, ad account restriction notifications, and deceptive verification requests, distributed via email and direct messages, to lead victims to credential- and cookie-harvesting pages.
“The campaign focuses on eroding high-value business assets, including advertising accounts, verified brand pages and admin-level access within the platform,” the company added.
These developments coincide with an advisory from the US Treasury Department's Financial Crimes Enforcement Network (FinCEN), which encourages financial institutions to identify and report suspicious activity involving convertible virtual currency (CVC) kiosks in order to combat fraud and other illicit activities.
“Criminals have been relentless in their efforts to steal money from victims and have learned to exploit innovative technologies like CVC kiosks,” said Andrea Gacki, director of FinCEN. “The United States is committed to protecting the digital asset ecosystem for legitimate businesses and consumers, and financial institutions are key partners in these efforts.”