AI-Driven TikTok Scam Uses Fake Shops to Spread Malware

Cybersecurity researchers have lifted the veil on a widespread malicious campaign targeting TikTok Shop users globally, aiming to steal credentials and distribute trojanized apps.
“Threat actors are exploiting the official in-app e-commerce platform through a dual attack strategy that combines phishing and malware to target users,” CTM360 said. “The core tactic involves a deceptive replica of TikTok Shop that tricks users into thinking they’re interacting with a legitimate affiliate or the real platform.”
The Bahrain-based cybersecurity company has codenamed the scam campaign ClickTok. It highlights the threat actor’s multi-pronged distribution strategy, which involves Meta ads and artificial intelligence (AI)-generated TikTok videos that mimic influencers or official brand ambassadors.
Core Tactics: Lookalike Domains and Malware
Central to the effort is the use of lookalike domains that resemble legitimate TikTok URLs. Over 15,000 such impersonated websites have been identified to date, with the vast majority hosted on .top, .shop, and .icu top-level domains.
These domains host phishing landing pages designed to either steal user credentials or distribute bogus apps. These apps deploy a variant of a known cross-platform malware called SparkKitty, which is capable of harvesting data from both Android and iOS devices.
What’s more, a significant number of these phishing pages lure users into depositing cryptocurrency on fraudulent storefronts by advertising fake product listings and heavy discounts. CTM360 identified at least 5,000 URLs set up to download the malware-laced app by advertising it as the official TikTok Shop.
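As an added defensive illustration (not code from CTM360 or the original article), this Python heuristic flags hostnames in proxy logs that impersonate the TikTok brand, rating hits on the .top, .shop and .icu TLDs named above as higher confidence; the allowlist, homoglyph table and log lines are assumptions.

```python
import re
from urllib.parse import urlsplit

BRAND = "tiktok"
SUSPECT_TLDS = {"top", "shop", "icu"}          # TLDs the report names as hosting most lookalikes
LEGIT_DOMAINS = {"tiktok.com", "tiktokv.com"}  # assumed allowlist; extend for your environment
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "|": "l", "7": "t"})  # common digit-for-letter swaps

SAMPLE_PROXY_LOG = [  # constructed proxy log lines (time, user, method, URL), not real traffic
    "2025-08-01T10:00:01Z user1 GET https://shop.tiktok.com/seller",
    "2025-08-01T10:00:07Z user2 GET https://tiktok-shop-deals.top/login",
    "2025-08-01T10:00:09Z user3 GET https://t1ktokshop.icu/app.apk",
    "2025-08-01T10:00:12Z user4 GET https://tiktok.com.verify-account.shop/",
    "2025-08-01T10:00:15Z user5 GET https://tiktokk.net/promo",
    "2025-08-01T10:00:20Z user6 GET https://example.com/",
]

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(url):
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").rstrip(".").lower()

def brand_hit(host):
    """True if any hostname chunk holds a substring within one edit of the brand name."""
    n = len(BRAND)
    for chunk in re.split(r"[.\-_]", host.translate(HOMOGLYPHS)):
        windows = [chunk[i:i + w] for w in (n - 1, n, n + 1)
                   for i in range(max(1, len(chunk) - w + 1))]
        if any(levenshtein(win, BRAND) <= 1 for win in windows):
            return True
    return False

def classify(url):
    """None for allowlisted or unrelated hosts, else 'high'/'medium' lookalike confidence."""
    host = host_of(url)
    parts = host.split(".")
    domain, tld = ".".join(parts[-2:]), parts[-1]
    if len(parts) < 2 or domain in LEGIT_DOMAINS or not brand_hit(host):
        return None
    return "high" if tld in SUSPECT_TLDS else "medium"

def triage(log_lines):
    urls = [line.split()[-1] for line in log_lines]
    return [(host_of(u), classify(u)) for u in urls if classify(u)]
```

Brand names in a subdomain of an unrelated registrable domain (the fourth sample line) are caught because the check walks every label, not only the second-level one.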
“The scam mimics legitimate TikTok Shop activity through fake ads, profiles, and AI-generated content, tricking users into engaging to distribute malware,” the company noted. “Fake ads are widely circulated on Facebook and TikTok, featuring AI-generated videos that mimic real promotions to attract users with heavily discounted offers.”
Anatomy of the Fraudulent Scheme
The fraudulent scheme operates with three primary motives, although the ultimate goal is always financial gain:
- Deceiving buyers and affiliate sellers with bogus products and asking them to make payments in cryptocurrency.
- Convincing affiliate participants to “top up” fake on-site wallets with cryptocurrency, under the promise of commission payouts or withdrawal bonuses that never materialize.
- Using fake TikTok Shop login pages to steal user credentials or instructing them to download trojanized TikTok apps.
Once installed, the malicious app prompts the victim to enter their credentials. This process repeatedly fails, deliberately guiding them to use an alternative login with their Google account. This approach likely aims to bypass traditional authentication and weaponize the OAuth-based session token for unauthorized access. If the victim tries to access the TikTok Shop section, they are redirected to another fake login page to steal their credentials.
Embedded within the app is SparkKitty, a malware that can fingerprint the device and use optical character recognition (OCR) to scan a user’s photo gallery for cryptocurrency wallet seed phrases, which are then exfiltrated to an attacker-controlled server.
Broader Phishing Trends
This disclosure comes as CTM360 also detailed another phishing campaign, dubbed CyberHeist Phish. It uses Google Ads and thousands of phishing links to dupe victims searching for corporate online banking sites, redirecting them to pages that mimic the targeted bank’s login portal to steal credentials.
“This phishing operation is particularly sophisticated due to its evasive, selective nature and the threat actors’ real-time interaction with the target to collect two-factor authentication on each stage of login, beneficiary creation and fund transfer,” CTM360 said.
In recent months, phishing campaigns have also targeted Meta Business Suite users in a campaign called Meta Mirage. This operation uses fake policy violation alerts and ad account restriction notices to lead victims to credential and cookie harvesting pages.
These developments coincide with an advisory from the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), urging financial institutions to be vigilant against fraud involving convertible virtual currency (CVC) kiosks.