Security researchers have issued a warning about an ongoing hacking campaign, identified as ClickTok, which targets fake TikTok Shop login pages to harvest account passwords. The threat actors have, so far, been observed to have established 10,000 fake sites and 5,000 malicious apps during the campaign, which also distributes SparkKitty spyware to steal cryptocurrency wallets.
ClickTok Hackers Target TikTok Shop Customers
TikTok credential-stealing campaigns have been reported before, but ClickTok is deserving of your immediate attention as it adopts what the researchers called “a hybrid scam model” combining both phishing and malware specifically targeting the rapidly growing TikTok Shop customer base.
“The scam begins with the impersonation of TikTok’s commercial ecosystem, including TikTok Shop, TikTok Wholesale, and TikTok Mall,” the CTM360 security researchers said. These fake sites “closely mimic the official interface, deceiving users into thinking they’re interacting with the real platform.”
The CTM360 analysis, published August 5, revealed that the fake TikTok Shop sites are mostly using either free or very low-cost domains, including .top and .shop. But it’s not just these sites that are being used; ClickTok hackers have also distributed more than 5,000 malware-laden apps using a combination of malicious QR codes and embedded download links.
The researchers have warned that this scam campaign is “spreading on a global scale” and targeting users even beyond the 17 countries in which the TikTok Shop is officially available, which include the U.S. and U.K., along with countries in Europe and Asia.
Mitigating TikTok Shop Hack Attacks
Users are recommended to take the following mitigation measures:
- Do not download unknown software, especially that which has been modded or “cracked” from torrent sites or Telegram.
- Do verify the authenticity of the domain before entering any payment information. Make sure you are logging into the genuine site and not a fake by typing the known URL into your web browser yourself or by using the official TikTok app on your phone.
- Do report any suspicious TikTok content, including adverts and apps, using TikTok’s reporting tools.
- And finally, be sure to follow the advice found in the TikTok safety center.
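The domain check in the second point above can be automated on the defender side. The following is an added example, not code from the article or from CTM360: a small Python filter that a mail gateway or proxy could use to flag login URLs that carry the TikTok brand name outside the genuine domain, or that sit on the low-cost TLDs the researchers observed. The allow-list (tiktok.com only) and the naive registrable-domain heuristic are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumption: tiktok.com is the only legitimate registrable domain for the
# TikTok Shop login; extend this set from the vendor's own guidance.
OFFICIAL_DOMAINS = {"tiktok.com"}
# Brand string the campaign impersonates (TikTok Shop / Wholesale / Mall all
# contain it, so one term covers the variants named in the article).
BRAND = "tiktok"
# Free or very low-cost TLDs the article says most fake sites use.
SUSPICIOUS_TLDS = {"top", "shop"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Naive on purpose: a production
    filter should use the Public Suffix List instead (e.g. co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_login_url(url: str) -> tuple[str, list[str]]:
    """Classify a URL as 'official', 'suspicious', 'unrelated' or 'invalid'
    and return the reasons a suspicious verdict was reached."""
    if "://" not in url:            # bare "tiktok.com/login" style input
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid", ["no hostname in URL"]

    reg = registrable_domain(host)
    if reg in OFFICIAL_DOMAINS:     # any subdomain of the real domain is fine
        return "official", []

    reasons = []
    # Strip dots and hyphens so "tik-tok.top" and "tiktok.com.evil.shop"
    # are both caught by a plain substring test.
    flat = host.replace("-", "").replace(".", "")
    if BRAND in flat:
        reasons.append(f"brand name '{BRAND}' in a non-official domain")
    tld = reg.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        reasons.append(f"low-cost TLD .{tld} used by the campaign")

    return ("suspicious", reasons) if reasons else ("unrelated", [])


if __name__ == "__main__":
    # Constructed sample URLs, not indicators from the report.
    for u in ("https://www.tiktok.com/login", "https://tiktok-shop.top/login",
              "https://tiktok.com.evil.shop/", "https://example.org/"):
        print(u, "->", check_login_url(u))
```

A TLD hit alone is a weak signal, so in practice the brand-name reason is the one worth alerting on; the TLD reason mainly raises the priority of a hit.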
“This particular attack shows how technical attacks are more often than not blended with social engineering tactics to exploit our trust in brands,” Javvad Malik, lead security awareness advocate at KnowBe4, said. “It serves as a reminder that individuals and organisations need to remain skeptical of offers that appear too good to be true and verify websites before entering credentials.”
I have reached out for a statement regarding the TikTok Shop ClickTok attacks and will update this article in due course.