Over 10,000 Malicious TikTok Shop Domains Target Users with Malware and Credential Theft

Cybersecurity firm CTM360 has uncovered an ongoing malicious operation dubbed “ClickTok,” specifically targeting TikTok Shop users worldwide through a dual-pronged strategy of phishing and malware deployment.

This campaign leverages deceptive replicas of TikTok’s official in-app e-commerce platform, impersonating affiliates and legitimate interfaces to ensnare both end-users (buyers) and participants in the TikTok Shop Affiliate Program.

Threat actors employ advanced tactics, including fake Meta advertisements and AI-generated TikTok videos that emulate influencers or brand ambassadors, to distribute phishing links and trojanized applications.

By registering lookalike domains that mimic authentic TikTok URLs, often using low-cost top-level domains such as .top, .shop, and .icu, the attackers host over 10,000 impersonated websites to date, extending beyond TikTok Shop to fraudulent versions of TikTok Wholesale and TikTok Mall.

These domains facilitate credential theft via phishing pages and the dissemination of malicious apps, which embed a variant of the SparkKitty spyware for extensive data exfiltration from compromised devices.

Malicious app installs on iOS by spoofing UI prompts to bypass security and gain permissions.

The campaign’s global reach surpasses TikTok Shop’s official availability in 17 countries, including the UK, US, Indonesia, and various European and Asian markets, rapidly expanding to exploit users in unrestricted regions through embedded download links, QR codes, and over 5,000 distinct app distribution sites.

Phishing Templates

CTM360’s analysis reveals the campaign’s sophisticated architecture, mapped to a Scam Navigator framework inspired by the MITRE model, delineating seven key stages: resource development, evasion, trigger, distribution, target interaction, motive, and monetization.

Divided into two phases, this structure highlights the attackers’ use of dedicated domains, subdomains, and phishing kits to evade detection while deploying SparkKitty malware templates.

Three primary phishing templates mimic TikTok Shop, Wholesale, and Mall ecosystems, luring users with fake product listings and urgency tactics to deposit cryptocurrency, such as USDT, into fraudulent wallets that hijack transactions for fraud and fund theft.

A separate malware-based template poses as a TikTok Shop affiliate management platform, prompting downloads of trojanized apps that spoof the official TikTok interface.

These apps deviate from standard login flows by enabling Google OAuth access while failing email-based authentication and injecting unauthorized WebView elements to harvest credentials and session cookies.

Upon installation, particularly on iOS via UI spoofing to bypass security prompts, the apps establish command-and-control (C2) communications with hardcoded endpoints like https://aa.6786587.top/?dev=az, exchanging Base64-encoded payloads containing device fingerprints, TikTok IDs, and PHPSESSID tokens.
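As an added example (not from CTM360's report or this article), the following Python scores hostnames from proxy or DNS log lines against the traits described above for the lookalike domains and the hardcoded C2 endpoint: a TikTok brand keyword on a non-official domain, one of the low-cost TLDs named in the article, and an exact match on the C2 host quoted above. The allowlist (only tiktok.com), the regexes, the scoring weights and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption: only tiktok.com is treated as official; extend with your own allowlist.
OFFICIAL = {"tiktok.com"}
# Low-cost TLDs the article says the campaign favours.
SUSPECT_TLDS = {"top", "shop", "icu"}
# The hardcoded C2 host quoted in the article.
KNOWN_C2_HOSTS = {"aa.6786587.top"}
# Brand keyword with common lookalike substitutions (t1kt0k, tik-tok, ...).
BRAND = re.compile(r"t[i1l]k[-_.]?t[o0]k", re.I)
# Storefront words used by the Shop / Mall / Wholesale templates.
STORE = re.compile(r"shop|mall|wholesale", re.I)

def host_of(value):
    """Accept a bare hostname or a full URL and return the lowercase host."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.lower().rstrip(".")

def registrable(host):
    """Naive registrable domain: last two labels (ignores suffixes like co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def assess(value):
    """Return (score, reasons); 0 means nothing suspicious, 60+ is worth triage."""
    host = host_of(value)
    if host in KNOWN_C2_HOSTS:
        return 100, ["known ClickTok C2 host"]
    reg = registrable(host)
    if reg in OFFICIAL:
        return 0, []
    score, reasons = 0, []
    if BRAND.search(host):
        score += 60
        reasons.append("TikTok brand keyword on a non-official domain")
        if STORE.search(host):
            score += 10
            reasons.append("storefront keyword (Shop/Mall/Wholesale lure)")
    if reg.rsplit(".", 1)[-1] in SUSPECT_TLDS:
        score += 30
        reasons.append("low-cost TLD used by the campaign")
    return score, reasons

def scan_log(lines, threshold=60):
    """Return (host, score, reasons) for lines whose last field is a host or URL."""
    hits = []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        score, reasons = assess(parts[-1])
        if score >= threshold:
            hits.append((host_of(parts[-1]), score, reasons))
    return hits

# Constructed sample proxy log lines; only the C2 host is a real indicator.
SAMPLE_LOG = [
    "2025-08-01T10:00:01Z 10.0.0.5 https://www.tiktok.com/",
    "2025-08-01T10:00:02Z 10.0.0.5 https://tiktok-shop-mall.top/login",
    "2025-08-01T10:00:03Z 10.0.0.7 https://aa.6786587.top/?dev=az",
    "2025-08-01T10:00:04Z 10.0.0.9 https://example.shop/",
]

if __name__ == "__main__":
    for host, score, reasons in scan_log(SAMPLE_LOG):
        print(f"{score:3d} {host}: {'; '.join(reasons)}")
```

The registrable-domain split is deliberately simple; feed real traffic through a public-suffix library and a maintained allowlist before relying on the scores.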

This facilitates dynamic configurations and triggers for data exfiltration, including gallery scraping for seed phrases or screenshots and persistent device tracking.

SparkKitty’s Advanced Spyware Capabilities

The campaign’s trigger and distribution mechanisms rely on bogus profiles, deceptive ads with AI-generated content promoting discounted offers, and compromised social media accounts across platforms like Facebook, TikTok, Telegram, and WhatsApp.

These elements build false credibility, directing users to phishing URLs or modded app downloads via URL shorteners.

Monetization focuses on direct financial gain through advance fee scams, where affiliates are tricked into topping up fake wallets with promises of commissions, alongside payment theft via irreversible cryptocurrency transfers and credential phishing for account hijacking.

The embedded SparkKitty trojan exhibits spyware behaviors, such as device fingerprinting (reporting OS versions, IDs, and locations) and image theft from galleries, executed in stages: initial C2 checks via encrypted configuration files, metadata uploads, and conditional PUT requests for data exfiltration if status flags permit.

The C2 infrastructure is hardcoded in the app’s Java code with no dynamic rotation, which leaves the operation exposed to detection by threat intelligence systems.

First identified by Kaspersky, this cross-platform spyware has been adapted here to crypto-themed lures, enabling persistent compromise and the sale of stolen assets on dark web markets.

CTM360 emphasizes that defenses should target these lifecycle stages, from evasion tactics like shared or free hosting to monetization endpoints, to mitigate the campaign’s impact on global users.
