- The scam, called “FraudOnTok,” uses fake TikTok Shop sites and AI-generated videos to steal credentials and distribute malware.
- Researchers found over 15,000 lookalike domains, many of which host phishing pages or prompt malware downloads.
- The malware can steal data from both Android and iOS devices, including credentials and cryptocurrency wallet information.
- Similar attacks also target corporate online banking and Meta Business Suite users using phishing techniques.
Cybersecurity researchers reported that a major malicious campaign is spreading across global markets. Attackers are tricking TikTok Shop users into giving up their login details and installing infected apps. The aim is to steal information and financial assets using fake websites and phishing schemes.
Bahrain-based company CTM360 revealed that the operation, named “FraudOnTok,” uses realistic copies of TikTok Shop platforms and promotes them through social media ads and AI-generated videos that mimic influencers. They have identified more than 15,000 fake domains, most commonly ending in .top, .shop, or .icu.
These websites lure users to phishing pages or malware downloads. According to CTM360, over 5,000 URLs specifically push users to download malware disguised as a TikTok Shop app.
These phishing sites often advertise fake products with heavy discounts, pushing victims to make payments in cryptocurrency or “top up” digital wallets for promised perks that never arrive.
“The scam mimics legitimate TikTok Shop activity through fake ads, profiles, and AI-generated content, tricking users into engaging to distribute malware,” said CTM360.
If victims enter their credentials into these apps, attackers first attempt to collect email logins. If unsuccessful, they shift to Google account logins to get past security features. Once the user is logged in, the fake app redirects them to more credential-stealing pages.
Embedded in the malicious apps is a program called SparkKitty, which can gather device information, scan screenshots in a user’s photo gallery to detect cryptocurrency wallet security phrases, and send this data to attackers.
CTM360 also reported similar strategies used in other schemes. One, named “CyberHeist Phish,” targets people searching for business banking sites. Attackers use Google Ads and thousands of phishing links to copy real banking portals and steal credentials.
“This phishing operation is particularly sophisticated due to its evasive, selective nature and the threat actors’ real-time interaction with the target to collect two-factor authentication at each stage of login, beneficiary creation, and fund transfer,” noted CTM360.
Phishing attacks have also been observed aiming at Meta Business Suite users. Criminals use fake violation notices, ad account restriction emails, and verification requests to access business accounts and steal sensitive data.
These attacks come as the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) warns financial institutions to report suspicious transactions involving cryptocurrency kiosks.
“Criminals are relentless in their efforts to steal money from victims, and they’ve learned to exploit innovative technologies like CVC kiosks,” said FinCEN Director Andrea Gacki.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Trump’s Crypto Debanking Probe Boosts INJ, XLM, ZBCN Ahead of Tariffs
- Nasdaq, Russell Rally as Bitcoin Lags Amid Macro Uncertainty
- AWS, NHL, Esports Embrace Theta: July 2025 Ecosystem Roundup
- Bitcoin Volatility Hits Lowest Level in Over a Year Amid Regulation
- Solana’s New Seeker Phone Ships With Crypto Wallet to 50+ Nations
