In August, cybersecurity firm CTM360 uncovered a large-scale scam targeting TikTok Shop users.
Called “FraudOnTok,” this campaign combines phishing with malware. It uses a complex web of fake sites and apps to trick victims into handing over their credentials, and their money.
The bad actors set up more than 15,000 lookalike domains. They mimic TikTok Shop, TikTok Wholesale, and TikTok Mall, using cheap domain extensions like .top, .shop, and .icu. These sites fool users into believing they’re on the official platform. Once there, victims are hit with phishing pages that steal login info, and are prompted to download trojanized apps loaded with SparkKitty spyware.
SparkKitty is more than just spyware. It grabs screenshots from device galleries (often hunting for crypto wallet seed phrases) fingerprints the device, and keeps constant contact with attacker servers to siphon data over time. The malware’s hardcoded control servers hint this group is still developing, but their reach is already global.
FraudOnTok targets two groups: shoppers and TikTok Shop Affiliates. The scammers use AI-generated TikTok videos and fake ads on TikTok and Meta, mimicking influencers or official brand reps. They even create fake social profiles posing as affiliates to boost credibility.
Victims are pushed to pay into untraceable crypto wallets like USDT. The scam offers fake discounts or convinces users to “top up” fake wallets promising commissions or bonuses, but no money ever arrives. The fake app mimics TikTok’s interface and tricks users through Google OAuth login, bypassing normal security to grab credentials and session cookies.
Though TikTok Shop officially operates in just 17 countries (including the US, UK, Indonesia, and parts of Europe and Asia) FraudOnTok is worldwide. CTM360 found over 10,000 phishing URLs and 5,000 malicious app sites connected to this scam.
The company used a Scam Navigator framework inspired by MITRE to map the scam’s lifecycle: resource development, evasion, distribution, interaction, and monetization.
Threat actors profit through stolen payments, phishing, and advance-fee fraud. They exploit trust in TikTok’s brand and the irreversible nature of cryptocurrency transactions.
CTM360’s report shows how malefactors blend AI, phishing, fake ads, and spyware to attack users on social commerce platforms. It’s a warning that social engineering plus malware is a dangerous combination, particularly when tied to popular apps with millions of users.
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, comments: “This particular attack shows how technical attacks are more often than not blended with social engineering tactics to exploit our trust in brands. By leveraging AI-generated content, lookalike domains, and convincing social ads, criminals can tap into the human nature of curiosity and platform trust.”
Malik says it serves as a reminder that individuals and organisations need to remain skeptical of offers that appear too good to be true and verify websites before entering credentials. “While technology can reduce the number of threats, it cannot completely eliminate them, which is why user vigilance remains an essential component for good security.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.