

Ethical Hacking News

Exposing the Dark Side: Unraveling the "FraudOnTok" Malicious Campaign Targeting TikTok Shop Users


CTM360 has uncovered a new global malware campaign dubbed "FraudOnTok" that spreads the SparkKitty spyware through fake TikTok shops to steal cryptocurrency wallets and drain funds.

  • CTM360 has uncovered a new scam campaign called "FraudOnTok" exploiting TikTok Shop to steal cryptocurrency wallets and funds.
  • The FraudOnTok campaign uses phishing, malware, and spyware tactics to deceive buyers and affiliate program participants on TikTok's platform.
  • It spreads through fake TikTok shops embedded with SparkKitty spyware, which captures sensitive data by reading screenshots and images stored on the device.
  • Victims are lured into logging in and attempting to make purchases, during which time their sensitive data is stolen.
  • The scam uses fake websites that mimic the official TikTok interface to trick users into paying with cryptocurrency wallets.
  • CTM360 has observed over 10,000 impersonated TikTok websites and 5,000 unique malicious app instances spread via QR codes and messaging apps.



    The world of online transactions and commerce has long been plagued by a multitude of cyber threats, from phishing scams to malware-infested apps. Recently, cybersecurity firm CTM360 uncovered a particularly insidious campaign dubbed "FraudOnTok," which exploits the growing e-commerce platform of TikTok Shop to steal cryptocurrency wallets and drain funds.

    The FraudOnTok campaign is a hybrid scam model that combines phishing and malware tactics to deceive buyers and affiliate program participants on TikTok's platform. The unique spyware trojan, specifically engineered to exploit TikTok Shop users across the globe, spreads through fake TikTok shops embedded with SparkKitty spyware. This malicious software variant closely resembles SparkCat, previously identified by Kaspersky, and is designed to infiltrate user devices, access photo galleries, and extract screenshots that may contain cryptocurrency wallet credentials.

    Once installed, the SparkKitty spyware covertly captures sensitive data, including wallet credentials, by reading screenshots and images stored on the device. This enables the theft of digital funds, making it a formidable threat to users who engage with fake TikTok websites impersonating the official platform. The attackers create fake websites that closely mimic the interface, deceiving users into thinking they're interacting with the real platform.

    Victims are lured into logging in and attempting to make purchases, during which time they're instructed to pay via cryptocurrency wallets. Once payment is made, the trojanized app embedded with SparkKitty spyware captures sensitive data, ultimately enabling the theft of digital funds.

    The attackers pursue two main objectives. The first is phishing: fake Shop URLs distributed through Meta ads prompt users to enter login credentials, payment details, or seller information, all of which are silently harvested. The second is trojanized mobile apps: users are urged to install modified TikTok apps infected with SparkKitty spyware.

    The scammers use fake AI-generated videos and Meta ads to reach a wider audience, directing users to cybersquatted domains carefully crafted to look like real TikTok URLs. To date, CTM360 has observed over 10,000 impersonated TikTok websites using inexpensive TLDs such as .top, .shop, .icu, and others. Additionally, over 5,000 unique malicious app instances have been spread via QR codes, messaging apps, and in-app downloads.

    FraudOnTok scammers impersonate not just TikTok Shop but also TikTok Wholesale and TikTok Mall. The campaign uses fake TikTok Shop login pages to harvest user credentials and distributes malware through trojanized apps that enable account hijacking. It implements an alternative payment structure that excludes traditional card transactions and instead requires payment through cryptocurrency wallets.

    Victims are often encouraged to "top up" fake TikTok wallets or digital currencies like USDT, ETH, and more.

    In response to this malicious campaign, CTM360 urges users and organizations to stay vigilant and take the following precautions:

    Avoid downloading modded, cracked, or unknown software, especially from torrent sites and Telegram. Always verify domain authenticity before entering login or payment information, manually checking for spelling errors or suspicious domain extensions.

    Report any suspicious TikTok-related content, ads, or apps directly to TikTok or cybersecurity authorities in your country. Brands and sellers should regularly monitor brand abuse and impersonation trends using threat intelligence platforms.

    A strong antivirus or EDR solution can prevent SparkKitty spyware breaches. If you use a crypto wallet, consider one that is clipboard-protected.
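The domain check recommended above can be automated for brand-abuse monitoring. The following is an added example, not code from CTM360 or the original article: it flags hostnames that carry the TikTok brand (including one-character misspellings) outside the official domain and notes the cheap TLDs and sub-brand lures the article names. The allow-list of `tiktok.com`, the character-substitution table, and all sample hostnames are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

OFFICIAL = {"tiktok.com"}              # assumption: the only domain treated as genuine here
CHEAP_TLDS = {"top", "shop", "icu"}    # TLDs named in the article ("and others" not covered)
LURES = ("shop", "wholesale", "mall")  # sub-brands the article says are impersonated
BRAND = "tiktok"
LOOKALIKE_CHARS = str.maketrans({"0": "o", "1": "i", "l": "i"})  # illustrative, not exhaustive

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_match(host):
    """Return how the brand appears in the host: 'exact', 'near-miss' or None."""
    flat = re.sub(r"[^a-z0-9]", "", host.translate(LOOKALIKE_CHARS))
    if BRAND in flat:
        return "exact"
    for size in (len(BRAND) - 1, len(BRAND), len(BRAND) + 1):
        for i in range(len(flat) - size + 1):
            if edit_distance(flat[i:i + size], BRAND) <= 1:
                return "near-miss"
    return None

def assess(value):
    """Classify a URL or hostname as 'official', 'lookalike' or 'unrelated'."""
    url = value if "://" in value else "//" + value
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    # Simplification: registrable domain = last two labels (use the Public Suffix List in production).
    if ".".join(labels[-2:]) in OFFICIAL:
        return {"host": host, "verdict": "official", "reasons": []}
    match = brand_match(host)
    if match is None:
        return {"host": host, "verdict": "unrelated", "reasons": []}
    reasons = [f"brand:{match}"]
    if labels[-1] in CHEAP_TLDS:
        reasons.append(f"tld:.{labels[-1]}")
    reasons += [f"lure:{w}" for w in LURES if w in host]
    return {"host": host, "verdict": "lookalike", "reasons": reasons}

# Constructed sample hostnames, not indicators from the CTM360 report.
SAMPLES = ["https://www.tiktok.com/shop", "tiktok-shop-demo.top",
           "tikt0k-mall-demo.icu", "tiktok.com.login-demo.shop", "example.org"]
```

Calling `assess()` on each entry in `SAMPLES` shows that the official domain used as a subdomain prefix (`tiktok.com.login-demo.shop`) is still classified as a lookalike, because only the registrable domain is compared against the allow-list.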



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Exposing-the-Dark-Side-Unraveling-the-FraudOnTok-Malicious-Campaign-Targeting-TikTok-Shop-Users-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/ctm360-spots-malicious-fraudontok-campaign-targeting-tiktok-shop-users/


  • Published: Tue Aug 5 13:52:45 2025 by llama3.2 3B Q4_K_M












