(Credit: KIRAN RIDLEY / Contributor / AFP via Getty Images)
Scammers are capitalizing on the popularity and name recognition of the TikTok Shop to pull off a "widespread, ongoing, malicious campaign" intended to steal crypto and your personal data.
Threat actors are creating replicas of TikTok Shop profiles, complete with AI-generated videos, to trick users into thinking they are interacting with a legitimate seller, says cybersecurity firm CTM360. They also circulate fake ads on Facebook and TikTok that promise big discounts on products, but those ads redirect people to bogus versions of TikTok Wholesale and TikTok Mall.
CTM360 found more than 10,000 phishing URLs that "are used to lure users into depositing cryptocurrency on fraudulent storefronts, leveraging fake product listings and urgency tactics."
Another tactic sees scammers masquerading as a TikTok Shop affiliate management platform. People are encouraged to download an app that's actually designed to hijack accounts, steal sensitive information, and potentially enable persistent device compromise.

"The threat actors distribute malicious App files through embedded download links and QR codes, with 5,000+ distinct App download sites detected thus far," CTM360 says.
The effort hinges on the ability to "exploit user trust in TikTok Shop's brand." Once a scammer convinces someone to download an app or log into a fake page, the next step is malware delivery. In this case it's SparkKitty, an information stealer capable of harvesting data from both Android and iOS devices, The Hacker News reports.
Victims are asked to pay in cryptocurrency or deposit money into a fake on-site wallet, with promises of "future commission payouts or withdrawal bonuses that never materialize." The scammers also impersonate TikTok Shop login pages to steal user credentials and later hijack the accounts.
"The core motive is fraudulent financial gain, exploiting the trust in online shopping, affiliate earnings, and the irreversibility of certain payment methods," says CTM360.
The report is a reminder to be wary of deals that seem too good to be true. Double-check URLs for anything that seems off: the scam sites use free or low-cost top-level domains such as .top, .shop, and .icu, and the brand name appearing somewhere in a hostname means nothing if the domain that actually owns it is something else. The official TikTok Shop and affiliate program are hosted on tiktok.com and have strict guidelines; they're not going to reach out proactively and ask you to deposit money into a crypto wallet.
Be careful with ads, too. Last month, a fake Starlink deal circulated on Facebook, baiting people with a cheap satellite dish to get them to enter credit card information.
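As an added example (not code from the article or from CTM360), here is a small Python checker that applies the URL advice above: it extracts the hostname, derives the registrable domain with a naive last-two-labels rule (an assumption for the example; a real deployment would use the Public Suffix List), and flags the look-alike patterns the report describes, including the brand name buried in a subdomain, a cheap TLD, and a `user@host` trick that hides the real host. The official domain tiktok.com and the TLDs .top, .shop and .icu come from the article; the sample URLs are constructed for illustration and are not real scam sites.

```python
from urllib.parse import urlsplit

# From the article: the legitimate domain, and the cheap TLDs the scam sites use.
OFFICIAL_DOMAINS = {"tiktok.com"}
SUSPICIOUS_TLDS = {"top", "shop", "icu"}
# Brand strings a look-alike host is likely to contain (assumption for this example).
BRAND_TOKENS = ("tiktok", "tik-tok")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels of the host.

    Assumption for this example. It is wrong for multi-label public
    suffixes such as co.uk; a real checker should consult the Public
    Suffix List instead.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def check_url(url: str) -> dict:
    """Classify a URL as official, suspicious or unknown, with reasons."""
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    # .hostname drops any user@ prefix and any port, so
    # https://tiktok.com@evil.icu/ is correctly seen as evil.icu.
    host = parts.hostname or ""
    reg = registrable_domain(host)
    reasons = []

    if reg in OFFICIAL_DOMAINS:
        return {"url": url, "host": host, "verdict": "official", "reasons": reasons}

    tld = reg.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        reasons.append(f"registrable domain {reg} is under .{tld}")
    if any(tok in host for tok in BRAND_TOKENS):
        reasons.append(f"host {host} carries the brand name but belongs to {reg}")
    if "@" in parts.netloc:
        reasons.append("userinfo in URL hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label: possible homograph")
    if parts.scheme != "https":
        reasons.append("not served over https")

    verdict = "suspicious" if reasons else "unknown"
    return {"url": url, "host": host, "verdict": verdict, "reasons": reasons}


def scan(urls):
    """Run check_url over a list of URLs and return the results."""
    return [check_url(u) for u in urls]


# Constructed sample URLs (not real scam sites); the shapes follow the article.
SAMPLE_URLS = [
    "https://www.tiktok.com/shop",
    "https://tiktok.com.shop-deals.top/login",
    "https://tiktok.com@evil.icu/",
    "http://tik-tok-wholesale.shop/",
    "https://example.org/",
]

if __name__ == "__main__":
    for r in scan(SAMPLE_URLS):
        print(r["verdict"].upper(), r["host"], "; ".join(r["reasons"]))
```

The useful lesson is in the second and third samples: a URL can start with `tiktok.com` and still land somewhere else entirely, because only the last labels of the hostname (and nothing before an `@`) decide who owns the site.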