- Fraudulent TikTok Shops driving victims into fake portals designed to steal cryptocurrency and data
- Scammers mimic trusted seller profiles and lure shoppers with unrealistic discounts across popular platforms
- SparkKitty malware secretly collects sensitive data from devices, enabling long-term unauthorized surveillance and control
Cybercriminals are now making use of TikTok Shops to spread malware and steal funds from unsuspecting young users of the platform.
The campaign, revealed by security experts at CTM360, mimics the profile of legitimate ecommerce sellers to build its credibility, often using AI-generated content.
In addition to TikTok, these fake shops can also be found on Facebook, where their modus operandi is to advertise massive price cuts to lure potential victims.
You may like
Exploiting brand trust for profit
The main target of these malicious actors is not only to defraud users, mostly in cryptocurrency, but also to deliver malicious software and steal login details.
At the moment, TikTok Wholesale and Mall pages have been linked to over 10,000 such fraudulent URLs.
These URLs, which look like official platforms, offer “buy links” that redirect visitors to a criminal phishing portal.
Once users click the link and enter the portal, they will be made to pay a deposit into an online wallet or purchase a product – the online wallet is fake and the product does not exist.
Some operations take the deception further by posing as an affiliate management service, pushing malicious apps disguised as tools for sellers.
More than 5,000 app download sources have been uncovered, many using embedded links and QR codes to bypass traditional scrutiny.
One identified threat, known as SparkKitty, is capable of harvesting data from both Android and iOS devices.
It can enable long-term access to compromised devices, creating ongoing risk even after the initial infection.
The malware is often delivered through these fake affiliate applications, turning what appears to be a legitimate opportunity into a direct path for account takeover and identity theft.
Because cryptocurrency transactions are irreversible, victims have little recourse once funds are transferred.
A common thread in the campaign is the use of pressure tactics, with countdown timers or limited-time discounts designed to force quick decisions.
These tactics, while common in legitimate marketing, make it harder for users to pause and assess the authenticity of an offer.
Domain checks reveal many of the scam sites using inexpensive extensions such as .top, .shop, or .icu, which can be purchased and deployed rapidly.
How to stay safe
- Make sure you check the website address carefully before entering your payment information. Every detail of the website should match the legitimate domain.
- Ensure that you use secure HTTPS encryption
- If the price cut feels too huge, follow your gut and stay away.
- Do not allow a countdown timer to pressure you into making payment; this pressure is a common tactic my malicious actors
- Always insist on the standard payment methods and avoid direct wire transfers or cryptocurrency, as these are harder to trace and often used in scams.
- Install and maintain a trusted security suite that combines robust antivirus protection with real-time browsing safeguards to block malicious websites.
- Configure your firewall to actively monitor and filter network traffic, preventing unauthorized access and blocking suspicious connections before they reach your device.
- Pay close attention to alerts from reputable security programs, which can detect and warn you about known phishing sites or fraudulent activities in real time.
- Remain cautious even when shopping on professional-looking platforms, as well-designed storefronts can still conceal sophisticated attempts at theft.
