
Widespread ClickTok Campaign Targets TikTok Shop Users with Phishing and Malware

A widespread malicious campaign, dubbed ClickTok, is targeting TikTok Shop users around the globe

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.


Cybersecurity researchers at CTM360 have uncovered a widespread malicious campaign, dubbed ClickTok, targeting TikTok Shop users around the globe. This operation uses a combination of phishing techniques and trojanized mobile apps to steal user credentials and distribute malware, aiming to compromise both consumer and creator accounts.

How the Attack Works

The threat actors behind ClickTok have developed a sophisticated two-pronged strategy:

  1. Phishing Websites: Over 15,000 lookalike domains imitating TikTok’s branding (e.g., using .top, .shop, and .icu TLDs) are being used to trick users into logging into fake versions of TikTok Shop.

  2. Malicious Apps: These domains also host trojanized applications embedded with a cross-platform malware variant known as SparkKitty, capable of compromising both Android and iOS devices.

CTM360 notes that these phishing pages and apps lure victims through AI-generated videos and Meta ads, simulating influencer promotions with fake discounts. Once the victim engages, they're directed to download malware or input their TikTok credentials.

Financially Motivated Objectives

The campaign is financially motivated and operates through three key tactics:

  • Fake Products and Wallets: Users are tricked into paying for non-existent discounted items using cryptocurrency or topping up fraudulent on-site wallets.

  • Affiliate Program Exploitation: Influencers and affiliate marketers are deceived into joining fake programs with promises of commission payouts that never come.

  • Credential Harvesting: The malicious app simulates login failures to push users into using OAuth-based Google login, enabling attackers to hijack session tokens without requiring email authentication.

Once installed, the app leverages optical character recognition (OCR) to scan photo galleries for sensitive content, including cryptocurrency wallet seed phrases, which are then exfiltrated to attacker-controlled servers.

Related Threat Activity

CTM360 also highlights CyberHeist Phish, a parallel phishing operation using Google Ads to impersonate banking websites, collecting credentials and two-factor authentication codes in real time during login and fund transfers.

Another campaign, Meta Mirage, targets Meta Business Suite users by sending fake violation notices or verification requests via email and DM, leading to cookie and credential theft.

National Cybersecurity Warning

These findings come amid a broader alert from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), which warns about the misuse of convertible virtual currency (CVC) kiosks for fraud and laundering.

“Criminals are relentless in their efforts to steal money from victims and exploit innovative technologies like CVC kiosks,” said FinCEN Director Andrea Gacki.

Protection Recommendations

Users and organizations should:

  • Verify TikTok Shop URLs carefully

  • Avoid downloading apps from unofficial sources

  • Monitor mobile devices for suspicious behavior

  • Use antivirus and mobile threat defense solutions

  • Report any suspicious TikTok promotions or domains
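The lookalike-domain pattern described under "How the Attack Works" (brand name on .top, .shop and .icu domains) and the first recommendation above ("Verify TikTok Shop URLs carefully") can be turned into a simple triage check. The following Python script is an added example, not code from CTM360 or Cyber Syrup. It assumes tiktok.com is the only trusted registrable domain, treats the three TLDs named in the article as suspicious, and uses a naive "last two labels" rule for the registrable domain (a production tool would use the Public Suffix List). The sample URLs are constructed for illustration. It also catches two tricks the article does not spell out but that the same lookalike approach commonly relies on: the brand name placed in a subdomain or in the userinfo part of the URL, and Unicode homograph hostnames, which become visible once converted to punycode.

```python
"""Triage check for TikTok Shop links (added example; assumptions noted in comments)."""
import re
from urllib.parse import urlparse

# Assumption: only tiktok.com is trusted as the registrable domain.
LEGIT_DOMAINS = {"tiktok.com"}
# TLDs the article reports as used by ClickTok lookalike domains.
SUSPICIOUS_TLDS = {"top", "shop", "icu"}
# Constructed pattern: the brand name plus common letter/digit swaps and separators.
BRAND_PATTERN = re.compile(r"t[i1l]k[\-_.]?t[o0]k")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Use the Public Suffix List in real deployments."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url: str) -> dict:
    """Return {'host', 'verdict', 'reasons'} with verdict legitimate/lookalike/unrelated."""
    if "://" not in url:
        url = "http://" + url
    parsed = urlparse(url)
    host = (parsed.hostname or "").rstrip(".").lower()
    # Convert Unicode hostnames to punycode so homograph domains show up as xn--.
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return {"host": host, "verdict": "lookalike", "reasons": ["invalid-idna"]}

    if registrable_domain(host) in LEGIT_DOMAINS:
        return {"host": host, "verdict": "legitimate", "reasons": []}

    reasons = []
    if parsed.username is not None:
        # e.g. https://tiktok.com@evil.top/ -- the real host is after the '@'
        reasons.append("userinfo-in-url")
    if "xn--" in host:
        reasons.append("punycode-host")
    if BRAND_PATTERN.search(host):
        # Brand name inside a domain that is not the trusted one (subdomain tricks too).
        reasons.append("brand-in-unrelated-domain")
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in SUSPICIOUS_TLDS:
        reasons.append(f"suspicious-tld:{tld}")

    verdict = "lookalike" if reasons else "unrelated"
    return {"host": host, "verdict": verdict, "reasons": reasons}


# Constructed sample links (not real ClickTok indicators).
SAMPLE_URLS = [
    "https://www.tiktok.com/shop",
    "https://tiktok-shop-sale.top/login",
    "https://tiktok.com.verify-account.icu/",
    "https://tiktok.com@evil.top/",
    "https://tikt\u043ek.com/",          # Cyrillic 'о' homograph
    "https://example.org/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = classify_url(u)
        print(f"{r['verdict']:10} {r['host']:35} {', '.join(r['reasons'])}")
```

The check is deliberately conservative: a link is "legitimate" only when its registrable domain is on the allowlist, so a brand name in a subdomain, in the userinfo field, or on a suspicious TLD is reported as a lookalike rather than trusted on sight.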