
A large-scale phishing campaign dubbed “ClickTok” is targeting TikTok Shop users through more than 15,000 fake domains designed to mimic the platform’s branding and interface.
The operation, reported by cybersecurity researchers monitoring digital risk activity, uses a vast and fast-expanding infrastructure of lookalike domains and fraudulent social media profiles to trick users into clicking malicious links. These links redirect to phishing pages designed to steal personal and financial information under the guise of TikTok Shop promotions, giveaways, or discounts.
Many of the spoofed domains closely resemble legitimate TikTok Shop URLs — such as “tikshop-gifts” or “tiktok-bonus” — making them easy to mistake for the real thing. Once a victim enters their data, they’re often redirected to the legitimate TikTok Shop website to avoid raising suspicion, while the stolen credentials and payment details are silently exfiltrated to Telegram bots controlled by the attackers.
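As an added example (not code from the article or from the researchers it cites), a defender-side check that flags hostnames in web-proxy logs which embed the TikTok brand outside the official registrable domain, in the style of "tikshop-gifts" and "tiktok-bonus" above; it goes one step beyond the article by also catching one-character typosquats. Treating only tiktok.com as official is an assumption, and the sample URLs with `.example` domains are constructed.

```python
from urllib.parse import urlparse
# Assumption for this example: tiktok.com is the only registrable domain treated as official.
OFFICIAL_DOMAINS = {"tiktok.com"}
# Brand strings a lookalike embeds; "tiktok" and "tikshop" mirror the examples quoted in the article.
BRAND_TOKENS = ("tiktok", "tikshop")

def registrable_domain(host: str) -> str:
    """'www.tiktok.com' -> 'tiktok.com'. Simplified: ignores multi-label suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats such as 'tiktak'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a hostname seen in logs."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return "official"
    # Split every label on hyphens so 'tiktok-bonus' and 'tikshop-gifts' expose their brand token;
    # 'tiktok.com.giveaway.example' is caught because its registrable domain is not official.
    tokens = [t for label in host.split(".") for t in label.split("-") if t]
    for tok in tokens:
        if any(b in tok for b in BRAND_TOKENS):
            return "lookalike"  # brand string embedded in a non-official domain
        if any(edit_distance(tok, b) == 1 for b in BRAND_TOKENS):
            return "lookalike"  # one-character typosquat
    return "unrelated"

def classify_url(url: str) -> str:
    host = urlparse(url if "://" in url else "http://" + url).hostname
    return classify_host(host) if host else "invalid"

# Constructed sample of URLs as a web proxy might log them (not taken from the article).
SAMPLE_URLS = [
    "https://www.tiktok.com/", "https://shop.tiktok.com/promo",
    "http://tikshop-gifts.example/claim", "https://tiktok-bonus.example/login",
    "https://tiktok.com.giveaway.example/", "https://tiktak.example/", "https://example.org/",
]

def flag_lookalikes(urls=SAMPLE_URLS):
    # Keep only the URLs that impersonate the brand outside an official domain.
    return [u for u in urls if classify_url(u) == "lookalike"]
```

A production version would replace `registrable_domain` with a public-suffix-list lookup so that hosts under multi-label suffixes are parsed correctly.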

Beyond phishing, security analysts warn that some of these sites also deliver SparkKitty, a malware strain capable of stealing browser-stored credentials, clipboard contents, and cryptocurrency wallet data. In these cases, victims not only lose account access but may also unknowingly compromise sensitive data stored on their devices.
The campaign’s infrastructure is both sophisticated and professionally maintained. Many domains are hosted using fast-flux techniques or rotated through compromised servers to make takedown efforts more difficult. Over 6,000 of the fake domains were registered in just the last few weeks, indicating an aggressive expansion phase.
While the ClickTok campaign appears to primarily target TikTok Shop users, the tactics used — especially the distribution of SparkKitty — could easily be repurposed for broader attacks. The operation highlights the increasing overlap between phishing, malware delivery, and social engineering through fake branded content.
TikTok Shop users are strongly advised to remain cautious of links promising rewards or special offers, verify domain names closely, and avoid entering login or payment information outside the official TikTok app or website.