Despite years of warnings and efforts, the problem of fake websites and malware being circulated through platforms like TikTok and Facebook Marketplace remains largely unresolved. While service providers occasionally take down some of these malicious pages, the problem persists, and new fraudulent sites emerge with even more intensity and frequency.
This ongoing issue has caught the attention of security researchers, particularly those from CTM360, a Bahrain-based digital risk protection company specializing in threat detection. Their findings reveal a troubling trend: hackers are increasingly using social media platforms to spread AI-generated malware disguised as fake e-commerce websites.
A Deceptive Scheme Targeting Young Users
The approach is slick and highly effective. The cybercriminals craft convincing ad banners that often appear in users’ feeds, promoting what seem to be legitimate online stores. These ads, which look almost identical to those from real businesses, are designed to deceive the viewer into clicking. The target audience is typically younger users, with many being as young as 16 in some countries. Once the user clicks on the ad, they are led to a phishing website, often filled with malicious payloads that are designed to compromise the device.
The ultimate goal of these cyber attackers is to gather sensitive personal information—credentials, login details, or even access to cryptocurrency wallets. While stealing cryptocurrency is not a simple task and requires a significant amount of technical expertise, it is certainly possible. The malware often used in these attacks, such as the notorious Spark Kitty, lurks on infected devices, silently collecting data and gaining capabilities through communication with Command-and-Control (C2C) servers. Over time, these threats evolve, becoming more sophisticated and able to carry out increasingly complex tasks.
The Role of Social Media Platforms: A Slow Response
Platforms like Facebook have been vocal about their efforts to combat this issue. The company recently revealed that it has been employing Artificial Intelligence to identify and remove accounts involved in suspicious activities, including those propagating fake websites and malware. While this is a step in the right direction, it has often been a game of whack-a-mole: as one fraudulent account or page is removed, another pops up in its place with renewed vigor.
On the other hand, TikTok seems to have lagged in implementing robust measures to protect its users, particularly younger ones. Despite the platform’s public assurance that it only allows users over the age of 18 to create content and engage on the platform, there is ample evidence showing that children as young as 12-14 years old are able to access TikTok, exposing them to potential threats. The absence of comprehensive age verification systems leaves these young users vulnerable to scams and malicious activities, such as the spread of malware and fake websites.
What Can Be Done?
The issue at hand is not just about removing a few malicious websites but addressing a broader ecosystem of deceit, where both social media platforms and cybercriminals are constantly evolving. To effectively combat this threat, service providers must step up their game by not only increasing the use of AI to identify suspicious activity but also implementing stricter age-verification systems, especially on platforms like TikTok, where young users are often exposed to high-risk environments.
Additionally, there needs to be greater awareness among users, particularly teenagers, about the risks of interacting with online ads and visiting unfamiliar websites. Educational campaigns on digital literacy could go a long way in empowering individuals to make safer choices online.
In conclusion, the rise of fake websites and malware remains a significant challenge, especially as cybercriminals continue to exploit the popularity of platforms like TikTok and Facebook. While progress has been made, much more needs to be done to protect users—especially young ones—from these evolving threats.
Join our LinkedIn group Information Security Community!
