Cyber criminals exploiting naked TikTok ‘challenge’

Two security researchers have raised the alarm over both the personal dangers of participating in viral TikTok challenges, and of being drawn in by promises that seem too good to be true, after uncovering evidence of a malware operation targeting platform users with the promise of viewing nude videos.

The Invisible Challenge requires participants to film themselves naked using a TikTok effect called Invisible Body, which removes their body from the video and replaces it with a blurred contour image. The challenge is growing increasingly popular and its main hashtag now has over 25 million views.

However, according to Guy Nachshon and Tal Folkman of Checkmarx, a specialist in application security testing, the challenge has attracted the attention of malicious actors who are exploiting it to distribute data-stealing malware under the guise of a software app called Unfilter, which supposedly enables users to view the original, uncensored videos.

The operation is run by two TikTok users going by the handles “learncyber” and “kodibtc”, who so far have invited over 30,000 people to join a Discord server to obtain the Unfilter application via their GitHub repository.

“The high number of users tempted to join this Discord server and potentially install this malware is concerning,” wrote Nachshon and Folkman. “The level of manipulation used by software supply chain attackers is increasing as attackers become increasingly clever.”

Of course, the software application does not actually remove the TikTok filter. Instead it installs malware called WASP Stealer (Discord Token Grabber), an infostealer that targets Discord accounts, other credentials and credit card data stored in victims’ web browsers, cryptocurrency wallets, and other files.

Nachshon and Folkman said the campaign appeared to be linked to other malicious Python packages, and some of the code may have been stolen from a legitimate package.

StarJacking

The attackers may also have used a technique known as StarJacking, in which a malicious package’s registry listing is pointed at the legitimate package’s GitHub repository, so that the registry displays that repository’s star count and the malicious package appears far more popular than it really is. They had also been sending new sign-ups a private message from a bot account asking them to star the GitHub repository themselves, and as a result the repository gained the status of a trending project.
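The StarJacking check a practitioner would want is simple: take the GitHub repository a package’s registry metadata links to, fetch that repository’s own packaging metadata, and confirm the repository actually says it publishes the package. The example below is added here and is not Checkmarx’s tooling or anything from the campaign; the PyPI JSON metadata and the repository pyproject.toml contents are constructed stand-ins (in practice you would fetch https://pypi.org/pypi/<name>/json and the raw pyproject.toml from the linked repository), and the package names are hypothetical.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of https://pypi.org/pypi/<name>/json (the
# "info" object only). Package names are hypothetical. "evil-helper" links to a
# repository that belongs to a different package, which is the StarJacking pattern.
SAMPLE_PYPI = {
    "legit-tool": {"info": {
        "name": "legit-tool",
        "home_page": "https://github.com/legit-org/legit-tool",
        "project_urls": {"Source": "https://github.com/legit-org/legit-tool"},
    }},
    "evil-helper": {"info": {
        "name": "evil-helper",
        "home_page": "https://github.com/legit-org/legit-tool",
        "project_urls": {"Homepage": "https://github.com/legit-org/legit-tool.git"},
    }},
}

# Constructed stand-in for the pyproject.toml of each linked repository, keyed by
# "owner/repo". In real use this is fetched from the repository itself.
SAMPLE_REPO_PYPROJECT = {
    "legit-org/legit-tool": '[project]\nname = "legit-tool"\nversion = "1.0.0"\n',
}


def normalize(name):
    """PEP 503 name normalization so 'Foo_Bar.baz' and 'foo-bar-baz' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def github_slugs(info):
    """Return the set of owner/repo slugs referenced from a package's metadata URLs."""
    urls = [info.get("home_page") or ""] + list((info.get("project_urls") or {}).values())
    slugs = set()
    for url in urls:
        parsed = urlparse(url)
        if parsed.netloc.lower() not in ("github.com", "www.github.com"):
            continue
        parts = [p for p in parsed.path.split("/") if p]
        if len(parts) >= 2:
            slugs.add(f"{parts[0]}/{parts[1].removesuffix('.git')}")
    return slugs


def declared_name(pyproject_text):
    """Extract the [project] name a repository declares in its pyproject.toml, if any."""
    match = re.search(r'^\s*name\s*=\s*"([^"]+)"', pyproject_text, re.M)
    return match.group(1) if match else None


def check_starjacking(pkg_meta, repo_pyprojects):
    """Flag every linked GitHub repository that does not claim to publish this package.

    A repository is accepted if its pyproject.toml names the package, or, when no
    packaging metadata is available, if the repository is named after the package.
    Anything else is reported as a possible StarJacking link.
    """
    info = pkg_meta["info"]
    pkg = normalize(info["name"])
    findings = []
    for slug in sorted(github_slugs(info)):
        repo_name = normalize(slug.split("/")[1])
        text = repo_pyprojects.get(slug)
        declared = declared_name(text) if text else None
        if declared is not None and normalize(declared) == pkg:
            continue  # the repository itself says it publishes this package
        if declared is None and repo_name == pkg:
            continue  # weak match only: repo named after the package, no metadata seen
        findings.append({"package": info["name"], "repo": slug, "repo_declares": declared})
    return findings


if __name__ == "__main__":
    for name, meta in SAMPLE_PYPI.items():
        print(name, check_starjacking(meta, SAMPLE_REPO_PYPROJECT) or "ok")
```

The check deliberately treats "repository named after the package but no metadata found" as only a weak pass; a repository whose pyproject.toml names a different package is the strong signal, since that is exactly what a listing borrowing another project’s stars looks like.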

At one point, said the researchers, after the malicious package was caught and removed from the Python Package Index (PyPI), the attackers quickly improvised and created new identities. Both users have also been thrown off TikTok and their original Discord server suspended, although Nachshon and Folkman said they claim to have moved to another server.

“These attacks demonstrate again that cyber attackers have started to focus their attention on the open source package ecosystem; we believe this trend will only accelerate in 2023,” the researchers said.

“As we see more and more different attacks, it is critical to expedite the flow of information on these attacks across all parties involved – package registries, security researchers [and] developers – to protect the open source ecosystem against those threats.”

Javvad Malik, lead security awareness advocate at KnowBe4, said: “Criminals are always looking for ways to trick people into downloading malware. This could be through offers of free gifts, impersonating big brands, fear of loss of an account, curiosity, and whichever other emotional strings they can pull.

“The invisible body filter is designed specifically to elicit an emotional response, which is why it’s a trend at the moment. The criminals know that the lure of potentially being able to reverse the filter would be too great for many to resist, and they are right.

“It is why it’s important to take a step back and think before you download any software, particularly where it comes from unknown sources, especially in chat channels such as Discord,” said Malik.
