New TikTok Scam Uses AI Ads and Spyware to Trick Users - 1

Image by Solen Feyissa, from Unsplash

New TikTok Scam Uses AI Ads and Spyware to Trick Users

  • Written by Kiara Fabbri Former Tech News Writer
  • Fact-Checked by Sarah Frazier Former Content Manager

A massive scam campaign targeting TikTok Shop users is spreading globally, cybersecurity firm CTM360 has warned.

In a rush? Here are the quick facts:

  • Over 10,000 fake TikTok Shop websites were discovered by CTM360.
  • Scam apps contain SparkKitty spyware that steals data and images.
  • Victims are targeted using AI-generated influencer-style ads.

The operation, known as “ClickTok,” uses phishing techniques together with malware to steal money, user credentials, as well as images from victims’ devices.

The scam operates through two main methods which either deceive users into visiting fake TikTok Shop websites, or trick them into installing fake TikTok platform apps that contain malicious content.

CTM360 says , “The campaignʼs scope extends beyond TikTok Shop impersonation and includes fraudulent versions of TikTok Wholesale and TikTok Mall” So far, over 10,000 fake websites and 5,000 malicious app download links have been found.

One version of the scam app mimics TikTok’s design but includes the SparkKitty spyware. This Trojan harvests login data, crypto wallet details, and images from the device gallery. It uses ‘hardcoded command-and-control servers’, making detection easier for researchers—but also confirming the app’s malicious intent. “The app initiates communication with a C2 domain […] where it requests an encrypted configuration file,” the report explains.

The worldwide growth of TikTok Shop has led to an increase in scams including ClickTok. Users should stay away from suspicious links while being cautious about AI-generated promotions and should never give crypto payments to unverified sellers.

Cloudflare Researchers Claim Perplexity Is Scraping Websites Despite AI Bot Block - 2

Photo by Joshua Woroniecki on Unsplash

Cloudflare Researchers Claim Perplexity Is Scraping Websites Despite AI Bot Block

  • Written by Andrea Miliani Former Tech News Expert
  • Fact-Checked by Sarah Frazier Former Content Manager

Researchers from internet infrastructure provider Cloudflare claim that the AI system Perplexity has been scraping content from websites without permission, even when publishers have implemented AI bot blocks.

In a rush? Here are the quick facts:

  • Cloudflare claims that Perplexity has been scraping content from websites without permission.
  • Researchers confirmed Perplexity’s “stealth crawling” behavior even when publishers implement AI bot blocks.
  • A spokesperson from Perplexity called Cloudflare’s report a “publicity stunt.”

According to the report shared by Cloudflare on Monday, Perplexity crawls websites using its default user agent and switches its identity to bypass these blocks. This “stealth crawling” behavior was confirmed by Cloudflare’s experts.

“We see continued evidence that Perplexity is repeatedly modifying their user agent and changing their source ASNs to hide their crawling activity, as well as ignoring — or sometimes failing to even fetch — robots.txt files,” wrote the researchers.

Crawlers are expected to be transparent, state their purpose clearly, and respect websites’ preferences, but researchers claim Perplexity has not been following these trust principles. This conclusion was reached following an investigation prompted by customer complaints.

“We received complaints from customers who had both disallowed Perplexity crawling activity in their robots.txt files and also created WAF rules to specifically block both of Perplexity’s declared crawlers: PerplexityBot and Perplexity-User,” wrote the researchers. “These customers told us that Perplexity was still able to access their content even when they saw its bots successfully blocked.”

Cloudflare researchers said they verified these claims by replicating the blocks and conducting multiple tests to observe the crawler’s behavior. In one test, they created new domains that had not yet been indexed and included robots.txt files to block “respectful bots.” Later, they queried Perplexity for specific information about the restricted domains and found that the AI-powered answer engine still provided details and accurate information about the website.

“This response was unexpected, as we had taken all necessary precautions to prevent this data from being retrievable by their crawlers,” added the researchers.

A spokesperson from Perplexity, Jesse Dwyer, called the research a “publicity stunt” in a statement for The Verge . Dwyer added that there are “misunderstandings” in Cloudflare’s report.

Cloudflare has been developing multiple tools to help publishers prevent unauthorized AI crawling. In March, Cloudflare released “AI Labyrinth, ” a tool that redirects unauthorized crawlers into AI-generated content mazes. Last month, it launched “Pay Per Crawl,” a system to charge AI bots for accessing publishers’ content.