image
As social media platform TikTok becomes the top App Store download in 2019 – and the number three app download on Google Play and on platforms overall – scammers are looking to cash in on the troves of younger users of the popular platform. Tenable researcher Satnam Narang, who has been tracking the platform for scams since March 2019, said that, while scams have been previously undocumented, he has come across several that are “in their infancy”. He expects that number to explode. These scams, already prevalent on Instagram and Twitter, revolve around adult dating as well as account impersonation to get more likes or follows, and in some cases can be extremely profitable for scammers. “I think as long as these platforms exist, and there are billions of users using them, you’re going to have scammers. It’s just sort of part of using these platforms,” Narang told Threatpost. Listen to the Threatpost podcast below, outlining the research – and for direct download of the podcast, click here. [ ](http://iframe%20style=border:%20none%20src=//html5-player.libsyn.com/embed/episode/id/10874135/height/360/theme/legacy/thumbnail/yes/direction/backward/%20height=360%20width=100%%20scrolling=no%20%20allowfullscreen%20webkitallowfullscreen%20mozallowfullscreen%20oallowfullscreen%20msallowfullscreen/iframe) Below is a lightly-edited transcript of the podcast. Lindsey O’Donnell: Hi everyone, welcome back to the Threatpost podcast. This is Lindsey O’Donnell with Threatpost and I’m here today with Tenable senior researcher Satnam Narang. Satnam, how are you doing today? Satnam Narang: I’m doing well, Lindsey, how are you? LO: I’m good just coming off of Black Hat craziness, so a little tired. So Tenable on the kind of outskirts of Black Hat has come out with some new research today about several popular scams that are taking a hold of the popular video platform TikTok, which is very prevalent. I mean, it’s the number one app for App Store downloads and the number three download overall in terms of apps. So with that kind of success, obviously comes security issues, as we’ve seen in the past with other apps and social media platforms. So Satnam, can you give us some context about TikTok, what do we need to know about the social platform as it relates to the attacks that you’ve outlined in your research? SN: So Lindsey, yeah, TikTok is really popular, as you just noted, it’s been gaining in popularity over the last year, they just actually recently celebrated their one year anniversary. Because TikTok merged with Musical.ly last year, and Musical.ly was a really popular platform as well. And earlier this year, they reached a milestone of 1 billion monthly active users, which is a pretty tremendous feat in the consideration that Instagram also recently, as of last year, crossed the 1 billion monthly active user mark. So if you think about how prevalent and popular Instagram is, you can definitely see that TikTok is just as popular, if not more popular, especially with the younger crowd. LO: Right for sure. And I feel like I keep seeing new research about scams that are hitting Instagram and Twitter and other social media platforms, but not so much TikTok. Is this the first time the platform has been scrutinized as a threat attack surface for potential scammers or attackers? SN: Well, so through our research, I found some historical references to some of these scams back on Musically, but it wasn’t until TikTok really exploded in popularity that scammers started to take notice of it being a legitimate platform for them to leverage for scams. So, in our research, I started looking into TikTok security back in March of this year. And what ended up coming across my feed were three types of scams, adult dating base scams, impersonation account scams, and then “get free followers and likes” scams, which is tried and true, one of the oldest scams in the book. LO: That definitely seems like those are prevalent on other platforms. But in terms of TikTok, which one of those three categories would be the most popular would you say? SN: Well, I think the most popular is definitely impersonation scams. That’s just because it’s really easy to do. All you have to do is essentially download videos of say popular TikTok creators like Salice Rose, or Baby Ariel, or Liza Koshy or if you’re regionally in another part of the world, you know, popular singers, like they have Neha Kakkar, or Salman Khan, who’s one of the biggest bollywood actors in the world. So taking their videos, either from TikTok directly if they’re on the platform, or from say Instagram and repurposing them on TikTok in order to gain followers. LO: So what would the end goal for that be for the scammers? Would it be essentially free followers and likes at the end of the day? SN: Yeah, so in the case of impersonation scams, the idea is rather than organically developing your own following, you’re taking advantage of an existing creator. So in this case, like Salice Rose, who’s a creator, has been around since the Vine days, also makes YouTube videos, leveraging her videos, claiming them to be your own, and then using a username that has some funky characters in there that look like they spell Salice Rose, but they’re a little bit different. And then, once you’ve developed enough of a following, what ends up happening as an impersonator in the case of Salice Rose, for example, you sort of tease to your followers who know you’re not really Salice Rose, that you’re going to reveal your true identity. And then you post the video with your real identity, say with an existing like TikTok sound, for example. And then you reveal yourself and then in some cases, you might even use the TikTok Live feature in order to sort of have a live conversation with some of your followers. And then ultimately, the goal is then to pivot from that impersonation account to your own personal account. So you’ll do this by changing all videos, by pulling down all the existing videos, changing the profile picture, but one quirk on TikTok that’s really interesting is is that you cannot change your TikTok username for 30 days. So once you change your name, you have to keep that name for 30 days. So if you claim to be the official Salice Rose, you’re gonna have to wait 30 days before you can change that username. LO: And you were mentioning to in the research that this isn’t just direct impersonation of the celebrity or TikTok celebrity. It’s also with fan pages or even second accounts that may be created. Or even you know, as you mentioned before Bollywood celebrities who may not even have an account. So it seems like it’s pretty rampant in that regard. SN: Yeah, and the most fascinating thing about the whole notion of like a backup or second account is that some people might not even question it, because in some ways, there’s this idea that maybe your primary account could be taken down. So you’ll have a secondary account, which is not like a unique phenomenon with TikTok, it’s something we’ve seen on other platforms, too. But what’s most fascinating to note about the TikTok research that we did was, there’s an example in the report, talking about Liza Koshy, who has over 14 million followers on TikTok, someone created a backup account for Liza Koshy, and that account also got verified by TikTok, which is pretty absurd if you think about it, because the primary Liza Koshy account is already verified. So you have two accounts that are verified. So for users, there’s a bit of confusion, like is this really that account like belonging to Liza Koshy, but what we found in our research was, if you go into the videos, they’re all repurposing content from the primary Liza Koshy account, the real one. And then they’re also promoting like another account. So they’re promoting a third account, trying to drive users to follow that account. So that’s the value there, they may never pivot that Liza Koshy backup account to their own personal one, but they’re leveraging the 400,000 plus followers that they have to try to gain followers on the third account. LO: That’s pretty surprising that a second account could be verified, because I feel like the mitigation here would be to check to make sure the account is verified that may be impersonating the celebrity or whatnot. So it really makes me question or at least think more about the vetting process that goes behind some of these accounts on TikTok, for sure. SN: And like you mentioned about the fact that there are also impersonators of those who may not even have a TikTok, that’s another issue that really doesn’t take notice, because you have users looking at these accounts and actually interacting with them, thinking to themselves, they’re actually interacting with that person, even though it’s not them, it’s another person impersonating them trying to drive traffic to their own personal account. LO: And when these scammers are driving that traffic to their own account, is there any advantage there behind gaining more followers or whatnot? Is there any sort of monetary value there? Is it more you know, for status and kind of having that type of popularity on their account? SN: Yeah, it’s really just about developing a following without actually putting in the work, right, normal creators on TikTok and other platforms have to create unique content that actually appeals to a wide swath of people. But in this case, all you’re doing is taking content from an existing creator, or popular celebrities, and then leveraging that in order to drive followers to the third account by saying, “hey, follow my friend so and so” when in actuality you are just promoting yourself. LO: Can you talk a little bit about also the other category that you touched upon in your research, which is that theme of adult dating and how scammers are using this category to trick end users on the platform as well – What did you find there? SN: Yeah, you know, adult dating theme scams have been around for a while, and it makes sense that they would percolate towards TikTok as it got popular. So in the case of TikTok scams, relating to adult dating, what we’ve seen are stolen videos from other platforms like Instagram, and Snapchat, posted on profiles, and what they’re doing these scammers is that they’re driving users to a different platform, they’re saying, “hey, check me out on Snapchat, or add me on Snapchat,” to see more explicit content in a way. And I surmise the reason for that is, in order to actually have people messaging you directly on TikTok, you need to provide a telephone number. So it’s possible that scammers don’t actually want to take that step in this case, and they’re just wanting to bypass that whole process and driving users to Snapchat. And when users from TikTok move to Snapchat by saying, you know, looking up that user from TikTok, they’ll be presented with sexually suggestive content or explicit content, saying, “Hey, you know, follow me here, if you want to see me naked on a camera, or if you want to hook up,” and then they direct them to what’s called a pre-lander page, or an intermediary page, which is used to drive users to the adult dating website. And essentially, the purpose for this is to ensure that there’s like an affiliate tag. So if you’re familiar with affiliate programs that are used by most e-commerce platforms, you basically give a cut to the person driving traffic to your website. So in the case of adult dating, when you direct someone to the adult dating website, if that user signs up, you’ll learn a cut of about $1 to $3 of that sign up. LO: It seems like there’s a dual purpose here, which is, as you were saying, this affiliate program to drive that kind of cost per action revenue, and then also tricking users to pay for fraudulent premium Snapchat accounts on the other end of the spectrum as well. It sounds like there’s kind of two things that are going into there. SN: Yeah, that one was very interesting, because that’s like a recent phenomenon that I’ve observed over the last, maybe two or three weeks or so – is that they’re moving away from the affiliate model and going directly to this concept of a premium Snapchat account, which is a real thing that’s been around for a while where Snapchat users who want to invite folks to view their more not safe for work content, will ask them to pay monthly fees, which could vary between $10 to $20 a month, depending on on the person and the platform. So scammers see that opportunity and what they’re doing is that they’re mimicking it. So they’re claiming to offer a premium Snapchat account where they’re going to show more explicit material. And then they’re asking users to go through PayPal, and pay them anywhere from $10 to $20. And essentially, what’s going to end up happening is once you end up paying that $10 or $20, you won’t get the premium content that you’re expecting. And the scammers will be getting more than the $1 to $3 that they would have gotten through the affiliate program. LO: With these figures that you’re talking about, in terms of the popularity of some of these dating scams accounts that you were tracking, you said that one that you saw, received over 34,000 likes and had over 12,000 followers. I mean, that could be extremely lucrative for a scammer in this case. SN: Yes, most definitely. And especially because, once again, when users are on the TikTok platform, they may or may not believe that the person they’re interacting with is the person that they’re claiming to be. So in the case of the adult dating scam accounts, you have users who comment on videos making suggestive comments back to the scammers. So obviously, there’s an interest there on the part of the users, which serves the whole purpose of the the ecosystem, right? You’re getting users to engage with your content, and then potentially sending them to Snapchat. And then from there, potentially turning them into an affiliate payout or a “premium Snapchats subscriber,” even though they’re not going to get what they’re looking for. LO: You mentioned earlier that the typical TikTok end user here would be kind of a younger audience, what might that have to do with how much of an issue this might be? Do you think that the younger audiences are more or less aware of this type of scam? SN: Well, I think in the case of this one, signing up for an adult dating website, there’s no limitations, right? They’ll ask you, “are you over the age of 18?” And as you know, anyone can just say, “Yes, I’m over the age of 18,” there’s no way to verify you’re over the age of 18. So getting any user to sign up for it is really simple. So it doesn’t matter if you’re below the age of 18, or over the age of 18. For an adult dating website, users will still be able to sign up for the platform, where you might have an issue is, there’s a certain type of lead called a premium lead, where you convert a user who signs up for an adult dating website into a premium subscriber. And that requires the user to provide a credit card number in order to sign up for the service. And in that case, if the user ends up providing a credit card number, the scammers could make up to maybe $50 to $60 for premium subscribers, so that’s the most lucrative payout. But on average, most of the payouts that they receive are for just generally driving users to these websites and getting them to sign up. So while the intention is to get anyone to sign up, the goal is to basically get anybody to sign up, it doesn’t matter how old they are. So even though TikTok might skew towards a younger audience, there’s no controls in place to prevent a younger user for signing up for one of these adult dating websites. LO: I’m curious too what top tips you would have for TikTok users to kind of watch out for these scams, because some of them are pretty sneaky. I mean, changing one letter in a username in order to impersonate an account is pretty hard to spot. What are some of the top tips you might have? SN: Well, I mean, obviously, you know, when you’re looking for users on TikTok, the verified creator badge would be one of the things you’d look for. But as we’ve reported in our research, that’s not always reliable indicator, because you have the case of the Liza Koshy impersonator, who managed to get verified. So it really just boils down to parsing through the content, looking at comments, because there are other users on the platform who do identify these scam accounts and say, “You’re not the real Liza Koshy, you’re not the real Salice Rose.” And you know, that usually is a good way to kind of gauge whether or not you’re interacting with the real account. And I think obviously too one of the other way to notice it, is you have like the Liza Koshy account, which has 14 million followers. That’s obviously a pretty good indicator that that’s going to be the real account. And then also just looking for telltale signs of what impersonation scams might look like. For the example of the Salice Rose impersonator, they start posting their own video content eventually. So you’ll have a mix of Salice Rose content or the original creator’s content, as well as scammer’s content. So when you see that that’s obviously a huge red flag. And in the other case… of Liza Koshy impersonator when they’re trying to drive you to follow other users, that’s usually a sign that you’re not dealing with the real person. Because the whole emphasis there is to get users to follow their third account. LO: Those are good tips. And just taking a step back. These scam and fake accounts are such an issue on social media platforms across the board, whether it’s Instagram or Twitter, and just the sheer number and types of scams to from you know, we’ve all seen scams around buying different types of Bitcoin or cryptocurrency to these types of adult dating scams that you’ve mentioned as well. So I have to ask, what do you think that these social media platforms can do – if anything – to kind of scrape away these types of fake accounts? Is the Report button really going to be enough? Is this just something that we need to deal with for the long term future? SN: Well, the Report button definitely helps. Because the more people reporting these accounts, the more likely they are to get taken down, which is really helpful for the platform to kind of take away all of the the fact that these cameras are so prevalent on all these platforms, whether it be TikTok, Instagram, Twitter, Snapchat – the reporting functionality is the users’ best bet. The platforms themselves, they do a really good job, and they do their best to try to deal with it. But the problem, Lindsey, is that scammers are relentless. When they see the popularity of platforms like Instagram and TikTok with 1 billion monthly active users, they see the potential to monetize that. And they’re going to continue need to hammer those platforms as best as they can. They’re going to find ways around some of the automated detection that might be placed all down their accounts, they might do things like alter the profile photos in a certain way, or, like you mentioned earlier with the usernames, use different usernames. We’ve also done research around Instagram scams recently that we published about a month ago, which talked about some of the methods that scammers are using to bypass some of the detection methods in place by Instagram, for example. So I think as long as these platforms exist, and there are billions of users using them, you’re going to have scammers. It’s just sort of part of using these platforms. So at the end of the day, it’s a combination of the users who are on the platform plus the folks on the abuse and security team working in tandem to do their level best and try to deal with this stuff. LO: Well hopefully reports like yours will better educate users to caution them for what to look out for. So it’s definitely a threat will be watching out for in the coming months, especially as TikTok grows even more popular. So let’s wrap the show up now Satnam thank you again for coming to talk to us about your new research today. SN: It was my pleasure, Lindsey. Thanks for having me. LO: Great. Thanks. And once again. This is the Threatpost podcast. Catch us next week for our next episode.

Source