The “Invisible Challenge” on TikTok encourages users to pose naked, relying on a filter to cover up the NSFW content.
Sure, it’s slightly more scandalous than the app’s typical dance trends and lip-synching challenges. But the real danger lies in users using the trend to spread malware, according to cybersecurity firm Checkmarx, which recently discovered that hackers have hijacked the trend in order to steal victims’ personal information.
Yesterday, Checkmarx found that two TikTok accounts, which have since been deleted, were directing people to a Discord server named "Space Unfilter" that had 32,000 members before it was removed. Once there, the hackers instructed individuals to download software that promised to reveal unfiltered versions of the content. But instead of showing nudes, the link delivered WASP—information-stealing malware that can access passwords, crypto wallets and credit card information—hidden inside lines of code.
Once downloaded, the malware provides hackers with access to victims’ devices, where they can harvest information from users’ Discord accounts and access other computer files.
It makes sense that hackers are turning to seemingly innocuous video trends as the latest method to find new victims. TikTok has one billion users and, despite calls to ban the app, it remains the most popular app amongst teens and young adults—people who tend to be vulnerable to these types of scams.
Nonetheless, this isn’t the first time that TikTok has been used in this manner. In February, Microsoft found that attackers were sending deceptive links that would allow them to access sensitive information linked to TikTok accounts on Android devices. And in 2020, hackers were able to push fake videos onto the app by accessing a user’s router, ISP or VPN and altering pre-existing videos. At the time, cybersecurity experts were worried that this flaw would be used to spread misinformation related to the upcoming election. TikTok has since fixed the vulnerabilities that led to both attacks.
Other social media platforms have also been susceptible to these types of attacks. In 2017, Russian hackers used the comment section of a Britney Spears Instagram photo to share a malware link. Three years later, hackers were able to spy on Instagram users by sending them malicious images via Instagram DM. And in October, Meta found that over 400 apps designed to steal Facebook login information were disguised as photo editors or games.
This latest incident, however, comes at a time when cybersecurity experts are warning of potential ways in which large-scale tech layoffs could leave users more vulnerable to hackers.
According to Checkmarx, however, this latest approach to collecting personal information indicates that “attackers have become increasingly clever.” Regardless of the platform, it's important for users to be wary of unidentified links—no matter how enticing the promised content may be.