Sophisticated Phishing Campaign Exploits Cloudflare Turnstile to Target TikTok Business Accounts
- John Jordan

- 4 hours ago
A new and concerning phishing campaign is actively targeting TikTok for Business accounts, employing advanced adversary-in-the-middle (AitM) techniques to bypass security measures and steal user credentials. This sophisticated operation leverages Cloudflare's Turnstile bot detection to appear legitimate, making it harder for automated systems and human users to identify the malicious intent.
Key Takeaways
- Threat actors are using AitM phishing pages to compromise TikTok for Business accounts.
- The campaign bypasses Cloudflare Turnstile, a bot detection service, to evade automated analysis.
- Compromised accounts can be weaponized for malvertising, ad fraud, and malware distribution.
- The phishing pages impersonate both TikTok for Business and Google Careers.
- The attack can potentially hijack accounts even with two-factor authentication enabled.
The Evolving Threat Landscape
Cybercriminals are increasingly targeting business accounts on social media platforms due to their potential for monetization through malicious advertising and malware distribution. TikTok, in particular, has a history of being exploited for spreading malicious links and social engineering tactics, often disguised as guides for software activation.
This latest campaign begins by luring victims with deceptive links. These links redirect users to pages that either mimic the official TikTok for Business interface or impersonate Google Careers pages, often with an option to schedule a call. The underlying goal remains the same: to capture sensitive login credentials.
Bypassing Security Measures
A critical aspect of this campaign is its ability to circumvent Cloudflare Turnstile. By successfully passing this bot detection mechanism, the phishing pages present a more convincing facade, making it difficult for security tools to flag them. Following this initial check, victims are presented with a malicious AitM phishing login page designed to steal their usernames and passwords.
The phishing pages are hosted on a series of domains that share similar naming conventions, all pointing to the same Google Storage bucket. These domains include variations like , , and , among others.
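As an added defender-side example (not from the article or the researchers' reporting), the following Python script scans constructed DNS-resolver log lines for brand-bearing hostnames outside trusted apex domains and groups them by the CNAME they resolve through, the shared-hosting pattern described above. The log format, the `.example` hostnames, and the trusted-domain list are assumptions.

```python
import re
from collections import defaultdict

# Constructed DNS-resolver log lines (sample data, not from the article):
# timestamp, client IP, queried name, and the CNAME the answer passed through ("-" if none).
SAMPLE_LOGS = """
2024-05-01T09:12:01Z client=10.0.0.5 qname=www.tiktok.com cname=-
2024-05-01T09:12:07Z client=10.0.0.5 qname=tiktok-business-verify.example cname=c.storage.googleapis.com
2024-05-01T09:13:22Z client=10.0.0.9 qname=ads.tiktok.com cname=-
2024-05-01T09:14:40Z client=10.0.0.9 qname=tiktokbusiness-login.example cname=c.storage.googleapis.com
2024-05-01T09:15:03Z client=10.0.0.12 qname=google-careers-interview.example cname=c.storage.googleapis.com
2024-05-01T09:15:10Z client=10.0.0.12 qname=careers.google.com cname=-
2024-05-01T09:16:55Z client=10.0.0.3 qname=cdn.example-corp.net cname=c.storage.googleapis.com
""".strip().splitlines()

LINE_RE = re.compile(r"client=(?P<client>\S+) qname=(?P<qname>\S+) cname=(?P<cname>\S+)")

# Brand tokens impersonated in this campaign, and the apex domains allowed to carry them
# (assumed allowlist; googleapis.com is included so Google's own storage names are not flagged).
BRAND_TOKENS = ("tiktok", "google")
LEGIT_APEX = {"tiktok.com", "google.com", "googleapis.com"}


def apex(qname: str) -> str:
    """Naive registrable domain: the last two labels (assumption: no public-suffix handling)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(qname: str) -> bool:
    """A name is a lookalike if it carries a brand token but its apex is not a trusted one."""
    name = qname.lower()
    return any(tok in name for tok in BRAND_TOKENS) and apex(name) not in LEGIT_APEX


def parse_line(line: str):
    """Return the client/qname/cname fields of one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def find_clusters(lines):
    """Group lookalike names by the CNAME they resolve through; two or more sharing a backend is the signal."""
    by_backend = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["cname"] != "-" and is_lookalike(rec["qname"]):
            by_backend[rec["cname"]].add(rec["qname"])
    return {backend: sorted(names) for backend, names in by_backend.items() if len(names) >= 2}


if __name__ == "__main__":
    for backend, names in find_clusters(SAMPLE_LOGS).items():
        print(f"{backend}: {', '.join(names)}")
```

Feeding real resolver or proxy logs through `find_clusters` surfaces lookalike names that share a hosting backend, which is the pivot described above; tune `BRAND_TOKENS` and `LEGIT_APEX` to your own environment.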
The Impact on Business Accounts
When victims enter their credentials on these fake pages, the threat actor can capture not only the login information but also session cookies. This allows for account hijacking, even if two-factor authentication (2FA) is enabled. Furthermore, many business account holders use Google Single Sign-On (SSO) for TikTok. This means a successful compromise of a Google account used for TikTok login could lead to the compromise of both accounts, significantly increasing the attacker's reach and capabilities.
Security experts advise users to exercise extreme caution with unsolicited invitations and job offers, especially those containing links. Always verify the domain name before entering any credentials and consider using passkeys for enhanced account security.
Sources
- AitM Phishing Targets TikTok Business Accounts Using Cloudflare Turnstile Evasion, The Hacker News.
- TikTok for Business accounts targeted in new phishing campaign, BleepingComputer.
