Threat actors have launched a new phishing campaign targeting TikTok for Business accounts, taking advantage of the platform’s high potential for abuse in malvertising campaigns, ad fraud, and distribution of malicious content. Security researchers from Push Security identified that the campaign prevents security bots from analyzing the pages, allowing attackers to operate undetected. The campaign uses a sophisticated attack flow that redirects victims through legitimate Google Storage URLs before serving malicious content hosted behind Cloudflare, which employs Turnstile checks to block automated detection systems.
The phishing pages replicate both TikTok for Business login screens and Google-themed “Schedule a Call” pages, forcing users to submit basic information before they reach a reverse-proxy AiTM (adversary-in-the-middle) phishing kit. While the initial delivery method remains unclear, it likely involves dynamically generated emails similar to techniques observed in previous campaigns targeting Google Ad Manager accounts. In those campaigns, attackers harvested credentials and deployed ClickFix-style malware, including infostealers and remote access tools, while siphoning advertising budgets through fraudulent campaigns. This continuity suggests deliberate targeting of platforms where business accounts carry significant influence.
TikTok has historically been exploited to spread malicious content, including information-stealing malware and cryptocurrency scams through fake promotions. Attackers are drawn to TikTok for Business accounts due to their credibility and extended reach, and the integration with Google login credentials further expands the attack surface. If business users log in using Google, attackers can gain access to both accounts, opening avenues for ad fraud, data theft, and further compromise of connected applications. Campaigns of this nature leverage social engineering and technical sophistication, reflecting a broader trend of targeting high-value digital assets for financial gain.
Push Security researchers noted that the phishing pages were registered on March 24 through NiceNIC and hosted on Cloudflare, with all domains following a consistent naming convention. The initial cluster includes domains such as welcome.careerscrews[.]com, welcome.careerstaffer[.]com, and welcome.careersworkflow[.]com, among others. The pages are hosted on a single Google Storage bucket, and any files or linked pages associated with that bucket are considered malicious. Organizations using TikTok for Business are urged to exercise caution when receiving unsolicited links, verify login pages carefully, and monitor for unusual activity to mitigate exposure to these sophisticated phishing attacks.
The campaign underscores the growing risks faced by social media business accounts and highlights the need for advanced browser-based security measures. Push Security provides protection against browser-based threats, including AiTM phishing, credential stuffing, malicious extensions, and session hijacking, offering enterprises the ability to proactively identify and mitigate vulnerabilities across applications and services used by employees. This campaign illustrates the evolving tactics cybercriminals employ to exploit trusted platforms for financial and data-related gains.