TikTok for Business accounts targeted in phishing campaign — here's how to stay safe
Be careful not to click any shady links
- Push Security uncovers phishing campaign targeting TikTok Business accounts
- Attackers use Google Storage links and AITM kits to steal credentials, cookies, and MFA codes
- Compromised accounts exploited for fraudulent ad campaigns and infostealer distribution via fake TikTok content
If your business is running a TikTok account, be careful - hackers are going after your login credentials with a sophisticated phishing attack.
A new report from Push Security outlines a campaign which most likely starts with a phishing email. Although this is not confirmed, Push found a malicious link that routes victims through a legitimate Google Storage URL to appear trustworthy, before redirecting to one of almost a dozen malicious landing pages, all registered with the same shady registrar (Nicenic International Group, allegedly commonly abused for bulk phishing domain registration).
When the victim clicks the link, a Cloudflare Turnstile check is first triggered to block security bots, after which the victim is shown a fake landing page. This page mimics either TikTok for Business, or sometimes Google Careers. They are then asked to fill out a basic form (for scheduling a call, or similar), and later redirected to a fake login page.
Stealing both TikTok and Google
The login page is actually an Adversary-in-the-Middle (AITM) phishing kit acting as a reverse proxy, capturing login details and session cookies in real time. Furthermore, the kit also allows the attacker to steal MFA codes, work around them, and gain full access to people’s accounts.
The problem is further exacerbated for people who use Google's single sign-on feature, since they give away access to both platforms, allowing the attackers to run fraudulent ad campaigns through their (vetted) accounts using their funds:
“It’s worth pointing out too that many/most business users will opt to “log in with Google.”
This means that anyone using Google to login to their TikTok account will effectively have both accounts used to distribute ads compromised in one go, opening up the typical Google Ad Manager exploitation playbook — as well as accessing any further apps accessible via SSO for data theft and extortion,” Push explained.
“This has become the standard MO for attackers, in campaigns such as the Scattered Lapsus$ Hunters AITM phishing spree earlier this year, and their recent spate of device code phishing attacks.”
Weird choices
The researchers also said that while it makes sense to target Google accounts, TikTok was a "weird choice at first glance". However, knowing how TikTok has historically been abused, with great success, changed their perspective.
What they are referring to is the fact that there are plenty of fake instruction videos on TikTok: countless AI-generated and otherwise manipulated clips showing users how to "activate" Windows, or turn on "hidden", "premium", or bonus features for Spotify, CapCut, and other apps, tools, and services.
The descriptions of these fake instruction videos often come with download links, where victims think they will be getting these premium tools for free. What they actually get are infostealers: Vidar, StealC, Aura Stealer, and many others are powerful tools that can exfiltrate login credentials, cryptocurrency wallet data, cookies and session tokens, and much more.
One such video, Push Security says, has more than 500,000 views and more than 20,000 likes.
Another way of abusing TikTok is to promote fake campaigns through “influencers” and other popular individuals, such as Elon Musk, or Michael Saylor. These campaigns often invite people to register accounts on fraudulent cryptocurrency exchanges, or otherwise “invest” their money into scam projects.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.