Cyberwire Daily

New Wave of AiTM Phishing Targets TikTok for Business

By Team-CWD | March 27, 2026


Cybercriminals have recently deployed a new set of phishing pages designed to target TikTok for Business accounts by using TikTok- or Google-themed content.

Push Security said it had identified a new wave of Adversary-in-the-Middle (AiTM) phishing pages registered on March 24 within a nine-second window.

The pages in the cluster were all hosted behind Cloudflare with the same registrar, Nicenic International Group, which Push Security said is commonly abused for bulk phishing domain registration.

The pages feature a common naming convention, being various derivations of welcome.careers*[.]com. The list of malicious domains in this style is expected to grow as the campaign ramps up, according to Push Security researchers.
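The registration traits described above (one registrar, a shared naming convention, creation times seconds apart) can be turned into a hunt over enriched DNS or proxy logs. The following is an added example, not code from Push Security or from this article; the hostnames, the second registrar, the timestamps and the `min_domains` threshold are constructed placeholders, and the regex reads the `*` in the reported pattern as a wildcard.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The article's defanged pattern welcome.careers*[.]com, with * read as a wildcard.
NAME_RE = re.compile(r"^welcome\.careers[a-z0-9-]*\.com$", re.IGNORECASE)

# Constructed records: (hostname seen in DNS/proxy logs, registrar and creation
# time of its registered domain). All names and times are placeholders.
SAMPLE_RECORDS = [
    ("welcome.careers-placeholder-a.com", "Nicenic International Group", "2026-03-24T10:15:01"),
    ("welcome.careers-placeholder-b.com", "Nicenic International Group", "2026-03-24T10:15:03"),
    ("welcome.careers-placeholder-c.com", "Nicenic International Group", "2026-03-24T10:15:06"),
    ("welcome.careers-placeholder-d.com", "Nicenic International Group", "2026-03-24T10:15:09"),
    ("welcome.careers-placeholder-e.com", "Nicenic International Group", "2026-03-24T18:00:00"),
    ("welcome.careers-placeholder-f.com", "Constructed Registrar LLC", "2026-03-24T10:15:04"),
    ("www.placeholder-shop.com", "Nicenic International Group", "2026-03-24T10:15:05"),
]


def find_bursts(records, window_seconds=9, min_domains=3):
    """Cluster pattern-matching hostnames whose domains were created through
    one registrar within window_seconds of each other."""
    by_registrar = defaultdict(list)
    for host, registrar, created in records:
        if NAME_RE.match(host):
            by_registrar[registrar].append((datetime.fromisoformat(created), host.lower()))

    window = timedelta(seconds=window_seconds)
    clusters = []
    for registrar, rows in by_registrar.items():
        rows.sort()
        start = 0
        while start < len(rows):
            end = start
            # Extend the window while the next creation time is close enough.
            while end + 1 < len(rows) and rows[end + 1][0] - rows[start][0] <= window:
                end += 1
            if end - start + 1 >= min_domains:
                span = rows[end][0] - rows[start][0]
                clusters.append({
                    "registrar": registrar,
                    "domains": [h for _, h in rows[start:end + 1]],
                    "span_seconds": int(span.total_seconds()),
                })
                start = end + 1
            else:
                start += 1
    return clusters
```

On the constructed sample, only the four hostnames created within the window through the same registrar form a cluster; the later registration, the different registrar and the non-matching hostname are left out.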

While the initial delivery mechanism has not been confirmed, Push Security said it is likely similar to a previously identified campaign reported by Sublime in October, which used dynamically generated emails and featured a cloned Google Careers page.

When clicked, the link initially redirects users through a legitimate Google Cloud Storage site before loading the malicious page.

The site employs a Cloudflare Turnstile check to prevent security bots from analyzing the page.

Victims are presented with either TikTok- or Google-themed content. As users progress through the workflow, they are ultimately directed to an AiTM phishing page.

In this instance the victim is required to complete a basic information form before being served with a malicious login page that is in fact fronting a reverse proxy AiTM phishing kit.

Why Threat Actors Target TikTok

TikTok for Business accounts are commonly used by company marketing teams to manage advertising campaigns.

Push Security said the targeting of TikTok is “notable” given that most phishing pages the threat researchers intercept tend to replicate SSO platforms like Google and Microsoft.

“TikTok seems a weird choice at first glance. But it makes more sense when we consider that TikTok has been historically abused to distribute malicious links and social engineering instructions,” Push Security said in a blog published on March 26.

The platform has been used to deliver infostealers via ClickFix-style instructions, with AI-generated videos posing as activation guides for Windows, Spotify and CapCut.

The social media platform is also a “common hunting ground” for crypto scammers.

It was noted that since most users will opt to “log in with Google,” anyone using Google to log in to their TikTok account will effectively have both accounts used to distribute ads compromised in one go. This could start a Google Ad Manager exploitation chain where cybercriminals target ad manager accounts to power malvertising scams.
