AiTM Phishing Campaign Targets TikTok for Business Accounts

A Coordinated Attack on Digital Advertisers

Security researchers have spotted a fresh, highly coordinated phishing operation aimed at TikTok for Business accounts. The campaign uses an Adversary-in-the-Middle (AiTM) technique: the attackers place their own server between the user and the legitimate service and relay the traffic, so everything the user sends, and everything the service sends back, passes through their hands.

Push Security identified a cluster of malicious pages all registered within a nine-second window on March 24. That timing points to an automated, large-scale operation rather than hand-built lures. The pages sit behind Cloudflare, which hides the real hosting infrastructure, and were registered through Nicenic International Group, a registrar frequently used for bulk phishing domain registrations.

How the TikTok Phishing Trap Works

The attack begins with a deceptive link, most likely delivered in a convincingly crafted email. The exact delivery method isn't confirmed, but the setup mirrors a previous campaign that used fake Google Careers pages. Clicking the link first routes you through a page hosted on Google Cloud Storage, a legitimate service whose trusted domain lends the link credibility and makes it less likely to be blocked by URL filtering, before sending you on to the malicious page.

To evade automated security scanners, the site first presents a Cloudflare Turnstile check, which most crawlers and URL sandboxes cannot pass. Once past this gate, victims see a professional-looking page themed around either TikTok or Google careers. The process seems normal: fill out a basic form, then proceed to login.

That login page is the heart of the scam. It is not a real TikTok page but a reverse proxy: as you type your credentials, the AiTM kit captures them and relays them to the genuine TikTok server, so the login completes normally and nothing looks wrong. Because the proxy relays the whole exchange, any one-time MFA code is forwarded just the same, and the session cookie the real service issues afterwards passes back through the proxy too. With that cookie in hand, the attackers can use the account without ever logging in themselves.
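To make that mechanism concrete, here is an added, in-memory model of an AiTM relay. It is written for this page and is not code from the kit Push Security analysed or from TikTok; the upstream service, host names, password and one-time code are all hypothetical. The point it demonstrates is that the proxy never has to defeat MFA: it forwards the code unchanged and keeps the session cookie the real service issues afterwards.

```python
"""In-memory model of an AiTM credential/session relay (constructed example)."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs
import secrets


@dataclass
class Request:
    host: str                                  # Host header the client sent
    path: str
    body: str = ""                             # form-encoded POST body, "" for GET
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    set_cookie: dict = field(default_factory=dict)   # name -> (value, cookie domain)


class Upstream:
    """Stand-in for the genuine login service (hypothetical host, not TikTok's)."""
    HOST = "login.upstream-example.test"

    def __init__(self, password, totp):
        self._password, self._totp = password, totp
        self.sessions = set()                  # session ids the service considers valid

    def handle(self, req):
        if req.path == "/login" and req.body:
            form = parse_qs(req.body)
            # password AND one-time code are checked: MFA is "on" for this account
            if form.get("password") == [self._password] and form.get("otp") == [self._totp]:
                sid = secrets.token_hex(16)
                self.sessions.add(sid)
                return Response(302, "redirect to dashboard", {"session": (sid, self.HOST)})
            return Response(401, "bad credentials")
        if req.path == "/ads/dashboard":
            ok = req.cookies.get("session") in self.sessions
            return Response(200, "dashboard") if ok else Response(401, "login required")
        return Response(200, "login form")


class AitmProxy:
    """Reverse proxy on the lure host: relays every request and keeps what passes through."""

    def __init__(self, phish_host, upstream):
        self.phish_host, self.upstream = phish_host, upstream
        self.captured_credentials = []         # form fields seen in POST bodies
        self.captured_cookies = {}             # session cookies issued by the upstream

    def handle(self, req):
        # 1. the password and the OTP are readable in transit; record them
        if req.body:
            form = {k: v[0] for k, v in parse_qs(req.body).items()}
            if "password" in form:
                self.captured_credentials.append(form)
        # 2. forward to the real service with the Host header rewritten, so the
        #    upstream sees an ordinary login and performs its own MFA check
        resp = self.upstream.handle(Request(self.upstream.HOST, req.path, req.body, dict(req.cookies)))
        # 3. keep the session cookie the upstream issues, then re-scope it to the
        #    phishing host so the victim's browser keeps talking to the proxy
        rewritten = {}
        for name, (value, _domain) in resp.set_cookie.items():
            self.captured_cookies[name] = value
            rewritten[name] = (value, self.phish_host)
        return Response(resp.status, resp.body, rewritten)


def run_exchange():
    """Victim logs in (with MFA) through the proxy; attacker replays the cookie directly.
    Returns (victim status, attacker status, captured credential forms)."""
    upstream = Upstream(password="hunter2", totp="123456")
    proxy = AitmProxy("welcome.careers-example.test", upstream)      # hypothetical lure host
    victim = proxy.handle(Request(proxy.phish_host, "/login",
                                  "user=ads-admin&password=hunter2&otp=123456"))
    # The attacker never touches the password or the OTP again: the captured
    # session cookie alone opens the account on the real service.
    attacker = upstream.handle(Request(Upstream.HOST, "/ads/dashboard",
                                       cookies={"session": proxy.captured_cookies["session"]}))
    return victim.status, attacker.status, proxy.captured_credentials


if __name__ == "__main__":
    print(run_exchange())
```

The victim's login succeeds (302 from the real service) and the attacker's cookie replay is accepted (200) without a second password or OTP. Note what the model leaves out on purpose: a FIDO2 key or passkey would refuse to sign for the lure host's origin, which is why the relay fails against phishing-resistant authentication but not against one-time codes.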

Why TikTok for Business is a Lucrative Target

At first glance, TikTok seems an unusual focus for credential phishing. Most AiTM kits go after the identity providers behind Single Sign-On (SSO), such as Google or Microsoft. So why the shift?

TikTok for Business accounts are the digital wallets for company advertising. Marketing teams use them to fund and manage campaigns, often with significant budgets attached. Compromising one of these accounts is like stealing the keys to a company’s promotional treasury.

There's another, more sinister angle. Many users sign in to TikTok with "Log in with Google". When that is the path the proxy relays, a single phish yields two accounts at once: the TikTok ad manager and the Google account behind it. From there the attackers could hijack Google Ad Manager accounts to run malicious advertising (malvertising) or drain the budgets of both platforms.

The Bigger Threat Landscape

This campaign didn't emerge from a vacuum. TikTok's platform has a history of being abused by threat actors. It has served as a distribution channel for infostealer malware, often disguised as "ClickFix"-style tutorials, with AI-generated videos posing as software activation guides.

The platform is also a known hunting ground for cryptocurrency scammers. By targeting the business and advertising side, attackers are simply following the money upstream. They’re moving from scamming individual users to directly attacking the corporate financial mechanisms on the platform.

The domains used in this attack follow a predictable naming pattern, variations on welcome.careers*[.]com, which makes them easy to hunt for in proxy and DNS logs. Security experts warn the list will almost certainly grow as the campaign expands, so a static blocklist is only a stopgap. Because an AiTM proxy relays one-time codes as readily as passwords, the defences that actually hold are phishing-resistant authentication (FIDO2 security keys or passkeys, which are bound to the real origin and will not sign for a lookalike host) and prompt revocation of active sessions when an account is suspected of compromise. For any team managing social media advertising, that vigilance is no longer optional; it is a core business defence.
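As an added hunting example (written for this page, not from Push Security's report), the following Python runs two checks over constructed web-proxy log lines: the welcome.careers*[.]com naming pattern quoted above, and the redirect chain described earlier in the article, a hop from a legitimate Google Cloud Storage URL to an unknown host that later receives a login POST. The log format, the allowlist of legitimate login hosts and every sample entry are assumptions for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed web-proxy log: "timestamp user method url referer" ('-' = no referer).
# These lines are invented for the example; they are not telemetry from the report.
SAMPLE_LOG = """\
2025-03-24T09:00:01Z alice GET https://storage.googleapis.com/assets-cdn/go.html -
2025-03-24T09:00:02Z alice GET https://welcome.careers-hub.com/ https://storage.googleapis.com/assets-cdn/go.html
2025-03-24T09:00:05Z alice GET https://welcome.careers-hub.com/apply?brand=tiktok https://welcome.careers-hub.com/
2025-03-24T09:00:40Z alice POST https://welcome.careers-hub.com/login https://welcome.careers-hub.com/apply?brand=tiktok
2025-03-24T10:12:00Z bob GET https://ads.tiktok.com/login https://www.tiktok.com/
2025-03-24T10:12:30Z bob POST https://ads.tiktok.com/login https://ads.tiktok.com/login
2025-03-24T11:00:00Z carol GET https://careers.google.com/ https://www.google.com/
"""

# Naming pattern quoted in the report: welcome.careers*[.]com
LURE_HOST = re.compile(r"^welcome\.careers[^./]*\.com$", re.IGNORECASE)
# Legitimate services the campaign uses as a first hop to borrow a trusted domain
TRUSTED_HOPS = {"storage.googleapis.com"}
# Hosts where a login POST is expected (assumed allowlist for the example)
LEGIT_LOGIN_HOSTS = {"ads.tiktok.com", "www.tiktok.com", "accounts.google.com"}


def parse(line):
    """Split one log line into the fields the rules need; hosts are lower-cased."""
    ts, user, method, url, referer = line.split(" ", 4)
    u = urlsplit(url)
    ref_host = urlsplit(referer).netloc.lower() if referer != "-" else ""
    return {"ts": ts, "user": user, "method": method.upper(),
            "host": u.netloc.lower(), "path": u.path.lower(), "ref_host": ref_host}


def hunt(log_text):
    """Return sorted, de-duplicated (user, rule, host) alerts for two indicators:
    1. ioc-pattern: any request to a host matching the welcome.careers*.com pattern;
    2. login-after-trusted-hop: a login POST to a non-allowlisted host that the same
       user first reached via a redirect from a trusted hop such as Google Cloud Storage."""
    alerts = set()
    hop_targets = defaultdict(set)          # user -> hosts entered from a trusted hop
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if LURE_HOST.match(ev["host"]):
            alerts.add((ev["user"], "ioc-pattern", ev["host"]))
        if ev["ref_host"] in TRUSTED_HOPS and ev["host"] not in LEGIT_LOGIN_HOSTS | TRUSTED_HOPS:
            hop_targets[ev["user"]].add(ev["host"])
        if (ev["method"] == "POST" and "login" in ev["path"]
                and ev["host"] in hop_targets[ev["user"]]):
            alerts.add((ev["user"], "login-after-trusted-hop", ev["host"]))
    return sorted(alerts)


if __name__ == "__main__":
    for user, rule, host in hunt(SAMPLE_LOG):
        print(f"{user}: {rule} -> {host}")
```

Only alice trips both rules; bob's genuine TikTok login and carol's visit to Google Careers stay silent. The second rule is the one worth keeping as the domain list grows, since it keys on the behaviour (trusted hop, then a login POST to an unfamiliar host) rather than on names the attackers can rotate.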
