A new wave of credential theft campaigns shows how TikTok for Business accounts are being targeted with adversary-in-the-middle (AitM) phishing that uses advanced evasion tactics to bypass traditional security controls.

Security researchers from Push Security have uncovered a sophisticated phishing operation designed to hijack TikTok for Business accounts, which are increasingly valuable to cybercriminals because of their role in advertising and brand promotion. Compromised accounts can be weaponized for malvertising, fraud campaigns, and large-scale malware distribution.

The attack begins with social engineering. Victims are lured into clicking malicious links that redirect them to fake pages impersonating either TikTok for Business or job-related portals such as Google Careers. These pages often include prompts such as scheduling a call, which makes them appear legitimate and business relevant.

A key innovation in this campaign is the use of Cloudflare Turnstile checks, which are designed to distinguish human users from bots. Threat actors exploit this mechanism to block automated security scanners, ensuring that only real users are shown the malicious phishing interface.

Once past this layer, victims are presented with an adversary-in-the-middle phishing page. Unlike a traditional static phishing page, this technique acts as a reverse proxy between the victim and the legitimate login service. As users enter their credentials and multi-factor authentication codes, the proxy relays them to the real service and captures the resulting session cookies in real time, effectively bypassing MFA protections.

Researchers noted that TikTok has increasingly become a cybercrime vector. The platform has previously been abused to distribute malicious links and social engineering content, including videos that trick users into downloading infostealers such as Vidar, StealC, and Aura Stealer.

The infrastructure behind the campaign also reflects a high level of automation. Multiple phishing domains were registered within seconds and hosted behind the same network services, indicating coordinated deployment. These domains typically follow a consistent naming pattern and are used to rotate attack surfaces quickly, making detection and takedown more difficult.

Another concerning aspect is the risk tied to single sign-on (SSO). Many business users access TikTok through Google accounts. If such an account is compromised, attackers can gain access not only to TikTok but also to connected services such as email, cloud storage, and advertising platforms, amplifying the potential damage.

Parallel research has also identified a separate phishing campaign using SVG attachments to deliver malware in targeted regions, further highlighting how attackers are diversifying delivery methods and exploiting less scrutinized file formats.

The rise of AitM phishing against TikTok for Business accounts underscores a broader shift in cyber threats toward identity-based attacks that exploit trust rather than system vulnerabilities. As attackers continue to refine evasion techniques and leverage legitimate infrastructure, organizations must adopt stronger verification practices, enforce phishing-resistant authentication, and improve user awareness to defend against increasingly sophisticated credential theft campaigns.
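As an added illustration of why the phishing-resistant authentication recommended here defeats the reverse-proxy technique described above (example code, not from Push Security or the article): a simplified WebAuthn-style relying party check. The RP identifier, origins and credential secret are constructed placeholders, and an HMAC stands in for the authenticator's asymmetric signature; the origin binding that the RP checks is the real mechanism.

```python
import hashlib
import hmac
import json
import secrets

# Constructed placeholders (RP id, origins, credential secret), not campaign values.
RP_ID = "rp.example"
RP_ORIGIN = "https://rp.example"

class RelyingParty:
    """Server side of the login. HMAC keys stand in for WebAuthn public keys."""
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.credentials = {}    # credential_id -> verification key
        self.challenges = set()  # outstanding one-time challenges

    def verify(self, credential_id, client_data, auth_data, signature):
        # Standard WebAuthn assertion checks. A reverse proxy can relay challenge and
        # response unchanged, but cannot rewrite the browser-supplied origin.
        data = json.loads(client_data)
        key = self.credentials.get(credential_id)
        if key is None or data.get("type") != "webauthn.get":
            return False
        if data.get("challenge") not in self.challenges:
            return False  # unknown or replayed challenge
        if data.get("origin") != self.origin:
            return False  # signed while the user was on the phishing origin
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False  # rpIdHash mismatch
        signed = auth_data + hashlib.sha256(client_data).digest()
        if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), signature):
            return False
        self.challenges.discard(data["challenge"])  # one-time use
        return True

def browser_sign(key, rp_id, page_origin, challenge):
    """Browser + authenticator response: the browser, not the page, fills in origin.
    HMAC stands in for the authenticator's asymmetric per-credential signature."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01\x00\x00\x00\x00"
    sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, auth_data, sig

def login_attempt(page_origin):
    # Full exchange; True only if the RP accepts an assertion produced on page_origin.
    rp, key = RelyingParty(RP_ID, RP_ORIGIN), secrets.token_bytes(32)
    rp.credentials["cred-1"] = key
    rp.challenges.add(challenge := secrets.token_hex(16))  # the proxy relays this unchanged
    return rp.verify("cred-1", *browser_sign(key, RP_ID, page_origin, challenge))
```

A real browser additionally refuses to use the credential at all when the page's domain does not match the RP id; the simulation forces the signature so that the server-side origin check is visible. Contrast this with a relayed password or TOTP code, which carries no information about where the user typed it.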
