Accounts are vulnerable even with MFA
Criminals are targeting TikTok for Business accounts using session-stealing phishing kits.
Companies can use the TikTok for Business platform to manage their marketing efforts on the social network, with tools for advertising, analytics, and content creation. It has more than 225,000 brand users, according to the most recent available stats.
Businesses understandably want to advertise to TikTok’s 1.9 billion users – but with great reach comes great risk, to misquote Uncle Ben. Threat actors want to leverage that exposure for malvertising campaigns, ad fraud and distributing malicious content; it’s why social media accounts belonging to influencers, politicians and CEOs are under near-constant attack.
Push Security has detected a wave of adversary-in-the-middle (AITM) phishing pages designed to hijack TikTok for Business accounts. The domains were all registered on the same date (24 March) within a nine-second window, are hosted on Cloudflare, and share a registrar, Nicenic International Group, which Push notes is “commonly abused for bulk phishing domain registration.”
The domains follow a common naming convention (variants of welcome.careers*[.]com, such as welcome.careersstaffgrid[.]com or welcome.careersupskill[.]com) designed to trick users into clicking a malicious link. The links lead to either a cloned TikTok for Business page or a cloned Google Careers “schedule a call” page.
[Image: An example of a cloned TikTok for Business page. Image: Push Security]
After filling in some basic information, the victim reaches a login page that is in fact the front end of a reverse-proxy AITM phishing kit: it relays the login to the real service while capturing the credentials and the session cookies the service sets in response.
Because the proxy sits between the user and the legitimate service, the user completes the MFA challenge for real, and the attacker walks away with the authenticated session cookie. Replaying that cookie is enough to hijack the account, so multi-factor authentication (one-time codes or push approvals) does not stop this attack; only credentials bound to the site's origin, such as WebAuthn/FIDO2 keys, do.
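The following is an added example, not code from the article or from Push Security, that models the flow above in a few dozen lines: a toy service that issues a bearer session cookie after password plus TOTP, an attacker's reverse proxy on one of the lure domains that relays the login unchanged and keeps a copy of the cookie, and the attacker reusing that cookie. The second half shows why an origin-bound credential survives the same relay: the browser signs the origin it is actually on into the assertion, and the real service rejects anything not signed for its own origin. The origins, the user, the secrets and the HMAC stand-in for an authenticator signature are all constructed for the example; real WebAuthn uses an asymmetric key pair and the attacker would be running a real HTTP proxy rather than a Python object.

```python
"""Toy AITM model: session-cookie theft through a relaying proxy, and origin binding.
Everything here is constructed for illustration; HMAC-SHA256 stands in for the
authenticator's asymmetric signature."""
import hashlib
import hmac
import json
import secrets
import struct
import time

LEGIT_ORIGIN = "https://ads.tiktok.com"                # assumed origin of the real service
PHISH_ORIGIN = "https://welcome.careersstaffgrid.com"  # lure domain named in the article
VICTIM = "marketing@example.com"                        # constructed sample user


def totp(secret: bytes, step: int) -> str:
    """RFC 6238-style six-digit code for a 30-second step counter."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"


def _sign_client_data(key: bytes, client_data: dict) -> str:
    return hmac.new(key, json.dumps(client_data, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class Service:
    """The legitimate site: password + TOTP (or an origin-bound assertion), then a bearer cookie."""

    def __init__(self):
        self.users = {VICTIM: {"password": "hunter2",
                               "totp_secret": b"constructed-totp-secret",
                               "authn_key": b"constructed-authenticator-key"}}
        self.sessions = {}
        self._challenge = None

    def login(self, user, password, otp):
        rec = self.users.get(user)
        step = int(time.time()) // 30
        valid = {totp(rec["totp_secret"], step), totp(rec["totp_secret"], step - 1)} if rec else set()
        if not rec or password != rec["password"] or otp not in valid:
            return None
        cookie = secrets.token_hex(16)          # bearer token: whoever holds it is the user
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie):
        return self.sessions.get(cookie)

    def challenge(self):
        self._challenge = secrets.token_hex(16)
        return self._challenge

    def login_webauthn(self, user, assertion):
        rec = self.users.get(user)
        cd = assertion["client_data"]
        if not rec or not hmac.compare_digest(_sign_client_data(rec["authn_key"], cd), assertion["sig"]):
            return None
        if cd["challenge"] != self._challenge:
            return None
        if cd["origin"] != LEGIT_ORIGIN:         # the check a relaying proxy cannot satisfy
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie


def authenticator_sign(key: bytes, challenge: str, origin: str) -> dict:
    """Browser + authenticator: the origin the user is really on goes into the signed client data."""
    cd = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return {"client_data": cd, "sig": _sign_client_data(key, cd)}


class AitmProxy:
    """Attacker's reverse proxy on the lure domain: relays every request unchanged, keeps a copy."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.loot = []

    def login(self, user, password, otp):
        cookie = self.upstream.login(user, password, otp)
        self.loot.append({"user": user, "password": password, "otp": otp, "cookie": cookie})
        return cookie

    def challenge(self):
        return self.upstream.challenge()

    def login_webauthn(self, user, assertion):
        cookie = self.upstream.login_webauthn(user, assertion)
        self.loot.append({"user": user, "assertion": assertion, "cookie": cookie})
        return cookie


def run_mfa_bypass():
    """Victim logs in through the proxy with a correct TOTP; attacker replays the captured cookie."""
    svc, proxy = Service(), None
    proxy = AitmProxy(svc)
    otp = totp(svc.users[VICTIM]["totp_secret"], int(time.time()) // 30)
    proxy.login(VICTIM, "hunter2", otp)
    stolen = proxy.loot[-1]["cookie"]
    return svc.whoami(stolen)   # attacker hits the real service directly: no password, no OTP


def run_origin_bound_login(origin: str) -> bool:
    """Same relay, but the credential is bound to the origin the browser is on."""
    svc = Service()
    proxy = AitmProxy(svc)
    assertion = authenticator_sign(svc.users[VICTIM]["authn_key"], proxy.challenge(), origin)
    return proxy.login_webauthn(VICTIM, assertion) is not None


if __name__ == "__main__":
    print("cookie replay as:", run_mfa_bypass())
    print("origin-bound login from real site:", run_origin_bound_login(LEGIT_ORIGIN))
    print("origin-bound login via lure domain:", run_origin_bound_login(PHISH_ORIGIN))
```

The point of the model is that nothing in the first flow is broken: the password is right, the TOTP verifies, the service honestly sets a cookie. The only thing wrong is who is holding that cookie afterwards, which is why the defensive controls that matter here are origin-bound authenticators, short session lifetimes with re-authentication for sensitive actions (ad spend, payment details, user roles), and alerting when a session token is used from a new ASN or device.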
Push Security could not determine the attack’s original delivery mechanism, but believes it to be linked to a similar campaign observed last October.
Push also notes that many business users sign in to TikTok with the “log in with Google” option. Because the AITM proxy relays that Google login as well, a victim who uses it exposes both their TikTok and Google accounts to malicious activity.