AiTM Phishing - New Campaign Targets TikTok for Business
Basically, scammers are tricking TikTok users into giving away their login info.
A new AiTM phishing campaign is targeting TikTok for Business accounts using Google-themed login pages. This poses significant risks for marketing teams managing ads. Stay alert and protect your accounts from these scams.
What Happened
Cybercriminals have launched a new Adversary-in-the-Middle (AiTM) phishing campaign specifically targeting TikTok for Business accounts. Push Security uncovered this wave of phishing pages on March 24, all registered within a mere nine seconds. The pages, hosted behind Cloudflare, employ a common naming convention, featuring variations of welcome.careers. This indicates a coordinated effort to exploit TikTok's platform for malicious purposes.
These phishing pages are designed to mimic legitimate TikTok and Google login interfaces. When users click on the phishing links, they are first redirected through a legitimate Google Cloud Storage site, creating an illusion of safety. This tactic is similar to previous phishing campaigns that have successfully deceived users into providing sensitive information.
Who's Being Targeted
The primary targets of this campaign are TikTok for Business accounts, which are often managed by company marketing teams. These accounts play a crucial role in managing advertising campaigns on the platform. The targeting of TikTok is particularly notable because most phishing attempts typically focus on Single Sign-On (SSO) platforms like Google and Microsoft.
Interestingly, TikTok has a history of being exploited for malicious activities. The platform has been used to distribute harmful links and to carry out social engineering. Many users opt to log in using their Google accounts, which means that if a TikTok account is compromised, the associated Google account may also be at risk. This could potentially lead to a Google Ad Manager exploitation chain, further amplifying the threat.
Signs of Infection
Victims of this phishing campaign will encounter a series of steps that seem legitimate but ultimately lead to a malicious login page. Initially, users must fill out a basic information form before being redirected to the phishing page. This page is disguised as a login interface, utilizing a reverse proxy AiTM phishing kit to capture user credentials.
To make detection more difficult, the phishing sites employ a Cloudflare Turnstile check. Here the check serves to block security bots from analyzing the page, allowing the phishing operation to stay under the radar. Users should be cautious of any unsolicited login requests, especially those that appear to be from TikTok or Google.
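A hunting sketch for the redirect chain described above, added here as an example and not taken from Push Security or the original article: it scans web-proxy log lines for a Google Cloud Storage referrer handing off to an unfamiliar host that fits the welcome/careers naming. The log format, sample lines, naming regex and sign-in allowlist are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the article only says "variations of welcome.careers"; this regex
# is one reading of that naming convention, not a published indicator.
NAMING = re.compile(r"welcome.*careers|careers.*welcome")
GCS_HOST = "storage.googleapis.com"
# Assumption: domains your users legitimately sign in on; extend for your org.
KNOWN_SUFFIXES = ("google.com", "tiktok.com")

# Constructed proxy log lines, "user url referer" (not real traffic or IoCs).
SAMPLE_LOG = """\
alice https://storage.googleapis.com/bucket-x/index.html -
alice https://welcome.careers-portal.example/form https://storage.googleapis.com/bucket-x/index.html
bob https://accounts.google.com/signin https://www.tiktok.com/
carol https://news.example/article https://storage.googleapis.com/public/feed.html
"""

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def under(host, suffix):
    # Exact match or true subdomain; "evilgoogle.com" does not pass.
    return host == suffix or host.endswith("." + suffix)

def reasons_for(url, referer):
    """Return the reasons a request resembles the chain in the article."""
    dest, ref = host_of(url), host_of(referer)
    known = under(dest, GCS_HOST) or any(under(dest, s) for s in KNOWN_SUFFIXES)
    reasons = []
    if under(ref, GCS_HOST) and not known:
        reasons.append("handed off from Google Cloud Storage to unknown host")
    if NAMING.search(dest):
        reasons.append("host fits welcome/careers naming")
    return reasons

def hunt(log_text, min_reasons=2):
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        user, url, referer = parts
        reasons = reasons_for(url, referer)
        if len(reasons) >= min_reasons:
            hits.append((user, host_of(url), reasons))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Lowering `min_reasons` to 1 also surfaces any Google Cloud Storage hand-off to an unfamiliar host, which is noisier but does not depend on the naming guess.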
How to Protect Yourself
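To safeguard against this new wave of phishing attacks, users should take several proactive measures. First, always verify the URL of the login page before entering any credentials. Legitimate sites will have secure URLs, typically starting with https://, but https:// on its own proves nothing, because phishing pages are routinely served over https:// as well. Check that the domain in the address bar is one that actually belongs to TikTok or Google.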
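Additionally, enable two-factor authentication (2FA) on all accounts, particularly those linked to social media and advertising. This adds an extra layer of security, making it more difficult for attackers to gain unauthorized access. Because a reverse proxy AiTM kit sits between the user and the real login page, a code typed into the phishing page can be relayed along with the password, so prefer phishing-resistant methods such as passkeys or hardware security keys where they are available. Educating yourself and your team about the signs of phishing can also help reduce the risk of falling victim to these scams. Stay vigilant and report any suspicious activity to your IT department or security team.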
Infosecurity Magazine