Threat actors are targeting TikTok for Business accounts with a phishing campaign that uses Cloudflare Turnstile checks and Google Storage-hosted pages to evade security bots. Attackers use NiceNIC-registered domains and reverse-proxy fake login pages to capture credentials and session cookies, enabling account takeover even when 2FA is active.
Key points
- Threat actors target TikTok for Business accounts to facilitate malvertising, ad fraud, and the spread of malicious content.
- The campaign uses Cloudflare Turnstile checks to block bots and prevent automated analysis of malicious pages.
- Malicious domains were registered via NiceNIC and hosted in a common Google Storage bucket.
- Phishing pages impersonate TikTok for Business and Google Careers, using a reverse proxy to steal credentials and session cookies and bypass 2FA.
- Because many business users sign in via Google SSO, compromised credentials can lead to simultaneous takeover of TikTok and Google accounts, so users should verify domains and use passkeys.
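The domain verification advised above can be run over sign-in URLs pulled from proxy or browser logs; this is an added example, not code from the original report. The trusted host list, the brand keywords and every sample URL are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts your users genuinely sign in on. Adjust for your tenant.
TRUSTED_SIGNIN = ("tiktok.com", "accounts.google.com")
# Google-owned object storage: anyone can publish a page there, so a
# sign-in form served from it is never the real login.
SHARED_HOSTING = ("storage.googleapis.com",)
BRANDS = ("tiktok", "google")  # assumed brand keywords to watch for

def _under(host, domain):
    """True if host is domain or a subdomain of it (dot boundary enforced)."""
    return host == domain or host.endswith("." + domain)

def classify(url):
    """Classify a URL that presented a sign-in form to a user."""
    parts = urlsplit(url)
    # .hostname drops any userinfo ("trusted.com@real-host") and the port.
    host = (parts.hostname or "").rstrip(".").lower()
    if not host or parts.scheme != "https":
        return "suspicious:not-https-or-no-host"
    if any(_under(host, d) for d in SHARED_HOSTING):
        return "suspicious:shared-hosting"
    if any(_under(host, d) for d in TRUSTED_SIGNIN):
        return "trusted"
    # Brand name anywhere in the URL, but host is not a trusted sign-in host.
    if any(b in url.lower() for b in BRANDS):
        return "suspicious:brand-lookalike"
    return "unknown"

def flagged(urls):
    """Return (url, verdict) pairs for every suspicious URL."""
    verdicts = ((u, classify(u)) for u in urls)
    return [(u, v) for u, v in verdicts if v.startswith("suspicious")]

# Constructed sample URLs (reserved .example names, not real indicators).
SAMPLE = [
    "https://ads.tiktok.com/login",
    "https://storage.googleapis.com/example-bucket/index.html",
    "https://tiktok.com.business-login.example/",
    "https://accounts.google.com@careers-portal.example/signin",
    "https://nottiktok.com/login",
]

if __name__ == "__main__":
    for url, verdict in flagged(SAMPLE):
        print(f"{verdict:30} {url}")
```

A check like this only narrows what an analyst has to review; passkeys remain the stronger control because the browser ties the credential to the real origin.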