- Push Security uncovers a phishing campaign targeting TikTok Business accounts.
- Attackers use Google Storage links and AITM kits to steal credentials, cookies and MFA codes.
- Compromised accounts are exploited for fraudulent advertising campaigns and for spreading malware via fake TikTok content.
If your business runs a TikTok account, be careful: hackers are going after your login details with a sophisticated phishing attack.
A new report from Push Security describes a campaign that most likely begins with a phishing email. Although the initial delivery vector is unconfirmed, Push found a malicious link that routes victims through a legitimate Google Storage URL to appear trustworthy, before redirecting them to one of nearly a dozen malicious landing pages, all registered through the same questionable registrar (Nicenic International Group, which has reportedly been widely used for mass phishing domain registration).
When the victim clicks the link, a Cloudflare Turnstile check is triggered first to keep out security scanners, after which the victim sees a fake landing page mimicking either TikTok for Business or, in some cases, Google Careers. They are asked to fill out a basic form (to schedule a call, or similar) and are then redirected to a fake login page.
Steal from both TikTok and Google
The login page is actually an Adversary-in-the-Middle (AITM) phishing kit acting as a reverse proxy, capturing login credentials and session cookies in real time. The kit also lets the attacker capture MFA codes, bypassing the second factor and gaining full access to the victim's account.
The problem is worse for people who use Google's single sign-on, since one set of credentials gives access to both platforms, letting attackers run fraudulent ad campaigns through the victim's (verified) accounts and spend their funds:
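The chain described above (trusted Google Storage first hop, off-platform landing page, then a brand-spoofing login page) is something a defender can score from the URLs alone. The following triage function is an added example, not code from Push Security or the report; the sample chains, the trusted-host set and the brand-to-domain map are constructed assumptions.

```python
from urllib.parse import urlparse

# Hosts that lend a link a trustworthy first hop (the report names Google Storage).
TRUSTED_LAUNDER_HOSTS = {"storage.googleapis.com"}

# Brand keyword -> registrable domains that legitimately carry that brand.
# Assumption: a defender maintains this for the brands their users log into.
BRAND_DOMAINS = {"tiktok": {"tiktok.com"}, "google": {"google.com", "googleapis.com"}}

LOGIN_HINTS = ("login", "signin", "sign-in", "auth")

# Constructed sample chains (not URLs from the report). The .invalid TLD is reserved.
CONSTRUCTED_PHISH_CHAIN = [
    "https://storage.googleapis.com/example-bucket/landing.html",
    "https://tiktok-business-example.invalid/schedule-call",
    "https://tiktok-business-example.invalid/login",
]
CONSTRUCTED_BENIGN_CHAIN = ["https://www.tiktok.com/business/", "https://ads.tiktok.com/login"]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. A production tool would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage_chain(chain: list) -> dict:
    """Score an ordered redirect chain (first hop -> final page) for the pattern above."""
    parsed = [urlparse(u) for u in chain]
    hosts = [p.hostname or "" for p in parsed]
    domains = [registrable_domain(h) for h in hosts]

    # Trusted first hop that hands off to a different registrable domain.
    trusted_bounce = hosts[0] in TRUSTED_LAUNDER_HOSTS and any(d != domains[0] for d in domains[1:])
    cross_domain_hops = sum(a != b for a, b in zip(domains, domains[1:]))

    # Brand name in host or path while the domain is not one the brand owns.
    brand_spoof = []
    for p, host, dom in zip(parsed, hosts, domains):
        for brand, legit in BRAND_DOMAINS.items():
            tag = f"{brand}@{host}"
            if brand in (host + p.path).lower() and dom not in legit and tag not in brand_spoof:
                brand_spoof.append(tag)

    # Final page looks like a login form on a brand-spoofing host: where the AITM proxy sits.
    final_login = any(h in parsed[-1].path.lower() for h in LOGIN_HINTS)
    spoofed_login = final_login and any(t.endswith("@" + hosts[-1]) for t in brand_spoof)

    score = trusted_bounce + bool(brand_spoof) + spoofed_login
    return {"trusted_host_bounce": trusted_bounce, "cross_domain_hops": cross_domain_hops,
            "brand_spoof": brand_spoof, "spoofed_login": spoofed_login,
            "risk": "high" if score >= 2 else "medium" if score == 1 else "low"}
```

Feed it the hop list recorded by an email gateway or sandbox; a "high" result on a chain that starts at a reputable storage host is a strong signal to block the final domain and check who clicked.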
“It’s also worth pointing out that most business users will choose to ‘sign in with Google.’
This means that anyone using Google to log into their TikTok account will effectively have both accounts used to serve ads compromised in one go, opening up the typical Google Ad Manager playbook – as well as access to all other apps accessible via SSO for data theft and extortion,” Push explained.
“This has become standard operating procedure for attackers, in campaigns such as Scattered Lapsus$ Hunters’ AITM phishing spree earlier this year, and their recent wave of device code phishing attacks.”
Strange choices
The researchers also said that while it makes sense to target Google accounts, TikTok was an “odd choice at first glance.” However, knowing how TikTok has historically been abused, very successfully, changed their perspective.
What they are referring to is the fact that there are many fake instructional videos on TikTok. They say there are countless AI-generated and otherwise manipulated clips on the platform, in which users are asked to “activate” Windows or enable “hidden,” “premium” or bonus features for Spotify, CapCut and other apps, tools and services.
The descriptions of these fake instructional videos are often accompanied by download links, where victims believe they will get these premium tools for free. What they actually get are information stealers such as Vidar, StealC and Aura Stealer: powerful tools that can exfiltrate login credentials, cryptocurrency wallet data, cookies and session tokens, and much more.
According to Push Security, one of these videos has over 500,000 views and over 20,000 likes.
Another way to abuse TikTok is to promote fake campaigns through “influencers” and other popular individuals, like Elon Musk or Michael Saylor. These campaigns often invite people to create accounts on fraudulent cryptocurrency exchanges, or to “invest” their money in fraudulent projects.
Via BleepingComputer
