- Push Security uncovers phishing campaign targeting TikTok business accounts
- Attackers use Google Storage links and AITM kits to steal credentials, cookies and MFA codes
- Compromised accounts exploited for fraudulent ad campaigns and infostealer distribution through fake TikTok content
If your business has a TikTok account, be careful: Hackers are going after your login credentials with a sophisticated phishing attack.
A new report from Push Security describes a campaign that likely starts with a phishing email, although this is unconfirmed. Push found a malicious link that routes victims through a legitimate Google Storage URL to appear trustworthy, before redirecting them to one of nearly a dozen malicious landing pages, all registered with the same suspicious registrar (Nicenic International Group, allegedly commonly abused for mass phishing domain registration).
When the victim clicks on the link, a Cloudflare Turnstile check is triggered first to block security bots, after which the victim is shown a fake landing page. This page imitates TikTok for Business or sometimes Google Careers. The victim is asked to fill out a basic form (to schedule a call or similar) and is then redirected to a fake login page.
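For defenders, the chain described above (Google Storage link, unofficial landing host, Turnstile check, form submission) can be hunted for in web proxy logs. The Python below is an added example, not code from Push Security or its report; the log format, the allowlist of official domains and the sample log lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

STORAGE_HOST = "storage.googleapis.com"       # Google Cloud Storage link host
TURNSTILE_HOST = "challenges.cloudflare.com"  # host that serves Cloudflare Turnstile
# Assumption: suffixes your organisation treats as official for these brands.
OFFICIAL_SUFFIXES = ("tiktok.com", "google.com", "googleapis.com", "cloudflare.com")

# Constructed sample proxy log: time, user, method, host, referrer host.
SAMPLE_LOG = """\
2025-01-10T09:00:01 alice GET storage.googleapis.com -
2025-01-10T09:00:03 alice GET landing.example.net storage.googleapis.com
2025-01-10T09:00:04 alice GET challenges.cloudflare.com landing.example.net
2025-01-10T09:00:40 alice POST landing.example.net landing.example.net
2025-01-10T09:05:00 bob GET storage.googleapis.com -
2025-01-10T09:05:02 bob GET ads.tiktok.com storage.googleapis.com
2025-01-10T09:05:30 bob POST ads.tiktok.com ads.tiktok.com
2025-01-10T10:00:00 carol GET storage.googleapis.com -
2025-01-10T10:00:02 carol GET files.example.org storage.googleapis.com
"""

def is_official(host):
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)

def parse(log):
    for line in log.strip().splitlines():
        ts, user, method, host, ref = line.split()
        yield datetime.fromisoformat(ts), user, method, host.lower(), ref.lower()

def find_chains(log, window_s=600):
    """Return (user, host) pairs matching: storage link -> unofficial host ->
    Turnstile challenge -> form POST to that host, all within window_s seconds."""
    state = defaultdict(dict)  # user -> {candidate host: [start time, stage]}
    hits = []
    for ts, user, method, host, ref in parse(log):
        cands = state[user]
        # Stage 1: arrival at an unofficial host with the storage host as referrer.
        if ref == STORAGE_HOST and not is_official(host):
            cands[host] = [ts, 1]
        # Stage 2: Turnstile challenge loaded from a candidate page.
        elif host == TURNSTILE_HOST and ref in cands:
            cands[ref][1] = 2
        # Stage 3: form submission to the candidate after the challenge.
        elif method == "POST" and host in cands:
            start, stage = cands[host]
            if stage == 2 and (ts - start).total_seconds() <= window_s:
                hits.append((user, host))
                del cands[host]
    return hits
```

Turnstile and Google Storage are both widely used by legitimate sites, so a match is a lead for review rather than a verdict.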
Stealing both TikTok and Google
The login page is actually an Adversary in the Middle (AITM) phishing kit that acts as a reverse proxy and captures login details and session cookies in real time. The kit also allows the attacker to steal MFA codes, relay them, and gain full access to people’s accounts.
The problem is worse for people who use Google’s single sign-on feature, since the same login grants access to both platforms and allows attackers to run fraudulent ad campaigns through the victims’ (vetted) accounts, using their funds:
“It’s also worth noting that many or most business users will choose to ‘sign in with Google.’
“This means that anyone who uses Google to log into their TikTok account will effectively have both accounts used to distribute ads compromised at once, opening up the typical Google Ad Manager exploit manual, as well as accessing other applications accessible through SSO for data theft and extortion,” Push explained.
“This has become the standard modus operandi for attackers, in campaigns such as Scattered Lapsus$ Hunters’ AITM phishing spree earlier this year, and its recent series of device code phishing attacks.”
Strange choices
The researchers also said that while it makes sense to target Google accounts, TikTok was an “odd choice at first glance.” However, learning how TikTok has historically been abused, with great success, changed their perspective.
What they are referring to is the large number of fake how-to videos on TikTok. They say there are countless AI-generated and otherwise manipulated clips on the platform, telling users how to “activate” Windows or unlock “hidden,” “premium” or additional features for Spotify, CapCut and other apps, tools and services.
The descriptions of these fake instruction videos often come with download links, where victims believe they will get these premium tools for free. What they actually get are infostealers: Vidar, StealC, Aura Stealer, and many others are powerful tools that can steal login credentials, cryptocurrency wallet data, cookies and session tokens, and much more.
One of those videos, Push Security says, has more than 500,000 views and more than 20,000 likes.
Another way to abuse TikTok is to promote fake campaigns through “influencers” and other popular people, such as Elon Musk or Michael Saylor. These campaigns often invite people to register accounts on fraudulent cryptocurrency exchanges or to “invest” their money in fraudulent projects.
Via BleepingComputer





