Warning: New MFA-Bypassing Attack Threatens TikTok Advertisers

Cybercriminals Unleash Sophisticated Phishing Campaign Against TikTok Business Accounts

Date: March 27, 2026

A highly sophisticated phishing campaign is currently targeting TikTok for Business users, aiming to hijack corporate accounts for malvertising, ad fraud, and malware distribution. First documented by cybersecurity firm Push Security, this new wave of attacks utilizes advanced evasion techniques to bypass standard security filters and steal credentials, session cookies, and multi-factor authentication (MFA) codes.

Here is what you need to know about this emerging threat and how to protect your organization.

Why Target TikTok Business Accounts?

Cybercriminals are increasingly shifting their focus toward corporate social media and advertising accounts because of their immense reach and inherent legitimacy. A compromised TikTok for Business account provides attackers with a goldmine:

  • Ad Fraud & Malvertising: Hackers can launch their own fraudulent ad campaigns using the victim's attached payment methods.

  • Malware Distribution: Hijacked accounts can be exploited to distribute infostealers or cryptocurrency scams to a broad audience under the guise of a trusted brand.

How the Attack Works

This campaign stands out due to its multi-layered approach to evading detection. The attack typically follows this "kill chain":

  1. The Phishing Lure: The attack likely begins with a phishing email containing a malicious link. To appear trustworthy and bypass email security gateways, the initial link points to a legitimate Google Storage URL.

  2. Evading Security Bots: Once a victim clicks the link, they are not immediately taken to the phishing page. Instead, they hit a Cloudflare Turnstile check. This step is specifically designed to block automated security scanners and bots from analyzing the final destination.

  3. The Fake Landing Page: After passing the human verification check, the victim is redirected to a malicious landing page. Push Security noted that these pages often impersonate "TikTok for Business" or "Google Careers" portals. They usually ask the user to fill out a basic form (e.g., to "schedule a call") to confirm they are using a corporate email address.

  4. Adversary-in-the-Middle (AITM) Theft: Finally, the user is pushed to a fake login portal. This portal is actually an AITM phishing kit acting as a reverse proxy between the victim and the real login service. When the victim enters their username, password, and even their MFA code, the kit relays them to the genuine site and captures the data and the resulting session in real time, granting the attackers full access to the account.

Note: Security researchers have observed that many of the malicious domains used in this campaign (e.g., welcome.careerscrews[.]com) were recently registered in bulk via NiceNIC, a registrar historically abused for cybercriminal activities.

How to Protect Your Business

Because this campaign uses AITM kits capable of bypassing traditional MFA, standard security advice is not always enough. Here are the best steps to secure your TikTok Business account:

  • Implement FIDO2/Hardware Security Keys: Phishing-resistant MFA, such as physical security keys (e.g., YubiKey), is the most effective defense against AITM attacks. Unlike SMS or authenticator app codes, which are just values a proxy can relay, a hardware key signs a challenge that is bound to the website's origin, so a response produced on a lookalike domain is useless to the attacker's proxy.

  • Scrutinize URLs: Always double-check the URL in your browser before entering credentials. Legitimate TikTok business logins will always be hosted on official TikTok domains.

  • Beware of Unusual Prompts: If an email pressures you to act immediately, schedule an urgent call, or verify your account credentials, treat it with extreme caution.

  • Audit Account Roles: Regularly review the users who have access to your TikTok Business Center. Ensure that employees only have the minimum privileges necessary for their roles (the Principle of Least Privilege) and remove inactive users immediately.
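To make concrete why the reverse-proxy step of the kill chain captures passwords and one-time codes but not a FIDO2/WebAuthn assertion, here is an added simulation (example code, not from the article or from Push Security). The domains are constructed placeholders, and an HMAC shared between authenticator and relying party stands in for the real per-site key pair and asymmetric signature.

```python
import hashlib
import hmac
import json
import os

# Constructed domains (not from the article): the legitimate login origin and
# an attacker-controlled reverse-proxy origin on a lookalike name.
RP_ID = "business.example.com"
GOOD_ORIGIN = "https://business.example.com"
PROXY_ORIGIN = "https://business-example-login.net"

# Simplification: an HMAC key shared by authenticator and relying party stands
# in for the per-site key pair and asymmetric signature real WebAuthn uses.
CREDENTIAL_KEY = os.urandom(32)
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()

def authenticator_sign(challenge: str, browser_origin: str) -> dict:
    """The browser writes the origin it is really on into clientDataJSON; page
    scripts cannot override it. (A real browser would already refuse because the
    proxy origin does not match RP_ID; the relying-party check is the backstop.)"""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True).encode()
    signed = RP_ID_HASH + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authData": RP_ID_HASH, "sig": sig}

def rp_verify(issued_challenge: str, assertion: dict) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), issued_challenge):
        return False  # stale or foreign challenge
    if cd.get("origin") != GOOD_ORIGIN:
        return False  # signed while the user was on another site
    if assertion["authData"] != RP_ID_HASH:
        return False
    signed = assertion["authData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])

def login_direct() -> bool:
    challenge = os.urandom(16).hex()
    return rp_verify(challenge, authenticator_sign(challenge, GOOD_ORIGIN))

def login_via_aitm_proxy() -> bool:
    """The proxy relays the genuine challenge to the victim, but the victim's
    browser is on the proxy's origin, so the assertion is bound to that origin."""
    challenge = os.urandom(16).hex()
    return rp_verify(challenge, authenticator_sign(challenge, PROXY_ORIGIN))
```

`login_direct()` succeeds while `login_via_aitm_proxy()` is rejected on the origin check, which is the property a relayed password or TOTP code lacks.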
