TikTok for Business Accounts Targeted in Sophisticated Phishing Campaign
A new phishing campaign is targeting **TikTok** for Business accounts, employing techniques to evade security bots and steal credentials. The campaign leverages **Cloudflare**-hosted phishing pages designed to mimic legitimate **TikTok** and **Google** login portals, potentially compromising both accounts simultaneously.

Threat actors are actively targeting **TikTok** for Business accounts in a sophisticated phishing campaign designed to bypass security bots and harvest credentials. These accounts are highly valuable due to their potential for abuse in malvertising campaigns, ad fraud, and the distribution of malicious content.
**Push Security**, a browser threat detection and response company, has linked this campaign to similar activity observed last year, which targeted **Google** Ad Manager accounts.
### Phishing Tactics
Victims are lured to **Cloudflare**-hosted phishing pages, registered on March 24 via NiceNIC, a registrar often associated with cybercriminal activities. The initial delivery mechanism remains unclear, but **Push Security** suspects a similar approach to that reported by **Sublime Security**, involving impersonation.
The attack flow involves:
1. An initial link redirects via a legitimate **Google** Storage URL.
2. A **Cloudflare** Turnstile check is used to block bot analysis.
3. Redirection to malicious phishing pages.
The domains used share similar names and are all hosted on the same **Google** Storage bucket. Examples include:
* welcome.careerscrews[.]com
* welcome.careerstaffer[.]com
* welcome.careersworkflow[.]com
* welcome.careerstransform[.]com
* welcome.careersupskill[.]com
* welcome.careerssuccess[.]com
* welcome.careersstaffgrid[.]com
* welcome.careersprogress[.]com
* welcome.careersgrower[.]com
* welcome.careersengage[.]com
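A practical defender use of the indicator list above is to refang the domains and sweep DNS or web-proxy logs for contacts with them. The script below is an added example written for this article, not code from Push Security or the original report; the log format and every log line in it are constructed for illustration, and the `welcome.careers<word>.com` regex is an assumption drawn from the naming pattern of the listed hosts, meant to surface sibling domains the list may not yet include rather than being part of the published IoCs.

```python
import re

# Defanged indicators exactly as listed in the report.
DEFANGED_IOCS = [
    "welcome.careerscrews[.]com",
    "welcome.careerstaffer[.]com",
    "welcome.careersworkflow[.]com",
    "welcome.careerstransform[.]com",
    "welcome.careersupskill[.]com",
    "welcome.careerssuccess[.]com",
    "welcome.careersstaffgrid[.]com",
    "welcome.careersprogress[.]com",
    "welcome.careersgrower[.]com",
    "welcome.careersengage[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') into a matchable host name."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


IOC_SET = {refang(d) for d in DEFANGED_IOCS}

# Assumption (not from the report): the campaign hosts all follow
# welcome.careers<word>.com, so flag look-alikes that are not yet on the list.
CAMPAIGN_PATTERN = re.compile(r"^welcome\.careers?[a-z]+\.com$")


def classify_host(host: str) -> str:
    """Return 'known_ioc', 'pattern_match' or 'clean' for a host name from a log line."""
    h = host.strip().lower().rstrip(".")  # normalise case and trailing FQDN dot
    if h in IOC_SET:
        return "known_ioc"
    if CAMPAIGN_PATTERN.match(h):
        return "pattern_match"
    return "clean"


# Constructed sample log (not from the page): "<timestamp> <user> <host>" per line.
SAMPLE_LOG = """\
2025-03-25T10:02:11Z alice welcome.careerscrews.com
2025-03-25T10:02:15Z alice accounts.google.com
2025-03-25T10:05:40Z bob welcome.careersmentor.com
2025-03-25T10:06:02Z carol ads.tiktok.com
2025-03-25T10:07:19Z dave WELCOME.CAREERSENGAGE.COM.
"""


def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (user, normalised host, verdict) for every non-clean line in the log."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash mid-sweep
        _ts, user, host = parts
        verdict = classify_host(host)
        if verdict != "clean":
            hits.append((user, host.lower().rstrip("."), verdict))
    return hits


if __name__ == "__main__":
    for user, host, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:14} {user:8} {host}")
```

Hosts that match only the regex are worth a second look rather than an automatic block; the point of the pattern is to catch new registrations in the same family before they appear on a published list.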
### Credential Harvesting and 2FA Bypass
The malicious pages impersonate **TikTok** for Business and **Google** Careers "Schedule a Call" pages. Visitors are prompted to enter basic information to validate their business email address.

*Collecting basic information in a first validation step*
*Source: Push Security*
Following this initial step, victims are presented with a fake login page that functions as a reverse proxy, relaying the victim's input to the real login service. This proxy captures credentials and session cookies and exfiltrates them to the attacker. Critically, because the session cookie issued after a successful login is captured along with the credentials, this method allows attackers to hijack accounts even when two-factor authentication (2FA) is enabled.

*The TikTok themed (top) and Google (bottom) phishing pages*
*Source: Push Security*
### Dual Account Compromise
**Push Security** highlights that many business account holders log into **TikTok** using **Google** single sign-on (SSO). This means that compromising the **Google** account through the phishing attack can simultaneously compromise the associated **TikTok** account, enabling attackers to distribute ads through both platforms.
### Recommendations
Users should exercise extreme caution with unsolicited invites and job offers. Always verify the domain before entering credentials and consider using passkeys for enhanced account security.