Cybercriminals have recently deployed a new set of phishing pages designed to target TikTok for Business accounts by using TikTok- or Google-themed content.
Push Security said it had identified a new wave of Adversary-in-the-Middle (AiTM) phishing pages, all registered on March 24 within a nine-second window.
The pages in the cluster were all hosted behind Cloudflare and registered through the same registrar, Nicenic International Group, which Push Security said is commonly abused for bulk phishing domain registration.
The pages share a naming convention, all being variations on welcome.careers*[.]com. Push Security researchers expect the list of malicious domains in this style to grow as the campaign ramps up.
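The infrastructure fingerprint described above (one registrar, creation timestamps seconds apart, a shared hostname convention, Cloudflare nameservers) is something a defender can hunt for in their own domain-intelligence feed. The following is an added example, not Push Security's code or data: the RDAP-style records and proxy-log hostnames are constructed placeholders (the domain names and the year are invented), the ten-second burst window is an assumed tuning value, and registrable_domain() uses a naive "last two labels" rule rather than the Public Suffix List.

```python
import re
from datetime import datetime, timezone

# Hostname convention reported for the campaign: welcome.careers*[.]com
NAMING_RE = re.compile(r"^welcome\.careers[a-z0-9-]*\.com$")

# Constructed RDAP-style registration records for illustration only. The
# domain names are placeholders, not the campaign's real domains, the year is
# a placeholder, and the timestamps merely imitate a burst of registrations
# seconds apart.
SAMPLE_RECORDS = [
    {"domain": "careersexample1.com", "registrar": "Nicenic International Group",
     "created": "2025-03-24T10:15:02Z",
     "nameservers": ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"]},
    {"domain": "careersexample2.com", "registrar": "Nicenic International Group",
     "created": "2025-03-24T10:15:06Z",
     "nameservers": ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"]},
    {"domain": "careersexample3.com", "registrar": "Nicenic International Group",
     "created": "2025-03-24T10:15:10Z",
     "nameservers": ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"]},
    # Same registrar, hours later: not part of the burst.
    {"domain": "careersexample4.com", "registrar": "Nicenic International Group",
     "created": "2025-03-24T14:02:00Z",
     "nameservers": ["ns1.example-dns.net", "ns2.example-dns.net"]},
    # Registered in the same minute but elsewhere: a different operator.
    {"domain": "example-shop.com", "registrar": "Other Registrar LLC",
     "created": "2025-03-24T10:15:04Z",
     "nameservers": ["ns1.example-dns.net", "ns2.example-dns.net"]},
]

# Constructed hostnames as they might appear in a web proxy log.
SAMPLE_HOSTS = [
    "welcome.careersexample1.com",
    "WELCOME.careersexample2.com",
    "welcome.careersexample9.com",  # fits the convention, no registration data yet
    "careers.google.com",
    "www.careersexample1.com",
    "storage.googleapis.com",
]


def parse_ts(value):
    """Parse an RDAP-style UTC timestamp such as 2025-03-24T10:15:02Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_cloudflare_hosted(nameservers):
    """True when every delegated nameserver is a Cloudflare one."""
    return bool(nameservers) and all(ns.lower().endswith(".ns.cloudflare.com") for ns in nameservers)


def cluster_registrations(records, window_seconds=10):
    """Group records per registrar, then split each registrar's timeline wherever
    the gap between consecutive creation timestamps exceeds window_seconds."""
    by_registrar = {}
    for rec in records:
        by_registrar.setdefault(rec["registrar"], []).append(rec)
    clusters = []
    for recs in by_registrar.values():
        recs = sorted(recs, key=lambda r: parse_ts(r["created"]))
        current = [recs[0]]
        for prev, cur in zip(recs, recs[1:]):
            gap = (parse_ts(cur["created"]) - parse_ts(prev["created"])).total_seconds()
            if gap <= window_seconds:
                current.append(cur)
            else:
                clusters.append(current)
                current = [cur]
        clusters.append(current)
    return clusters


def burst_clusters(records, window_seconds=10, min_size=2):
    """Keep only clusters of at least min_size domains registered seconds apart."""
    bursts = []
    for cluster in cluster_registrations(records, window_seconds):
        if len(cluster) < min_size:
            continue
        first, last = parse_ts(cluster[0]["created"]), parse_ts(cluster[-1]["created"])
        bursts.append({
            "registrar": cluster[0]["registrar"],
            "domains": [r["domain"] for r in cluster],
            "span_seconds": (last - first).total_seconds(),
            "all_cloudflare": all(is_cloudflare_hosted(r["nameservers"]) for r in cluster),
        })
    return bursts


def registrable_domain(hostname):
    # Assumption: last two labels; a real deployment would use the Public Suffix List.
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def flag_hostnames(hostnames, burst_domains):
    """Return (hostname, in_burst) for hosts matching the naming convention, where
    in_burst says whether the registrable domain came from a burst registration."""
    hits = []
    for host in hostnames:
        host = host.lower()
        if NAMING_RE.match(host):
            hits.append((host, registrable_domain(host) in burst_domains))
    return hits


def analyze(records=SAMPLE_RECORDS, hostnames=SAMPLE_HOSTS, window_seconds=10):
    """Tie the two checks together: burst registrations plus proxy-log hostname hits."""
    bursts = burst_clusters(records, window_seconds)
    burst_domains = {d for b in bursts for d in b["domains"]}
    return {"bursts": bursts, "hits": flag_hostnames(hostnames, burst_domains)}


if __name__ == "__main__":
    print(analyze())
```

A hostname that matches the convention but whose domain is not yet in a burst cluster (the careersexample9 placeholder above) is still worth a ticket; the burst flag just raises the confidence. Tune the window to your feed's timestamp granularity, since registrars that only expose per-minute creation times will never show a nine-second spread.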
While the initial delivery mechanism has not been confirmed, Push Security said it is likely similar to a campaign Sublime reported in October, which used dynamically generated emails and featured a cloned Google Careers page.
When the link is clicked, it first redirects the user through a legitimate Google Cloud Storage URL before loading the malicious page.
The site employs a Cloudflare Turnstile check to stop automated security scanners from analyzing the page.
Victims are presented with either TikTok- or Google-themed content. As users progress through the workflow, they are ultimately directed to an AiTM phishing page.
In this instance the victim must complete a basic information form before being served the malicious login page, which in fact fronts a reverse-proxy AiTM phishing kit. A kit of this type relays the victim's credentials and MFA responses to the real service and captures the resulting authenticated session, so a one-time code or push approval does not stop it.
Why Threat Actors Target TikTok
TikTok for Business accounts commonly are used by company marketing teams to manage advertising campaigns.
Push Security said the move to targeting TikTok is “notable” given that most phishing pages the threat researchers intercept tend to replicate SSO platforms like Google and Microsoft.
“TikTok seems a weird choice at first glance. But it makes more sense when we consider that TikTok has been historically abused to distribute malicious links and social engineering instructions,” Push Security said in a blog published on March 26.
The platform has been used to deliver infostealers via ClickFix-style instructions in AI-generated videos posing as activation guides for Windows, Spotify and CapCut.
The social media platform is also a “common hunting ground” for crypto scammers.
It was noted that, since most users opt to “log in with Google”, anyone who uses Google to log in to TikTok effectively has both accounts, each usable to distribute ads, compromised in one go. This could start a Google Ad Manager exploitation chain, where cybercriminals take over ad manager accounts to power malvertising scams.
Facts Only
Cybercriminals deployed new phishing pages targeting TikTok for Business accounts.
The pages were registered on March 24 within a nine-second window.
The domains are hosted behind Cloudflare and registered with Nicenic International Group.
The naming convention for malicious domains follows welcome.careers*[.]com.
The initial delivery mechanism is unconfirmed but may involve dynamically generated emails.
Victims are redirected through a legitimate Google Cloud Storage site before reaching the phishing page.
The phishing pages use Cloudflare Turnstile to block security bots.
The attack employs an AiTM phishing kit disguised as a login page.
TikTok for Business accounts are used by marketing teams for advertising campaigns.
TikTok has previously been abused to distribute infostealers and to run crypto scams.
A TikTok login phished through Google SSO compromises the Google account as well, which could enable broader ad manager exploitation.
Executive Summary
Cybercriminals have launched a new phishing campaign targeting TikTok for Business accounts, using Adversary-in-the-Middle (AiTM) techniques. The attack involves phishing pages registered on March 24, hosted behind Cloudflare, and using domains that follow the naming convention welcome.careers*[.]com. These pages mimic TikTok or Google-themed content, redirecting victims through legitimate Google Cloud Storage before presenting a malicious login form. The campaign likely leverages dynamically generated emails, similar to a previous attack reported in October, and employs Cloudflare Turnstile to evade automated analysis.
The focus on TikTok is notable, as most phishing campaigns typically target SSO platforms like Google or Microsoft. TikTok for Business accounts are valuable to attackers because they manage advertising campaigns, which can be repurposed for malvertising. Additionally, since many users log in to TikTok with Google, the AiTM page captures the Google session as well, compromising both accounts at once and amplifying the attack’s impact. The platform has historically been abused for distributing malware and social engineering schemes, making it a lucrative target for cybercriminals.
Full Take
The strongest version of this narrative highlights a sophisticated evolution in phishing tactics, where attackers exploit the intersection of social media and enterprise tools. The combination of AiTM techniques, legitimate infrastructure (Google Cloud Storage) and anti-bot measures (Cloudflare Turnstile) reflects deliberate tradecraft. The focus on TikTok is strategically sound, given its dual role as a marketing platform and a vector for malware distribution. The potential for cascading compromises, where a single phishing success yields access to both TikTok and Google accounts, underscores the campaign’s efficiency.
Pattern scan: The attack leverages *ARC-0012 False Legitimacy* (using trusted platforms like Google Cloud Storage to bypass suspicion) and *ARC-0034 Platform Exploitation* (targeting TikTok’s dual use as a business and social tool). The rapid registration of domains via a known bulk registrar (*Nicenic International Group*) aligns with *ARC-0041 Infrastructure Abuse*, a common tactic in large-scale phishing operations.
Root cause: This campaign reflects a broader trend of cybercriminals targeting non-traditional enterprise entry points. The assumption that SSO platforms are the only high-value targets is being challenged, as attackers pivot to platforms with embedded financial or advertising ecosystems. Historically, TikTok’s record as a distribution channel for malicious links and its vast user base have made it a fertile ground for scams, and this phishing campaign is a natural extension of that pattern.
Implications: For businesses, the attack underscores that only phishing-resistant multi-factor authentication (FIDO2 security keys or passkeys) holds up against an AiTM kit, since one-time codes and push approvals are simply relayed through the proxy, and that lures may arrive through social platforms as well as email. For users, concentrating access behind a single “Log in with Google” identity means one phished session exposes every linked account. Second-order effects could include a surge in malvertising or crypto scams, as compromised accounts are repurposed for fraud.
Bridge questions: How might TikTok’s advertising ecosystem be structurally vulnerable to such attacks? What would it take for platforms to detect and mitigate AiTM phishing at scale? If this campaign succeeds, which other non-SSO platforms might become targets?
Counterstrike scan: A coordinated influence campaign would likely amplify fear around TikTok’s security to erode trust in the platform, possibly benefiting competitors or regulators. However, the content here is factual and lacks the hallmarks of manipulation—no emotional exploitation, forced binaries, or authority games. The analysis remains grounded in technical observations, with no signs of narrative distortion.
