
AITM Phishing Campaign Targets TikTok Business Accounts with Cloudflare Evasion Tactics

  • Mar 27
  • 2 min read

Key Findings


  • Push Security identified a new AITM phishing campaign targeting TikTok for Business accounts to hijack them for malvertising and fraud

  • Attackers use fake TikTok and Google-themed pages with Cloudflare Turnstile bot protection to bypass security scanners

  • Newly registered domains are created rapidly and hosted behind Cloudflare, making them difficult to track

  • Compromised accounts are used for malvertising, credential theft, malware distribution, and ad fraud

  • Many users log in via Google, meaning a single compromise can expose both TikTok and Google accounts

  • The campaign likely spreads via targeted emails, building on tactics from earlier Google-themed scams


Background


This latest phishing operation continues a pattern of attackers targeting social media business accounts. TikTok for Business accounts are particularly valuable targets because they control advertising budgets and can reach millions of users. The platform itself has a history of being abused for spreading malicious links, infostealer malware, crypto scams, and direct messaging attacks. Earlier iterations of similar credential phishing campaigns were flagged in October 2025, suggesting this is an evolving threat rather than a new concept.


Campaign Mechanics


The attack chain uses multiple layers of deception to appear legitimate. Victims click a link that initially redirects from a legitimate Google Storage site, creating false credibility. The page then presents either a TikTok for Business or Google Careers "Schedule a call" interface asking for basic information. After users provide details, they're shown a malicious login page powered by an AITM phishing kit designed to capture credentials.


The Cloudflare Turnstile CAPTCHA check serves a dual purpose: it appears to add legitimacy while actually blocking automated security analysis tools and bots from detecting the phishing pages.


Infrastructure and Tactics


Attackers registered multiple domains following a consistent naming pattern, all hosted behind Cloudflare. Domains identified include welcome.careerscrews[.]com, welcome.careerstaffer[.]com, and others following the "welcome.careers" prefix structure. These domains are spun up and rotated extremely quickly, making traditional indicators of compromise nearly useless for detection and blocking.


Attack Impact and Value


Compromised TikTok for Business accounts unlock several profitable opportunities for attackers. They can run malicious advertisements, conduct ad fraud by diverting company advertising budgets for personal profit, harvest additional credentials, and distribute malware. The value multiplies when users log in through Google, as a single compromise grants access to both platforms and potentially other connected services.


Detection Challenges


The report notes that short-lived indicators of compromise provide limited value against modern phishing attacks. Attackers rotate infrastructure so quickly and dynamically serve different URLs to different visitors that traditional threat intelligence becomes stale almost immediately. This forces defenders to focus on behavioral detection and user awareness rather than blocking specific domains or URLs.
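Because the campaign rotates domains faster than blocklists can follow, a defender's best option is to score the traits the report describes in combination: the "welcome.careers" naming pattern, very recent registration, DNS behind Cloudflare, a redirect chain entering from Google Storage, and a TikTok- or Google-branded login form served from a host that is not the real brand. The following Python example is added here to illustrate that behavioral scoring; it is not code from Push Security or from the original post. The proxy events, the registration dates, the nameserver names and the allowlist of expected login hosts are all constructed for the example, and the weights and threshold are assumptions a team would tune against its own telemetry.

```python
import re
from datetime import date

# Fixed reference date so domain-age calculations are reproducible (assumption).
TODAY = date(2026, 3, 27)

# Naming pattern reported for the campaign: welcome.careers<word>.<tld>
CAREERS_PATTERN = re.compile(r"^welcome\.careers[a-z0-9-]+\.[a-z]{2,}$")

# Brands the lures impersonate, and hosts where a branded login form is expected.
# The allowlist is illustrative only, not an authoritative list of brand hosts.
IMPERSONATED_BRANDS = ("tiktok", "google")
EXPECTED_LOGIN_HOSTS = {
    "www.tiktok.com", "business.tiktok.com", "ads.tiktok.com", "accounts.google.com",
}

NEW_DOMAIN_DAYS = 30   # "newly registered" cutoff (assumption)
ALERT_THRESHOLD = 4    # combined score that raises an alert (assumption)

# Constructed, enriched web-proxy events. 'registered' and 'nameserver' stand in for
# WHOIS/DNS enrichment a pipeline would add; none of these values are real telemetry.
SAMPLE_EVENTS = [
    {"user": "alice", "host": "welcome.careerscrews.com", "referrer": "storage.googleapis.com",
     "title": "TikTok for Business - Log in", "has_login_form": True,
     "registered": date(2026, 3, 20), "nameserver": "ada.ns.cloudflare.com"},
    {"user": "bob", "host": "business.tiktok.com", "referrer": "",
     "title": "TikTok for Business | Log in", "has_login_form": True,
     "registered": date(2012, 1, 1), "nameserver": "ns1.example-dns.invalid"},
    {"user": "carol", "host": "welcome.careerstaffer.com", "referrer": "storage.googleapis.com",
     "title": "Schedule a call", "has_login_form": False,
     "registered": date(2026, 3, 22), "nameserver": "bob.ns.cloudflare.com"},
    {"user": "dave", "host": "docs.example.com", "referrer": "",
     "title": "Internal wiki", "has_login_form": False,
     "registered": date(2015, 6, 1), "nameserver": "ns2.example-dns.invalid"},
    {"user": "erin", "host": "launch.example-startup.com", "referrer": "",
     "title": "Product launch", "has_login_form": False,
     "registered": date(2026, 3, 10), "nameserver": "cat.ns.cloudflare.com"},
]


def score_event(ev, today=TODAY):
    """Score one enriched proxy event; returns (score, list of human-readable reasons)."""
    reasons = []
    score = 0
    host = ev["host"].lower()

    if CAREERS_PATTERN.match(host):
        score += 2
        reasons.append("host matches the welcome.careers* naming pattern")

    age_days = (today - ev["registered"]).days
    if age_days < NEW_DOMAIN_DAYS:
        score += 2
        reasons.append(f"domain registered {age_days} days ago")

    # Cloudflare fronting is common for legitimate sites, so it only adds weight
    # when it coincides with the other traits.
    if ev["nameserver"].lower().endswith(".ns.cloudflare.com"):
        score += 1
        reasons.append("DNS served by Cloudflare (weak signal on its own)")

    if ev["referrer"].lower() == "storage.googleapis.com":
        score += 1
        reasons.append("redirect chain entered from Google Storage")

    # The AITM stage: a TikTok/Google-branded login page on a host that is not the brand.
    title = ev["title"].lower()
    if (ev["has_login_form"]
            and any(brand in title for brand in IMPERSONATED_BRANDS)
            and host not in EXPECTED_LOGIN_HOSTS):
        score += 3
        reasons.append("TikTok/Google-branded login form on a non-brand host")

    return score, reasons


def triage(events, threshold=ALERT_THRESHOLD):
    """Return {host: reasons} for every event whose combined score reaches the threshold."""
    flagged = {}
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged[ev["host"]] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

Run as written, the two "welcome.careers" hosts are flagged, including the pre-login "Schedule a call" stage, while the real TikTok login page, an internal site and a freshly registered but otherwise unremarkable Cloudflare-fronted domain stay below the threshold. Because no single trait is decisive, the scoring keeps working after the specific domains in the report have been retired.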


Sources


  • https://securityaffairs.com/190058/security/new-aitm-phishing-wave-hijacks-tiktok-business-accounts.html

  • https://thehackernews.com/2026/03/aitm-phishing-targets-tiktok-business.html

  • https://www.facebook.com/cybernewscom/posts/a-new-phishing-campaign-is-targeting-tiktok-business-usersphishing-tiktok/1539975074804845/

  • https://pushsecurity.com/blog/tiktok-phishing

  • https://www.facebook.com/groups/2600net/posts/4508292436060513/

  • https://www.reddit.com/r/blueteamsec/comments/1s4viq6/business_tiktok_accounts_targeted_with_aitm/


© 2025 by Explain IT Again. Powered and secured by Wix
