Threat actors are employing sophisticated adversary-in-the-middle, or AitM, phishing techniques to hijack TikTok for Business accounts, according to a new cybersecurity report. The campaign, identified by researchers at Push Security, bypasses common security measures to steal login credentials and account access. This development poses a significant risk to businesses leveraging the platform for marketing and customer engagement.
Mechanics of the AitM Attack
The attackers create deceptive phishing pages that mimic the official TikTok for Business login portal. These pages are designed to intercept user credentials in real time. The scheme’s technical sophistication lies in its use of Cloudflare Turnstile, a service intended to block bots, to evade detection and appear more legitimate to potential victims.
When a user enters their login information on the fraudulent page, the AitM infrastructure captures the credentials. It then forwards them to TikTok’s genuine servers, allowing the attackers to log into the victim’s account while the user is simultaneously logged in. This seamless process makes it difficult for the target to realize they have been compromised.
Value of Compromised Business Accounts
Business accounts on major social media platforms are considered high-value targets for cybercriminals. Once control is obtained, these accounts can be repurposed for malicious activities. This includes distributing malware through advertisements, a practice known as malvertising, or launching further phishing campaigns from a trusted business profile.
Such compromises can lead to financial loss, reputational damage for the affected company, and security risks for its customers and followers. The credibility of a verified business account makes malicious content posted from it far more persuasive and dangerous.
Historical Context and Platform Abuse
Push Security’s report notes that TikTok’s platform has been abused by threat actors in the past to distribute malicious software. The current campaign represents an escalation, moving from distributing malware to actively seizing control of administrative accounts. This shift indicates a strategic focus on the long-term access and authority that business accounts provide.
The use of AitM phishing, once primarily aimed at financial services, is becoming more common against technology and social media platforms. This method is effective because it defeats two-factor authentication (2FA): the proxy relays the victim's one-time code to the real site and captures the session cookies issued after the legitimate login.
Recommendations for Account Security
Security experts advise several measures to protect business accounts from such advanced threats. Organizations should enforce the use of phishing-resistant multi-factor authentication, such as physical security keys, for all social media administrators. Employee training to recognize sophisticated phishing attempts is also critical.
Regular monitoring of account access logs for unfamiliar devices or locations can provide early warning of a compromise. Companies are also encouraged to use dedicated, secure devices or browser profiles for managing high-value social media accounts to limit exposure.
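As an added illustration of the monitoring advice above (example code, not from the report or from Push Security), the following Python script runs two checks over constructed session-log entries: a login from a device or location outside the account's known baseline, and one session identifier used from a second client, which is how cookie replay by an AitM proxy appears in the logs. The log fields, the device baseline and the addresses are all assumed for the example.

```python
# Constructed sample log lines (not real TikTok data):
# timestamp, account, event, session_id, source_ip, user_agent
EVENTS = [
    ("2024-05-01T09:00:00", "acct-1", "login",   "s-aaa", "203.0.113.5",  "Chrome/124 Windows"),
    ("2024-05-01T09:00:30", "acct-1", "request", "s-aaa", "203.0.113.5",  "Chrome/124 Windows"),
    ("2024-05-01T09:01:10", "acct-1", "request", "s-aaa", "198.51.100.7", "python-requests/2.31"),
    ("2024-05-01T10:00:00", "acct-2", "login",   "s-bbb", "192.0.2.44",   "Safari/17 macOS"),
    ("2024-05-01T10:05:00", "acct-2", "request", "s-bbb", "192.0.2.44",   "Safari/17 macOS"),
]

# Constructed baseline of the (ip, user_agent) pairs each administrator
# normally signs in from; in practice this comes from historical access logs.
KNOWN_DEVICES = {
    "acct-1": {("203.0.113.5", "Chrome/124 Windows")},
    "acct-2": {("192.0.2.44", "Safari/17 macOS")},
}


def detect_aitm_signals(events, known_devices):
    """Two checks over session logs:
    1. a login from an (ip, user_agent) pair outside the account's baseline,
       which is how a sign-in relayed through attacker infrastructure looks;
    2. one session id used from more than one (ip, user_agent) pair, which is
       the captured session cookie being replayed while the victim is still
       logged in.
    Returns a list of alert dicts, one per matching event."""
    seen_clients = {}   # session_id -> set of (ip, user_agent) that used it
    alerts = []
    for ts, acct, kind, sid, ip, ua in sorted(events, key=lambda e: e[0]):
        client = (ip, ua)
        if kind == "login" and client not in known_devices.get(acct, set()):
            alerts.append({"account": acct, "session": sid, "ip": ip,
                           "reason": "login from unknown device/location"})
        clients = seen_clients.setdefault(sid, set())
        if clients and client not in clients:
            alerts.append({"account": acct, "session": sid, "ip": ip,
                           "reason": "session used from a second client"})
        clients.add(client)
    return alerts


if __name__ == "__main__":
    for alert in detect_aitm_signals(EVENTS, KNOWN_DEVICES):
        print(alert)
```

On the constructed data the only alert is for acct-1, whose session cookie is reused from a second address with a scripted user agent; a genuine relay sign-in would additionally trip the baseline check at login time.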
Ongoing Response and Future Outlook
Push Security has notified TikTok’s security team about the campaign details. The cybersecurity community anticipates that platform defenders will work to identify and block the infrastructure used in these attacks. However, the adaptable nature of AitM phishing means similar campaigns are likely to target other platforms in the future.
Security analysts expect to see continued innovation from threat actors targeting business and advertising accounts across all major social networks. Companies are advised to treat their social media credentials with the same level of security as their corporate email and financial systems to mitigate this evolving threat.
Source: Push Security