A phishing campaign has recently been detected that puts TikTok for Business accounts at risk, and it is not an ordinary attack: those responsible have designed the scam so that automated security tools cannot analyze the malicious pages, letting it go unnoticed for longer.
According to the team that discovered the operation, the trickery starts with links that redirect to legitimate resources, in this case Google's cloud storage, and from there chain on to pages hosted by the attackers themselves. This first step matters because it gives the user an initial sense of confidence and hides the direct trail to the malicious server. The fake pages reproduce official-looking forms, such as those used to schedule business calls, and request basic data to "verify" that the visitor uses a company account.

The trap becomes more dangerous in the next step: after that initial verification, the victim is presented with a screen that looks like the real login form. That screen actually acts as a reverse proxy: a real-time intermediary between the user and the legitimate service that captures credentials and session cookies and forwards them to the attacker. The result is that even access protected by two-factor authentication can be hijacked, because the attacker completes the session by riding on the victim's authenticated connection.
The researchers who analyzed the campaign identified a family-like pattern: the domains used are variations on similar names and share the same cloud storage container. In addition, the domains were registered through a registrar that has appeared in criminal activity in other incidents. For the full technical analysis and the verified findings, see the technical report published by the campaign's discoverers on the Push Security blog, which connects this operation to tactics observed in previous campaigns.
Another key part of the modus operandi is the use of anti-bot checks built into the redirection chain. Technologies like Cloudflare Turnstile distinguish human browsers from automated scanning tools; the attackers use them to keep automated defenses and researchers from reaching the malicious pages, which complicates early detection.
There is also a dangerous link between services: many TikTok for Business accounts allow login through Google single sign-on (SSO). If a user manages a TikTok account with Google credentials, compromising the Google account can give the attacker simultaneous control of the TikTok ad and content account. This vector amplifies the damage, because company accounts are especially valuable for running campaigns, advertising fraud and spreading scams that look legitimate.
The pattern observed in this campaign recalls other impersonations that have used pages mimicking call-scheduling or recruitment processes to deceive people. A detailed analysis of a similar case that abused job-offer pages and a redirection chain can be read in the report published by Sublime Security, which shows how the variants are constantly multiplied and adjusted to evade detection.
For managers and administrators of advertising and social media accounts, this raises several alarm signals. Company accounts have more reach and public credibility, so they are a natural target for those seeking to distribute malicious content or manipulate advertising campaigns. The attackers do not only want to steal passwords: they want control of channels they can then use in large-scale fraud schemes.

As for practical recommendations, simple but strong measures should be taken: maintain a skeptical attitude towards unexpected links, check the domain carefully before entering any credential, and distrust communications that ask to verify accounts or schedule calls through unverified forms. In addition, organizations should prioritize phishing-resistant authentication methods, such as passkeys and FIDO / WebAuthn keys, which drastically reduce the effectiveness of reverse-proxy phishing because the credential is bound to the legitimate site's origin and cannot be replayed from a lookalike domain. Google and other platforms already offer guides for adopting passkeys and other modern authentication mechanisms; Google's documentation on passkeys is a good starting point: how to use passkeys.
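To show why the reverse-proxy step described above fails against passkeys, here is an added example (not code from the article or from Push Security) of the origin, challenge and RP ID checks a relying party performs on a WebAuthn assertion. The origin, RP ID and lookalike domain are constructed assumptions; signature verification is left out because these checks alone already reject a proxied login.

```python
import base64
import hashlib
import json

# Constructed relying-party values (assumption, not from the article).
EXPECTED_ORIGIN = "https://ads.example.com"
EXPECTED_RP_ID = "ads.example.com"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_assertion_context(client_data_b64: str, auth_data: bytes,
                             expected_challenge: bytes) -> tuple:
    """Check type, challenge, origin and rpIdHash of a WebAuthn assertion.
    The browser writes the origin the user actually visited into clientDataJSON,
    so a login relayed through a lookalike proxy carries the wrong origin."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or stale)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed clientDataJSON, shaped like what a browser produces."""
    payload = {"type": "webauthn.get", "challenge": b64url_encode(challenge),
               "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def make_auth_data(rp_id: str) -> bytes:
    """Constructed authenticator data: rpIdHash, flags (UP), signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + bytes(4)


def demo():
    challenge = hashlib.sha256(b"constructed-server-challenge").digest()
    auth_data = make_auth_data(EXPECTED_RP_ID)
    # Legitimate login performed on the real origin.
    legit = verify_assertion_context(make_client_data(EXPECTED_ORIGIN, challenge), auth_data, challenge)
    # Same challenge relayed through a lookalike reverse proxy: origin check fails.
    proxied = verify_assertion_context(make_client_data("https://ads-example-login.test", challenge), auth_data, challenge)
    return legit, proxied
```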
It is also recommended to segment roles and permissions in advertising accounts to minimize the impact if a credential is compromised, to monitor with abnormal-session detection tools, and to educate teams about the most common traps in job offers and "commercial invitations." For general resources on how to avoid phishing and what steps to take after detecting an attempt, official agency guides provide useful and up-to-date advice, for example the publications of CISA.
In short, this is a campaign that combines social engineering with technical measures to block automated inspection and steal sessions in real time. The most solid recommendation is to combine human caution with modern authentication and security policies on ad platforms, because this significantly reduces the attack surface and makes it harder for criminals to exploit high-value accounts.