AitM Phishing Campaign Hijacks TikTok Business Accounts via Cloudflare Turnstile Bypass
What Happened – Threat actors deployed adversary‑in‑the‑middle (AitM) phishing pages that deliberately evade Cloudflare Turnstile challenges. The pages capture login credentials for TikTok for Business accounts, allowing the actors to take full control of the accounts and weaponize them for malvertising and malware distribution.
Why It Matters for TPRM (Third‑Party Risk Management) –
- Social‑media vendor accounts are a high‑value third‑party asset; compromise can expose brand reputation and downstream customers.
- Credential theft enables malicious content propagation, increasing the risk of supply‑chain infection for any organization that relies on TikTok advertising.
- The use of sophisticated Turnstile evasion shows that standard bot‑mitigation controls may be insufficient, prompting a review of vendor security posture.
Who Is Affected – Brands, advertising agencies, and marketing teams that use TikTok for Business; broader media‑focused enterprises that rely on TikTok for outreach.
Recommended Actions –
- Enforce MFA on all TikTok Business accounts and require hardware‑based tokens where possible.
- Conduct a credential‑reuse audit across all third‑party platforms used by your organization.
- Monitor account activity for anomalous posting patterns or sudden spikes in ad spend.
- Engage TikTok’s security team to confirm the implementation of additional anti‑phishing controls.
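The monitoring action above calls for spotting anomalous posting patterns and sudden spikes in ad spend. The following Python script is an added illustration of that detection logic, not code from the advisory or from TikTok: it compares each account's daily spend and post count with the account's own trailing median and flags days that exceed a multiple of that baseline. The per-day activity records, account names, dates and field layout are constructed for the example.

```python
"""Detection example for the advisory's monitoring recommendation: flag
sudden ad-spend spikes and posting bursts per account against each
account's own trailing baseline. Added illustration, not code from the
advisory or from TikTok; the data format below is constructed."""
from statistics import median

# Constructed daily activity: account -> list of (date, ad_spend_usd, posts),
# ordered by date. A real deployment would pull these from the platform's
# reporting exports; the account names, dates and field layout are assumptions.
SAMPLE_ACTIVITY = {
    "brand_a": [
        ("2024-05-01", 100.0, 2), ("2024-05-02", 110.0, 1), ("2024-05-03", 95.0, 2),
        ("2024-05-04", 105.0, 2), ("2024-05-05", 120.0, 1), ("2024-05-06", 100.0, 2),
        # account-takeover pattern: spend and post volume jump far above baseline
        ("2024-05-07", 2400.0, 9),
    ],
    "brand_b": [
        ("2024-05-01", 50.0, 1), ("2024-05-02", 55.0, 1), ("2024-05-03", 60.0, 1),
        ("2024-05-04", 52.0, 1), ("2024-05-05", 58.0, 1), ("2024-05-06", 54.0, 1),
        ("2024-05-07", 57.0, 1),  # steady account: no alert expected
    ],
}


def ratio_to_baseline(history, today, floor=1.0):
    """Compare today's value with the median of the earlier days.
    The median resists a single prior outlier skewing the baseline; the floor
    keeps an account that was idle before (median 0) from dividing by zero."""
    return today / max(median(history), floor)


def find_anomalies(activity, spend_factor=3.0, post_factor=3.0, min_days=5):
    """Return (account, date, signal, ratio) tuples for days whose ad spend or
    post count reaches `factor` times the account's trailing median.
    Only days strictly before the one under test form the baseline, so a
    spike never dilutes the baseline it is measured against, and accounts
    with fewer than `min_days` days of history produce no alerts."""
    alerts = []
    for account, days in activity.items():
        days = sorted(days)  # guarantee the trailing window really is earlier days
        for i in range(min_days, len(days)):
            date, spend, posts = days[i]
            past_spend = [d[1] for d in days[:i]]
            past_posts = [d[2] for d in days[:i]]
            spend_ratio = ratio_to_baseline(past_spend, spend)
            post_ratio = ratio_to_baseline(past_posts, posts)
            if spend_ratio >= spend_factor:
                alerts.append((account, date, "ad_spend_spike", round(spend_ratio, 1)))
            if post_ratio >= post_factor:
                alerts.append((account, date, "posting_burst", round(post_ratio, 1)))
    return alerts


if __name__ == "__main__":
    for account, date, signal, ratio in find_anomalies(SAMPLE_ACTIVITY):
        print(f"{date} {account}: {signal} ({ratio}x trailing median)")
```

On the constructed data, `brand_a` raises both an ad-spend spike and a posting burst on the takeover day while `brand_b` stays quiet. Per-account baselines matter here because a large advertiser's normal daily spend would exceed a small account's spike in absolute terms; the thresholds are starting points to tune against your own accounts' variance.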
Technical Notes – Attack vector: AitM phishing with Cloudflare Turnstile bypass; no known CVE involved. Compromised data: usernames, passwords, and any linked payment or billing information. Source: The Hacker News