Phishing Campaign Hijacks TikTok Business Accounts for Malvertising and Ad Fraud
What Happened – Push Security uncovered a new AITM‑phishing wave that lures TikTok for Business users to counterfeit login pages. The attackers register short‑lived domains, hide behind Cloudflare, and use Google‑styled redirects to harvest credentials, then weaponize the accounts for malicious advertising, ad‑fraud, and malware distribution.
Why It Matters for TPRM (Third‑Party Risk Management) –
- Compromised TikTok Business accounts can divert corporate advertising spend and expose connected Google credentials.
- Credential theft expands the attack surface to other SaaS services used by the same identity (e.g., Google Workspace).
- The rapid domain turnover makes traditional IoC‑based blocking ineffective, increasing detection complexity for third‑party risk teams.
Who Is Affected – Companies that run paid campaigns on TikTok, digital‑marketing agencies, and any organization that links TikTok Business accounts to Google services.
Recommended Actions –
- Review all vendor contracts that include TikTok advertising spend or integration with TikTok APIs.
- Enforce MFA on TikTok Business and linked Google accounts; rotate credentials regularly.
- Deploy anti‑phishing email gateways and user training focused on login‑page impersonation.
- Monitor ad‑spend anomalies and set alerts for unusual campaign creation or budget changes.
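The last recommendation, monitoring for unusual campaign creation and budget changes, can be put into a small rule set over the ad platform's audit log. The block below is an added example, not code from the article or from Push Security; the event field names, the constructed sample events and the thresholds are assumptions that would be mapped onto the real export of the platform in use.

```python
"""Alerting on unusual activity in an ad account.

Added example, not from the article. It walks a constructed audit-log
export and raises an alert on: a login from a country not in the actor's
baseline, a burst of campaign creations, a single campaign with an
unusually large daily budget, a large budget jump, or a new user being
added to the account. Field names and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

CREATE_BURST_N = 3                           # this many campaign_create events ...
CREATE_BURST_WINDOW = timedelta(minutes=10)  # ... by one actor within this window
BUDGET_HIGH = 5000                           # single-campaign daily budget above this
BUDGET_SPIKE_RATIO = 5.0                     # budget_update multiplying budget by this

# Constructed sample events for one advertiser account (not real data).
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T09:00:00", "account": "acct-1", "actor": "alice@example.com", "action": "login", "geo": "US"},
    {"ts": "2025-06-01T09:05:00", "account": "acct-1", "actor": "alice@example.com", "action": "campaign_create", "daily_budget": 500},
    {"ts": "2025-06-03T02:14:00", "account": "acct-1", "actor": "alice@example.com", "action": "login", "geo": "NG"},
    {"ts": "2025-06-03T02:16:00", "account": "acct-1", "actor": "alice@example.com", "action": "campaign_create", "daily_budget": 9000},
    {"ts": "2025-06-03T02:17:00", "account": "acct-1", "actor": "alice@example.com", "action": "campaign_create", "daily_budget": 9000},
    {"ts": "2025-06-03T02:18:00", "account": "acct-1", "actor": "alice@example.com", "action": "campaign_create", "daily_budget": 9000},
    {"ts": "2025-06-03T02:20:00", "account": "acct-1", "actor": "alice@example.com", "action": "budget_update", "old_budget": 500, "new_budget": 12000},
    {"ts": "2025-06-03T02:21:00", "account": "acct-1", "actor": "alice@example.com", "action": "add_user", "detail": "mallory@attacker.example"},
]


def _alert(rule, ev, detail):
    return {"rule": rule, "ts": ev["ts"], "actor": ev["actor"], "account": ev["account"], "detail": detail}


def detect_anomalies(events, baseline_geos=None):
    """Return a list of alert dicts for the given events.

    baseline_geos maps actor -> countries seen during a learning period;
    when it is empty, the first login of each actor seeds the baseline.
    """
    geos = {a: set(g) for a, g in (baseline_geos or {}).items()}
    recent = defaultdict(deque)   # actor -> timestamps of recent campaign_create
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as strings
        ts, actor, action = datetime.fromisoformat(ev["ts"]), ev["actor"], ev["action"]
        if action == "login":
            seen = geos.setdefault(actor, set())
            if seen and ev["geo"] not in seen:
                alerts.append(_alert("new_geo_login", ev, f"{ev['geo']} not in baseline {sorted(seen)}"))
            seen.add(ev["geo"])
        elif action == "campaign_create":
            q = recent[actor]
            q.append(ts)
            while ts - q[0] > CREATE_BURST_WINDOW:   # drop creations outside the window
                q.popleft()
            if len(q) >= CREATE_BURST_N:
                alerts.append(_alert("campaign_burst", ev, f"{len(q)} campaigns within {CREATE_BURST_WINDOW}"))
                q.clear()                             # fire once per burst
            if ev.get("daily_budget", 0) > BUDGET_HIGH:
                alerts.append(_alert("high_budget_campaign", ev, f"daily_budget={ev['daily_budget']}"))
        elif action == "budget_update":
            old, new = ev["old_budget"], ev["new_budget"]
            if old > 0 and new / old >= BUDGET_SPIKE_RATIO:
                alerts.append(_alert("budget_spike", ev, f"{old} -> {new}"))
        elif action == "add_user":
            alerts.append(_alert("user_added", ev, ev["detail"]))   # always worth a review
    return alerts


def alert_counts(events=SAMPLE_EVENTS):
    """Summarise alerts per rule, e.g. for a daily review dashboard."""
    counts = defaultdict(int)
    for a in detect_anomalies(events):
        counts[a["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_EVENTS):
        print(a["ts"], a["rule"], a["actor"], a["detail"])
```

On the constructed feed the first two events (a baseline login and a modest campaign) stay silent, while the second day produces alerts for the new-country login, the three large campaigns, the creation burst, the budget jump and the added user. The baseline dictionary should be built from a known-good period rather than left to self-seed in production, otherwise an already-compromised session defines the norm.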
Technical Notes – The attack chain consists of:
- Attack vector: Phishing emails with links that redirect through a legitimate Google Storage URL, then pass a Cloudflare Turnstile check before serving a fake TikTok or Google “Schedule a call” page.
- Infrastructure: Domains registered seconds before use, hosted behind Cloudflare, employing short‑lived URLs that rotate frequently.
- Payload: AITM phishing kit that captures TikTok Business credentials; harvested accounts are later used for malvertising, credential reuse on Google services, and ad‑fraud.
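Because the domains rotate faster than a blocklist can follow, the chain above is better detected by its shape than by its indicators: a hop through a Google Storage URL, a destination domain registered days earlier, and a brand name in a hostname that is not the brand's. The block below is an added example, not code from the article or from Push Security; it scores browsing sessions on those signals. The registry dict stands in for a WHOIS/RDAP lookup, and the sessions, hostnames, allowlist and thresholds are constructed assumptions.

```python
"""Scoring redirect chains by structure instead of by rotating IoCs.

Added example, not from the article. Each session is the ordered list of
URLs a browser passed through; the score rises for a newly registered
destination, a hop through Google Storage, and a brand token in a host
that is not on the allowlist. All data below is constructed.
"""
from datetime import date
from urllib.parse import urlparse

NEW_DOMAIN_DAYS = 7                 # registrations younger than this are suspicious
ALERT_THRESHOLD = 5                 # sessions scoring at or above this get flagged
BRAND_TOKENS = ("tiktok", "google")
LEGIT_SUFFIXES = ("tiktok.com", "google.com", "googleapis.com")   # assumed allowlist

# Constructed stand-in for a WHOIS/RDAP registration-date lookup.
DOMAIN_REGISTERED = {
    "storage.googleapis.com": "2008-01-01",
    "ads.tiktok.com": "2016-01-01",
    "tiktok-business-verify.example": "2025-06-02",
    "docs.example.org": "2012-05-10",
}

# Constructed proxy sessions (user, day, and the redirect chain observed).
SAMPLE_SESSIONS = [
    {"ts": "2025-06-03", "user": "bob",
     "chain": ["https://storage.googleapis.com/x/redirect.html", "https://tiktok-business-verify.example/login"]},
    {"ts": "2025-06-03", "user": "carol", "chain": ["https://ads.tiktok.com/i18n/login"]},
    {"ts": "2025-06-03", "user": "dave", "chain": ["https://storage.googleapis.com/pub/report.pdf"]},
    {"ts": "2025-06-03", "user": "erin",
     "chain": ["https://docs.example.org/a", "https://tiktok-business-verify.example/login"]},
]


def host_of(url):
    return urlparse(url).hostname or ""


def is_legit(host):
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def registration_date(host, registry):
    """Exact host first, then the last two labels as a crude registrable domain."""
    for key in (host, ".".join(host.split(".")[-2:])):
        if key in registry:
            return date.fromisoformat(registry[key])
    return None


def triage_session(session, registry=DOMAIN_REGISTERED, today=None):
    """Return (score, reasons) for one session; 0 when the destination is allowlisted."""
    today = today or date.fromisoformat(session["ts"])
    hosts = [host_of(u) for u in session["chain"]]
    final = hosts[-1]
    score, reasons = 0, []
    if is_legit(final):
        return 0, reasons
    reg = registration_date(final, registry)
    if reg is None:
        score += 1
        reasons.append("no registration data for destination")
    elif (today - reg).days < NEW_DOMAIN_DAYS:
        score += 3
        reasons.append(f"destination registered {(today - reg).days} day(s) ago")
    if any(h.endswith("googleapis.com") for h in hosts[:-1]):
        score += 2
        reasons.append("redirect hop through Google Storage before a non-Google destination")
    if any(tok in final for tok in BRAND_TOKENS):
        score += 2
        reasons.append("brand name in a hostname outside the allowlist")
    return score, reasons


def flagged_users(sessions=SAMPLE_SESSIONS):
    return [s["user"] for s in sessions if triage_session(s)[0] >= ALERT_THRESHOLD]


if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s["user"], *triage_session(s))
```

Of the four constructed sessions, only bob (all three signals) and erin (fresh domain plus brand token) cross the threshold; carol's genuine TikTok login and dave's plain document download on Google Storage score zero, which is the point of keying the rule on the full chain rather than on any single hostname. The registration-age signal depends on a timely WHOIS/RDAP feed, so cache lookups and treat a missing answer as a weak signal rather than a clean one.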
Source: SecurityAffairs – New AITM phishing wave hijacks TikTok Business accounts