LmCast :: Stay tuned in

TikTok for Business accounts targeted in new phishing campaign

Recorded: March 26, 2026, 3:26 p.m.


By Bill Toulas

March 26, 2026
10:09 AM

Threat actors are targeting TikTok for Business accounts in a phishing campaign that prevents security bots from analyzing malicious pages.
TikTok Business accounts may be targeted due to their high potential for abuse in malvertising campaigns, ad fraud, and the distribution of malicious content.
Browser threat detection and response company Push Security links the campaign to one documented last year, which targeted Google Ad Manager accounts.
TikTok has previously been used to spread information-stealing malware via malicious videos, as well as cryptocurrency scams via fake promotions. TikTok for Business accounts are ideal for such purposes due to their increased reach and perceived legitimacy.
In a report shared with BleepingComputer, Push Security says that victims are lured to Cloudflare-hosted phishing pages whose domains were registered on March 24 via NiceNIC, a registrar often reported by cybersecurity researchers for being used for cybercriminal activities.
Push Security could not determine the initial delivery mechanism, but believes that the threat actor uses a method similar to the one observed in activity reported by Sublime Security.
The initial link redirects via a legitimate Google Storage URL, blocks bots using a Cloudflare Turnstile check, and then redirects to the malicious pages.
The domains feature similar names and are all hosted on the same Google Storage bucket.
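The redirect chain described above can be hunted in web proxy logs. The following is an added example, not code from Push Security or BleepingComputer: the log layout, the registration-date table, all host names other than the Google Storage host, and the 30-day threshold are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

STORAGE_HOST = "storage.googleapis.com"   # assumption: host serving the Google Storage hop
MAX_DOMAIN_AGE = timedelta(days=30)       # assumption: threshold for "newly registered"

# Constructed registration dates, standing in for a WHOIS/RDAP lookup.
REGISTERED = {
    "portal.lure.example": datetime(2026, 3, 24),
    "intranet.corp.example": datetime(2019, 5, 2),
}

# Constructed proxy log rows: (timestamp, user, method, host, referer_host)
LOG = [
    ("2026-03-26T09:00:01", "alice", "GET", STORAGE_HOST, ""),
    ("2026-03-26T09:00:03", "alice", "GET", "portal.lure.example", STORAGE_HOST),
    ("2026-03-26T09:00:40", "alice", "POST", "portal.lure.example", "portal.lure.example"),
    ("2026-03-26T09:05:00", "bob", "GET", STORAGE_HOST, ""),
    ("2026-03-26T09:05:02", "bob", "GET", "intranet.corp.example", STORAGE_HOST),
    ("2026-03-26T09:05:30", "bob", "POST", "intranet.corp.example", "intranet.corp.example"),
]


def find_suspicious_chains(log, registered):
    """Flag users who arrive on a young domain from the storage host, then POST to it."""
    landed = {}   # (user, host) -> time the user arrived there from the storage host
    alerts = []
    for ts, user, method, host, referer in log:
        when = datetime.fromisoformat(ts)
        created = registered.get(host)
        # Hosts with no known registration date are not treated as young here.
        young = created is not None and when - created <= MAX_DOMAIN_AGE
        if method == "GET" and referer == STORAGE_HOST and young:
            landed[(user, host)] = when
        elif method == "POST" and (user, host) in landed:
            # A form submission after that hop is the data-entry step worth triaging.
            alerts.append((user, host, ts))
            del landed[(user, host)]
    return alerts


if __name__ == "__main__":
    for user, host, ts in find_suspicious_chains(LOG, REGISTERED):
        print(f"{ts} {user} submitted a form to {host} after a storage-host redirect")
```
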
The malicious pages impersonate TikTok for Business and Google Careers “Schedule a Call” pages, asking visitors to enter basic information in a form to validate that they’re using a business email address.

[Figure: Collecting basic information in a first validation step. Source: Push Security]
After this step, victims are served a fake login page, which is a reverse proxy designed to capture credentials and session cookies, and to exfiltrate them to the attacker.
Since the page acts as an intermediary between the legitimate user and the service, the threat actor can hijack accounts even when the two-factor authentication (2FA) protection is active.

[Figure: The TikTok-themed (top) and Google (bottom) phishing pages. Source: Push Security]
Push Security also notes that business account holders often log into TikTok via Google's single sign-on (SSO) service. "This means that anyone using Google to login to their TikTok account will effectively have both accounts used to distribute ads compromised in one go."
Users should be extremely cautious with suspicious invites and job offers, and never trust links sent from unknown contacts. Always check the domain before entering credentials, and use passkeys to protect valuable accounts.
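Why passkeys hold up against the reverse-proxy login page while a relayed one-time code does not, as an added example that is not from Push Security or BleepingComputer. It models only the origin and RP ID checks a WebAuthn relying party performs (signature verification is omitted), and every origin, RP ID and code value is constructed.

```python
import base64
import hashlib
import hmac
import json

EXPECTED_ORIGIN = "https://login.example.com"  # constructed: the genuine sign-in origin
RP_ID = "example.com"                          # constructed: relying-party ID of the real site


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_assertion(page_origin, rp_id, challenge):
    """Fields a browser and authenticator contribute for a sign-in on page_origin."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,  # filled in by the browser, not by the page's script
    }).encode()
    # authenticatorData starts with SHA-256(rpId), then flags (UP|UV) and a counter.
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    return client_data, auth_data


def rp_accepts(client_data, auth_data, challenge):
    """Relying-party checks that bind an assertion to the real site."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch"
    return True, "ok"


def totp_accepts(submitted, current):
    """A one-time code carries no origin, so a code relayed by a proxy still verifies."""
    return hmac.compare_digest(submitted, current)
```

In a real deployment the signature over the authenticator data and the hash of the client data is verified as well, which is what stops a proxy from rewriting the `origin` field in transit.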


This document details a concerning phishing campaign targeting TikTok for Business accounts, orchestrated by threat actors seeking to compromise credentials and potentially spread malicious content. Push Security identified a coordinated effort leveraging deceptive websites mimicking legitimate TikTok and Google Careers pages to harvest user information. The campaign’s effectiveness stems from the high value of TikTok for Business accounts, which are frequently used for malvertising, ad fraud, and the dissemination of harmful content, combined with the platform’s reach and perceived legitimacy.

The initial stage of the attack involves redirection through Cloudflare Turnstile, a security mechanism designed to mitigate bot traffic, highlighting a sophisticated understanding of common security protocols. Victims are directed to domain names closely resembling those of TikTok and Google Careers, prompting them to complete a form requesting basic email verification. This serves as an initial validation step, designed to collect data for subsequent exploitation. Following this, the victims are presented with a reverse proxy login page, engineered to capture credentials and session cookies. Crucially, the attack bypasses standard two-factor authentication (2FA) protections due to the intermediary nature of the proxy.

A significant vulnerability lies in the widespread use of Google Single Sign-On (SSO) for accessing TikTok accounts. This single point of entry allows the threat actor to compromise both the TikTok and Google accounts concurrently, substantially amplifying the potential damage. The threat actors utilize domains registered through NiceNIC, a registrar frequently associated with malicious activity, demonstrating a deliberate selection of infrastructure known for facilitating cybercriminal operations. The sophisticated design of the phishing pages, mimicking legitimate interfaces, further increases the likelihood of successful deception.

Push Security’s report underscores a concerning trend: the exploitation of seemingly legitimate platforms like TikTok for Business to facilitate malicious activities. The attackers’ strategy reflects a broader pattern observed by Sublime Security, utilizing similar techniques in targeting Google Ad Manager accounts. The campaign’s success demonstrates a tactic that can be readily deployed against high-value targets, emphasizing the importance of vigilance and robust security measures. Recommendations include heightened caution when engaging with unsolicited invitations or job offers, a critical evaluation of all links before clicking, and the implementation of security measures such as passkeys to safeguard accounts against compromise, particularly given the inherent risks associated with SSO integrations. The campaign’s deliberate use of Google Storage for hosting reinforces the importance of thorough security audits of cloud infrastructure and the need for organizations to maintain a proactive approach to threat detection and response.