AitM Phishing Targets TikTok Business Accounts Using Cloudflare Turnstile Evasion
New AitM Phishing Attack Targets TikTok for Business Using Cloudflare Turnstile for Concealment
New AitM Phishing Campaign Targets TikTok for Business via Cloudflare Turnstile Evasion
TL;DR
Threat actors are deploying Adversary-in-the-Middle (AitM) phishing attacks to hijack TikTok for Business accounts. By using Cloudflare Turnstile to block security scanners and impersonating legitimate platforms like Google Careers, attackers are bypassing traditional defenses to steal credentials and session tokens.
A new wave of sophisticated phishing attacks is targeting high-value social media accounts. According to a recent report from Push Security, threat actors are now utilizing Adversary-in-the-Middle (AitM) techniques specifically to seize control of TikTok for Business accounts.
These accounts are a primary target for cybercriminals because they provide a powerful platform for malvertising and the distribution of malware. Once compromised, these business accounts can be used to run deceptive ad campaigns or spread malicious links to a massive audience under the guise of a legitimate brand.
The Evolution of the Campaign
This is not the first time this specific threat has surfaced. Sublime Security previously flagged an earlier iteration of this credential phishing campaign in October 2025. That version relied primarily on social engineering through emails masquerading as professional outreach messages.
Historically, TikTok has been a fertile ground for the distribution of infostealers such as Vidar, StealC, and Aura Stealer. Attackers have previously used "ClickFix-style" instructions and AI-generated videos—often disguised as activation guides for popular software like Windows or Spotify—to trick users into compromising their systems.
Attack Vector: Lookalike Pages and Fake Job Offers
The current campaign begins with a malicious link designed to lure victims into a trap. Researchers have identified two primary decoys used to bait users:
- TikTok for Business Impersonation: A lookalike page that replicates the official TikTok business portal.
- Google Careers Impersonation: A page designed to look like a job opportunity at Google, even offering victims the option to "schedule a call" to discuss the role.
Evading Detection with Cloudflare Turnstile
One of the most notable technical aspects of this campaign is the use of Cloudflare Turnstile. Before the phishing page is revealed, the victim must complete a CAPTCHA-like check.
While this appears to the user to be a standard security measure, its actual purpose is to serve as a barrier against security tools. By requiring a manual interaction, the attackers effectively block bots and automated security scanners from crawling and analyzing the malicious content of the AitM page. Once the check is cleared, the victim is presented with the AitM login page, which is designed to intercept credentials and session cookies in real time.
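The gating described above gives defenders a pairing worth hunting for in proxy logs: a visit to a lookalike host followed immediately by a Cloudflare Turnstile challenge load. The script below is an added example, not code from Push Security or The Hacker News; the log lines, the `.invalid` hostnames and the brand list are constructed, and the Turnstile loader path `/turnstile/v0/api.js` is taken from Cloudflare's public documentation rather than from the report.

```python
import re

# Constructed sample proxy log as (client, host, path); not real traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "welcome.careerssample.invalid", "/"),
    ("10.0.0.5", "challenges.cloudflare.com", "/turnstile/v0/api.js"),
    ("10.0.0.5", "welcome.careerssample.invalid", "/login"),
    ("10.0.0.7", "www.tiktok.com", "/business"),
    ("10.0.0.9", "tiktok-business-login.invalid", "/"),
    ("10.0.0.9", "challenges.cloudflare.com", "/turnstile/v0/api.js"),
]

# Brand words and the apex domains they legitimately belong to (assumed list).
BRAND_APEX = {"tiktok": "tiktok.com", "google": "google.com"}
# Naming pattern called out in the report: welcome.careers<word>.<tld>
CAREERS_PATTERN = re.compile(r"^welcome\.careers[a-z0-9-]+\.")
TURNSTILE_HOST = "challenges.cloudflare.com"   # Turnstile loader origin


def registered_under(host, apex):
    """True if host is the apex itself or a subdomain of it."""
    return host == apex or host.endswith("." + apex)


def is_suspicious_host(host):
    """Flag brand lookalikes (brand word present, but not under the real
    apex) and hosts matching the 'welcome.careers*' naming pattern."""
    h = host.lower()
    if CAREERS_PATTERN.match(h):
        return True
    return any(word in h and not registered_under(h, apex)
               for word, apex in BRAND_APEX.items())


def turnstile_gated_lookalikes(log):
    """Per client, pair a suspicious host with the Turnstile challenge
    load that follows it. Turnstile alone is not a signal: plenty of
    legitimate sites use it, so only the lookalike + challenge pairing
    is reported."""
    findings, pending = [], {}
    for client, host, path in log:
        if is_suspicious_host(host):
            pending[client] = host
        elif (host == TURNSTILE_HOST and path.startswith("/turnstile/")
              and client in pending):
            findings.append((client, pending.pop(client)))
    return findings


if __name__ == "__main__":
    for client, host in turnstile_gated_lookalikes(SAMPLE_LOG):
        print(f"{client} hit Turnstile-gated lookalike {host}")
```

In a real deployment the brand list and the lookalike check would be replaced by the organization's own brand-protection rules, and the pairing window would be bounded by time rather than by log order.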
Identified Malicious Domains
Push Security has identified several domains associated with this campaign. Most follow a pattern related to "careers" to support the Google job-offer ruse:
Broader Phishing Trends: SVG Malware in Venezuela
In a separate but related development, researchers at WatchGuard have observed a different phishing tactic involving Scalable Vector Graphics (SVG) files.
Targeting users in Venezuela, these attacks use SVG attachments disguised as invoices or receipts. When opened, the files contact a remote URL to download Go-based malware. Notably, this malware shares overlaps with BianLian ransomware samples. The attackers use URL shorteners (specifically ja.cat) and exploit redirect vulnerabilities on legitimate domains to mask the origin of the malware.
Conclusion
The shift toward AitM attacks and the use of legitimate services like Cloudflare Turnstile to hide malicious scripts highlights the increasing sophistication of phishing operations. For businesses, the hijacking of a TikTok account is more than a social media headache—it is a launchpad for broader malware distribution. Organizations are encouraged to monitor for the identified domains and educate employees on the risks of sophisticated social engineering lures, even those appearing on reputable platforms like Google Careers.
Source: The Hacker News - AitM Phishing Targets TikTok Business Accounts Using Cloudflare Turnstile Evasion