AitM Phishing Attack Targets TikTok Business Accounts by Bypassing Cloudflare Turnstile Security

Cybersecurity researchers have uncovered a sophisticated phishing campaign designed to compromise TikTok for Business accounts using advanced adversary-in-the-middle (AitM) techniques. The operation, identified by Push Security, highlights how attackers are evolving their tactics to bypass modern security defenses.

Business Accounts Become High-Value Targets

Accounts linked to social media platforms are increasingly attractive to cybercriminals. Once compromised, these accounts can be misused for malicious advertising campaigns and malware distribution.

Experts note that TikTok has previously been exploited to spread harmful content. Attackers often use deceptive videos and social engineering strategies to trick users into downloading malware such as Vidar, StealC, and Aura Stealer. These threats are frequently disguised as tutorials or activation guides for popular tools.

How the Attack Chain Works

The campaign typically begins with a malicious link delivered through phishing messages. Victims are redirected to fake websites that imitate TikTok for Business or even job-related platforms like Google Careers.

In some cases, users are encouraged to schedule a call, which makes the scam appear more legitimate. Before the phishing page is served, however, users must first pass a verification step powered by Cloudflare Turnstile.

The challenge is placed there deliberately to keep automated security scanners out, ensuring that only real users reach the malicious login page. Once a user logs in, the AitM phishing kit relays the session to the real service and captures login credentials, session cookies, and even multi-factor authentication codes in real time.

Malicious Infrastructure Behind the Campaign

Researchers identified several domains hosting the phishing pages.

These domains are designed to appear professional and trustworthy, increasing the likelihood of user interaction.

Parallel Campaign Uses SVG Files for Malware Delivery

In a separate but related development, researchers from WatchGuard discovered another phishing operation targeting users in Venezuela.

This campaign uses SVG file attachments disguised as invoices or financial documents. When opened, these files connect to external URLs that download malware onto the victim’s system.

Attackers also use URL-shortening services to redirect victims from legitimate domains to malicious destinations. The final payload is a Go-based malware strain showing similarities to BianLian ransomware.

Security experts warn that even seemingly harmless file formats like SVG can be weaponized in modern cyberattacks.
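As an added example (not part of the article or of WatchGuard's research), the following Python check flags SVG attachments that carry the external references or script content the campaign above relies on. The two sample SVGs and the example.invalid host are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: an "invoice" SVG that fetches from an external host and
# carries script, mirroring the behaviour described above (host is hypothetical).
SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
  <text x="10" y="20">Factura 2024-0917</text>
  <image xlink:href="https://example.invalid/invoice.png" width="1" height="1"/>
  <script>window.location = "https://example.invalid/download";</script>
</svg>"""

# Constructed sample: a plain drawing with no outbound references.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="#ccc"/>
</svg>"""

# Anything that is not a same-document fragment (#id) or a relative path.
EXTERNAL = re.compile(r"^\s*(https?:|//|data:|ftp:)", re.IGNORECASE)


def svg_findings(data: bytes) -> list:
    """Return the reasons an SVG attachment should be held for review.

    Flags <script> and <foreignObject> elements, on* event-handler attributes,
    and any href / xlink:href pointing at an external or data: URL. An SVG
    made only of shapes and text yields an empty list.
    """
    findings = []
    root = ET.fromstring(data)
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()  # drop the namespace prefix
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element present")
        for name, value in el.attrib.items():
            local = name.split("}")[-1].lower()  # handles {xlink-ns}href
            if local.startswith("on"):
                findings.append(f"event handler {local} on <{tag}>")
            elif local == "href" and EXTERNAL.match(value):
                findings.append(f"external reference on <{tag}>: {value}")
    return findings


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, "->", svg_findings(doc) or "no findings")
```

For attachments from untrusted senders, parse with a hardened XML parser such as defusedxml instead of the standard library, since the check itself should not be the thing that gets exploited.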
