Full Report
Threat actors are using adversary-in-the-middle (AitM) phishing pages to seize control of TikTok for Business accounts in a new campaign, according to a report from Push Security. Business accounts associated with social media platforms are a lucrative target, as they can be weaponized by bad actors for malvertising and distributing malware. "TikTok has been historically abused to distribute
Analysis Summary
# Tool/Technique: AitM Phishing for TikTok Business Accounts
## Overview
Threat actors are utilizing Adversary-in-the-Middle (AitM) phishing frameworks to compromise TikTok for Business accounts. The phishing page is a reverse proxy that sits between the victim and the legitimate TikTok login service: the victim enters credentials and completes MFA against the real service, while the proxy records the credentials and the session cookie the service issues afterwards. Because the attacker replays that post-MFA cookie rather than the credentials, standard MFA (SMS, TOTP, push) is bypassed. The compromised accounts are subsequently weaponized for malvertising and the distribution of infostealers.
## Technical Details
- **Type:** Technique (Adversary-in-the-Middle) / Phishing Campaign
- **Platform:** Web-based (SaaS Platforms including TikTok and Google Careers)
- **Capabilities:** Real-time credential harvesting, session cookie theft (MFA bypass), evasion of automated scanners and headless browsers via Cloudflare Turnstile gating.
- **First Seen:** Campaign iteration flagged October 2025; current TikTok-specific variant reported March 2026.
## MITRE ATT&CK Mapping
- **[TA0043 - Reconnaissance]**
  - [T1589.002 - Gather Victim Identity Information: Email Addresses]
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link]
  - [T1078.004 - Valid Accounts: Cloud Accounts]
- **[TA0006 - Credential Access]**
  - [T1557 - Adversary-in-the-Middle]
  - [T1111 - Multi-Factor Authentication Interception]
## Functionality
### Core Capabilities
- **AitM Proxying:** Acts as a reverse proxy between the victim's browser and the legitimate service, relaying each request and response in real time so the login flow looks and behaves like the real one while credentials are captured in transit.
- **Session Stealing:** Captures the authenticated session cookie issued after the victim completes MFA, allowing attackers to hijack the account by importing the cookie into their own browser, with no need to re-authenticate or defeat MFA again.
- **Lookalike Branding:** Employs sophisticated impersonation of TikTok for Business and Google Careers portals to establish trust.
### Advanced Features
- **Anti-Analysis (Cloudflare Turnstile):** The phishing sites integrate Cloudflare Turnstile to verify users via CAPTCHA-like challenges. This is used to block automated security scanners and "headless" browsers from analyzing the malicious content.
- **Open Redirect Exploitation:** Uses legitimate domains with open-redirect vulnerabilities to mask the final destination of malicious links, so the URL the victim sees (and that URL-reputation filters evaluate) points at a trusted domain while the browser lands on the phishing page.
## Indicators of Compromise
### Network Indicators (Defanged)
- welcome.careerscrews[.]com
- welcome.careerstaffer[.]com
- welcome.careersworkflow[.]com
- welcome.careerstransform[.]com
- welcome.careersupskill[.]com
- welcome.careerssuccess[.]com
- welcome.careersstaffgrid[.]com
- welcome.careersprogress[.]com
- welcome.careersgrower[.]com
- welcome.careersengage[.]com
### Behavioral Indicators
- Authentication events for a user originating from hosting-provider, VPS or proxy IP space shortly after that user's normal residential or corporate login, or from a location that implies impossible travel.
- Cloudflare Turnstile challenges served from newly registered lookalike domains (for example the welcome.careers* pattern above) in front of a login form; Turnstile itself is legitimate, so the indicator is the combination of challenge gating and a domain that impersonates a known brand.
## Associated Threat Actors
- **Unknown:** Specific group names not identified, but the campaign demonstrates overlaps with tactics used by **BianLian** (specifically the use of Go-based artifacts and SVG-based phishing).
## Detection Methods
- **Behavioral Detection:** Monitoring for "impossible travel" logins and for sessions whose client fingerprint (user-agent string, TLS fingerprint, source ASN) differs from the user's established profile, which can expose an attacker replaying a stolen cookie from different infrastructure.
- **Network Security:** Inspecting DNS, proxy and email-gateway logs for the identified "welcome.careers*" domain pattern, including where such a host appears only as the target of an open-redirect parameter on a trusted domain.
- **Email Security:** Flagging messages that use SVG attachments or URLs shortened via `ja.cat` which lead to credential-collecting sites.
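The following Python block is an added example, not part of Push Security's report or tooling, that runs the behavioral and network detections above over a few constructed log records: an impossible-travel check between consecutive logins of the same user, a flag on logins from hosting or proxy address space (the `ip_class` enrichment label is assumed), and a match of the `welcome.careers*` indicator pattern against URLs, following URL-valued query parameters so that a phishing host hidden behind an open redirect is still caught. The IP addresses, timestamps and URLs are constructed sample data.

```python
import math
import re
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Regex for the defanged "welcome.careers*" indicator pattern listed above.
IOC_DOMAIN_RE = re.compile(r"^welcome\.careers[a-z0-9-]*\.com$", re.IGNORECASE)

# Constructed sample authentication events (not real telemetry). Coordinates are
# approximate city centres; "ip_class" is assumed to come from an enrichment
# source that labels addresses as residential ISP or hosting/proxy space.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2026-03-02T09:00:00", "ip": "203.0.113.10",
     "lat": 51.5074, "lon": -0.1278, "ip_class": "isp"},        # London
    {"user": "alice", "ts": "2026-03-02T09:40:00", "ip": "198.51.100.7",
     "lat": 1.3521, "lon": 103.8198, "ip_class": "hosting"},    # Singapore
    {"user": "bob", "ts": "2026-03-02T10:00:00", "ip": "192.0.2.5",
     "lat": 40.7128, "lon": -74.0060, "ip_class": "isp"},       # New York
    {"user": "bob", "ts": "2026-03-02T18:00:00", "ip": "192.0.2.5",
     "lat": 40.7128, "lon": -74.0060, "ip_class": "isp"},
]

# Constructed sample URLs as they might appear in proxy or email-gateway logs.
SAMPLE_URLS = [
    "https://legit.example/redirect?url=https%3A%2F%2Fwelcome.careerscrews.com%2Flogin",
    "https://welcome.careersengage.com/apply",
    "https://www.example.com/jobs?ref=newsletter",
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def flag_impossible_travel(events, max_kmh=900.0):
    """Return (user, ip) pairs for logins that imply travel faster than max_kmh
    since the same user's previous login."""
    alerts = []
    last = {}
    for e in sorted(events, key=lambda e: (e["user"], e["ts"])):
        prev = last.get(e["user"])
        if prev is not None:
            delta = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            # Zero elapsed time with a location change is impossible too.
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                alerts.append((e["user"], e["ip"]))
        last[e["user"]] = e
    return alerts


def flag_hosting_logins(events):
    """Return (user, ip) pairs for logins from hosting/proxy address space."""
    return [(e["user"], e["ip"]) for e in events if e["ip_class"] == "hosting"]


def final_destination(url, depth=0):
    """Follow URL-valued query parameters (the open-redirect pattern) to the
    host a click would actually land on."""
    parsed = urlparse(url)
    if depth < 5:
        for values in parse_qs(parsed.query).values():
            for v in values:
                if v.lower().startswith(("http://", "https://")):
                    return final_destination(v, depth + 1)
    return (parsed.hostname or "").lower()


def flag_ioc_urls(urls):
    """Return (url, landing_host) pairs whose landing host matches the IOC pattern."""
    hits = []
    for u in urls:
        host = final_destination(u)
        if IOC_DOMAIN_RE.match(host):
            hits.append((u, host))
    return hits


if __name__ == "__main__":
    print("impossible travel:", flag_impossible_travel(SAMPLE_EVENTS))
    print("hosting logins:", flag_hosting_logins(SAMPLE_EVENTS))
    print("IOC URLs:", flag_ioc_urls(SAMPLE_URLS))
```

The travel threshold of 900 km/h is a common rule-of-thumb for commercial flight speed; tune it and the hosting-ASN enrichment to your environment, and treat a hit on either check as a prompt to revoke the user's sessions rather than just the password, since the attacker holds a cookie, not only credentials.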
## Mitigation Strategies
- **FIDO2/WebAuthn:** Implement phishing-resistant authenticators (hardware security keys such as YubiKeys, or platform passkeys). A WebAuthn assertion is bound to the relying party ID and the origin the browser is actually on, so a challenge relayed through a lookalike domain produces a response the real service rejects; the proxy never obtains anything it can replay.
- **Browser-Based Protection:** Use security extensions that detect and block known AitM phishing infrastructure.
- **Conditional Access:** Restrict login attempts to managed devices or trusted IP ranges, and bind sessions to device or network context so a cookie exported from the victim's browser is not accepted from the attacker's infrastructure.
- **User Education:** Train employees to scrutinize URLs, especially when prompted for authentication following a link from an unsolicited email or social media message.
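To make the FIDO2/WebAuthn point concrete, here is an added example (not code from the report or from TikTok) of the relying-party checks that run before signature verification in the WebAuthn assertion procedure: challenge freshness, the `origin` field of `clientDataJSON`, and the `rpIdHash` in `authenticatorData`. The relying-party ID `example.com` and origin `https://login.example.com` are assumed stand-ins; the phishing origin is one of the indicator domains from the report. The browser fills in `origin` itself, so a page served from the proxy domain cannot forge it.

```python
import base64
import hashlib
import json

# Assumed relying-party values for illustration; TikTok's real RP ID and
# login origin are not taken from the report.
RP_ID = "example.com"
RP_ORIGIN = "https://login.example.com"
# One of the defanged indicator domains from the report, refanged for the demo.
PHISH_ORIGIN = "https://welcome.careerscrews.com"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin, challenge, typ="webauthn.get"):
    """Constructed clientDataJSON in the shape a browser produces. The browser,
    not the page's script, fills in the origin it is running on."""
    return json.dumps({"type": typ, "challenge": challenge, "origin": origin}).encode()


def make_authenticator_data(rp_id, flags=0x05, sign_count=1):
    """Constructed authenticatorData: rpIdHash (32) || flags (1) || signCount (4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion(client_data_json, auth_data, expected_challenge, expected_origin, rp_id):
    """Relying-party checks from the WebAuthn assertion procedure that precede
    signature verification. Returns (ok, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch: %s" % cd.get("origin")
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    # The signature over authData || sha256(clientDataJSON) is verified with the
    # registered public key after these checks; it is omitted here (needs a
    # crypto library) because the origin binding above is what defeats a proxy.
    return True, "ok"


def demo():
    """Genuine login versus the same challenge relayed through the phishing origin."""
    challenge = b64url_encode(b"constructed-32-byte-challenge!!!")  # fixed for determinism
    auth = make_authenticator_data(RP_ID)
    genuine = verify_assertion(make_client_data(RP_ORIGIN, challenge), auth, challenge, RP_ORIGIN, RP_ID)
    proxied = verify_assertion(make_client_data(PHISH_ORIGIN, challenge), auth, challenge, RP_ORIGIN, RP_ID)
    return genuine, proxied


if __name__ == "__main__":
    print(demo())
```

In practice the failure happens even earlier: a browser on `welcome.careerscrews.com` refuses to call the authenticator with an `rpId` of `example.com` at all, because the RP ID must be a registrable suffix of the page's own domain. If the proxy instead requests its own domain as `rpId`, the `rpIdHash` check above fails. Either way the relay never obtains a usable assertion, which is the property password-plus-OTP flows lack.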
## Related Tools/Techniques
- **ClickFix:** A social engineering technique used to trick users into running malicious commands (previously used to deliver Vidar and StealC).
- **BianLian Malware:** A Go-based threat often delivered via similar phishing chains.
- **Evilginx/Mophish:** Frameworks commonly used to facilitate AitM attacks.