New AITM phishing wave hijacks TikTok Business accounts

AndyC 28 March 2026

New AITM phishing wave hijacks TikTok Business accounts

New AITM phishing wave hijacks TikTok Business accounts

New AITM phishing wave hijacks TikTok Business accounts

New AITM phishing wave hijacks TikTok Business accounts

Pierluigi Paganini
March 27, 2026

A new AITM phishing campaign targets TikTok Business accounts to hijack them for malvertising, continuing tactics seen in earlier Google-themed scams.

Push Security researchers uncovered a new wave of AITM phishing pages targeting TikTok for Business accounts, aiming to hijack them for malvertising. The campaign includes TikTok and Google-themed fake pages, showing links to previous operations. Once compromised, accounts are used to run malicious ads, steal credentials, spread malware, and conduct ad fraud, diverting company advertising budgets for profit.

Attackers used newly registered domains created within seconds and hosted behind Cloudflare. The pages follow a common naming pattern and redirect victims from legitimate services before loading fake TikTok for Business or Google “Schedule a call” pages.

Users are asked to fill in basic details, then shown a malicious login page powered by an AITM phishing kit. The campaign uses bot protection to evade detection and likely spreads via targeted emails, similar to past operations.

“When the link is first clicked, the page is silently redirected from a legitimate Google Storage site before loading the page.” reads the report published by Push Security. “A Cloudflare Turnstile check is used to prevent security bots from analyzing the page, before loading either a TikTok or Google themed page. Progressing through the forms ultimately serves up an AITM phishing page.”

By combining trusted branding, redirects, and layered deception, attackers increase success rates and harvest credentials for further abuse, including account takeover and fraud.

While phishing campaigns usually mimic platforms like Google or Microsoft, targeting TikTok is becoming more common.

The platform has long been used to spread malicious links and social engineering content, including videos that trick users into installing infostealers like Vidar or StealC. It is also widely abused for crypto scams and direct attacks via messages. Gaining access to TikTok business accounts is especially valuable, as they can be used for malvertising and fraud.

Many users log in via Google, meaning a single compromise can expose both TikTok and Google accounts, enabling broader abuse such as ad fraud, data theft, and access to other connected services.

The report also includes Indicators of Compromise (IoCs) for this campaign.

“Short-lived IoCs are of limited value when tackling modern phishing attacks due to the rate at which attackers are able to quickly spin up and rotate the sites used in the attack chain, often dynamically serving different URLs to site visitors.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, TikTok)

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , , , , , ,

More Stories

CISA and BSI warn orgs of critical PTC Windchill and FlexPLM flaw

CISA and BSI warn orgs of critical PTC Windchill and FlexPLM flaw

AndyC 28 March 2026
U.S. CISA adds an Aquasecurity Trivy flaw to its Known Exploited Vulnerabilities catalog

U.S. CISA adds an Aquasecurity Trivy flaw to its Known Exploited Vulnerabilities catalog

AndyC 28 March 2026
Reflecting on Your Tier Model: CVE-2025-33073 and the One-Hop Problem

China-linked Red Menshen APT deploys stealthy BPFDoor implants in telecom networks

AndyC 27 March 2026
U.S. CISA adds an Aquasecurity Trivy flaw to its Known Exploited Vulnerabilities catalog

U.S. CISA adds a Langflow flaw to its Known Exploited Vulnerabilities catalog

AndyC 27 March 2026
Coruna exploit reveals evolution of Triangulation iOS exploitation framework

Coruna exploit reveals evolution of Triangulation iOS exploitation framework

AndyC 27 March 2026

Start your Cybersecurity career for Free – Highly Effective 2016

AndyC 27 March 2026

You may have missed

New AITM phishing wave hijacks TikTok Business accounts

New AITM phishing wave hijacks TikTok Business accounts

AndyC 28 March 2026
CISA and BSI warn orgs of critical PTC Windchill and FlexPLM flaw

CISA and BSI warn orgs of critical PTC Windchill and FlexPLM flaw

AndyC 28 March 2026
Iran-Linked Threat Group Hacks FBI Director Kash Patel’s Personal Email

BSidesSLC 2025 – LLM-Assisted Risk Management For Small Teams & Budgets

AndyC 28 March 2026
Reflecting on Your Tier Model: CVE-2025-33073 and the One-Hop Problem

Apple’s Email Privacy Tool Tested in FBI Threat Case, Exposing Limits of Anonymity

AndyC 28 March 2026
What Is CIAM? A Complete Guide to Customer Identity and Access Management in 2026

What Is CIAM? A Complete Guide to Customer Identity and Access Management in 2026

AndyC 28 March 2026

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.