A new adversary-in-the-middle (AitM) phishing campaign is targeting TikTok for Business accounts, leveraging evasion techniques to bypass Cloudflare Turnstile protections, according to a report from Push Security.
Business accounts on social media platforms are particularly lucrative for attackers, as they can be weaponized for malvertising, malware distribution, and credential theft.
How the Campaign Works
The phishing campaign begins by tricking victims into clicking a malicious link. These links lead to:
- Lookalike pages impersonating TikTok for Business.
- Fake Google Careers pages advertising bogus business opportunities, often with an option to schedule a call.
The phishing pages first present a Cloudflare Turnstile check, which keeps automated scanners and bots from reaching the lure itself. Once a visitor passes the check, the page presents a malicious login form designed to capture the user's credentials.
According to Push Security, previous iterations of this campaign were flagged by Sublime Security in October 2025, leveraging social engineering emails to lure victims into visiting fake pages.
Known Malicious Domains
The phishing pages are currently hosted on the following domains:
Related Malware Campaigns
In parallel, WatchGuard has observed a phishing campaign targeting users in Venezuela using malicious SVG attachments. These files masquerade as invoices, receipts, or budgets and download malware when opened.
- The malicious URLs use the ja.cat URL shortener to redirect victims to legitimate but vulnerable domains.
- The downloaded artifact is a Go-based malware that overlaps with the BianLian ransomware family.
- This demonstrates how even seemingly harmless file types like SVG can be weaponized for malware delivery.
Mitigation and Security Recommendations
To protect business accounts and employees from this campaign:
- Verify URLs carefully before entering credentials, especially for business accounts.
- Enable multi-factor authentication (MFA) for all accounts.
- Educate staff to recognize adversary-in-the-middle phishing pages and suspicious emails.
- Monitor for unusual login activity or alerts from platforms like TikTok.
- Block access to known malicious domains using network or endpoint security tools.
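As an added illustration of the last recommendation (not code from Push Security or the report), the script below scans constructed DNS resolver log lines and flags queries that either hit a defanged blocklist or match the hostname shape reported for this campaign (a "welcome." label under a "careers<word>.com" domain). The blocklist entry, log lines and client addresses are constructed placeholders.

```python
import re
from typing import List, Optional, Set, Tuple

# Hostname shape reported for this campaign: "welcome." under "careers<word>.com".
# The regex is a generalisation of that shape, not a list from the report.
CAMPAIGN_HOST_RE = re.compile(r"^welcome\.careers[a-z0-9-]+\.com$")

# Blocklist in the defanged form threat reports use ("[.]" for ".");
# this entry is a constructed placeholder, not a domain from the report.
DEFANGED_BLOCKLIST = ["welcome.careersplaceholder[.]com"]

# Constructed resolver log lines in a dnsmasq-like format.
SAMPLE_LOG = """\
Jan 12 09:14:02 resolver dnsmasq[812]: query[A] welcome.careersplaceholder.com from 10.0.4.17
Jan 12 09:14:05 resolver dnsmasq[812]: query[A] www.tiktok.com from 10.0.4.17
Jan 12 09:15:11 resolver dnsmasq[812]: query[A] welcome.careersanother.com from 10.0.4.22
Jan 12 09:15:40 resolver dnsmasq[812]: query[AAAA] careers.google.com from 10.0.4.22
"""

QUERY_RE = re.compile(r"query\[\w+\] (?P<name>\S+) from (?P<client>\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


def classify(hostname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the reason a hostname is flagged, or None if it is clean."""
    host = hostname.lower().rstrip(".")
    if host in blocklist:
        return "blocklist"
    if CAMPAIGN_HOST_RE.match(host):
        return "campaign-pattern"
    return None


def flag_queries(log_text: str, defanged: List[str]) -> List[Tuple[str, str, str]]:
    """Scan resolver log lines; return (client, hostname, reason) for each hit."""
    blocklist = {refang(d) for d in defanged}
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line
        reason = classify(m["name"], blocklist)
        if reason:
            hits.append((m["client"], m["name"], reason))
    return hits


if __name__ == "__main__":
    for client, name, reason in flag_queries(SAMPLE_LOG, DEFANGED_BLOCKLIST):
        print(f"{client} -> {name} ({reason})")
```

The same `classify` check can be dropped into a proxy or EDR log pipeline; the pattern match catches freshly registered hosts before they reach a published blocklist.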
“TikTok has historically been abused to distribute malicious links and social engineering instructions, including infostealers like Vidar, StealC, and Aura Stealer,” Push Security noted.