TikTok Business Phishing Campaign: 2FA Bypass Techniques and 2026 Security Solutions
A sophisticated phishing campaign targeting TikTok Business accounts uses a multi-stage attack chain built on Google Storage and Cloudflare Turnstile to evade defensive systems. The most critical element is the Adversary-in-the-Middle (AiTM) technique, which lets threat actors hijack session cookies and thereby bypass Two-Factor Authentication (2FA) without ever needing the password or OTP code themselves.
Users are strongly advised never to log in via links received by email and to use only the official TikTok website.
1. The Multi-stage Attack Chain
According to analysis from Push Security, the initial delivery mechanism remains unconfirmed, but the evidence suggests the adversaries use methods similar to those reported by Sublime Security. The campaign is notable for its ability to evade security scanners:
Google Storage Redirection: The initial link in the phishing email leads to a URL hosted in a legitimate Google Storage bucket. Because the hostname has a good reputation, the email passes the reputation filters of secure email gateways (SEGs).
Cloudflare Turnstile Shield: Before reaching the landing page, the visitor must pass a Cloudflare bot check. This is a "double-edged sword" tactic: a security tool is used to keep automated security crawlers from reaching and analyzing the malicious site.
Sophisticated Impersonation: The adversaries do not only mimic TikTok for Business; they also create fake Google Careers "Schedule a Call" pages, where victims are asked to fill out forms under the guise of "business email verification" so that sensitive data can be harvested.

2. Why TikTok Business is a High-Value Target
Business accounts contain more than just sensitive data; they are directly linked to international payment methods. Hijacking one of these accounts opens the door to:
Unauthorized Ad Spend: Using the corporate budget to promote malicious products or scams.
Lead Data Theft: Harvesting data from active Lead Generation campaigns.
Corporate Extortion: Demanding ransoms to restore account access.
3. Risk Assessment
| Evaluation Criteria | Risk Level | Expert Technical Analysis |
|---|---|---|
| Complexity | Very High | Uses reverse-proxy infrastructure to intercept data in real time instead of serving simple static pages. |
| 2FA Bypass Capability | Critical | AiTM techniques completely neutralize traditional 2FA methods such as SMS OTP or authenticator apps. |
| Detection Probability | Low | Phishing sites use valid SSL/TLS certificates and 1:1 UI replicas, making them nearly impossible to distinguish visually. |
| Financial Impact | Very High | Attackers can immediately drain advertising budgets linked to corporate credit cards. |
| Data Breach Risk | Medium | High risk of losing customer information from ongoing Lead Gen campaigns. |
4. Indicators of Compromise (IoC) & Malicious Domains
All the domains listed below are hosted on the same Google Storage bucket, indicating a consistent, large-scale operation. System administrators should block these domains immediately:
(Note: These sites often feature fake login buttons where the TikTok login is replaced by a Google login, so that broader credentials can be harvested.)
5. Direct Recommendations from TikTok
To protect business accounts, users and IT departments must adhere to the following:
Direct Access Only: Never click login links from emails. Always access the TikTok Ads Manager directly via: ads.tiktok.com.
The "3 No's" Rule: TikTok will NEVER ask for your password, OTP, or sensitive info via messages or third-party websites.
Vigilant Verification: Be wary of sudden "Account Verification" requests, even if they appear professional.
Adopt FIDO2/WebAuthn: This is the most effective technical defense against session hijacking. A physical security key (such as a YubiKey) is bound to the registered domain by the browser, so it will not complete a login on a look-alike phishing domain, and there is no code for the victim to type into a proxy.
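Why a FIDO2 key defeats the AiTM proxy, as an added illustration that is not code from the article, from TikTok or from IPSIP: a minimal relying-party check of the two fields of a WebAuthn assertion that bind it to the real origin and RP ID. The RP ID, the allowed origin and every assertion byte below are constructed for this example, and the signature verification a real server also performs is omitted.

```python
import base64
import hashlib
import json

# Relying-party settings assumed for this example (not TikTok's real config).
RP_ID = "ads.tiktok.com"
ALLOWED_ORIGINS = {"https://ads.tiktok.com"}

def b64url(raw: bytes) -> str:
    """base64url without padding, the way browsers encode the challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes) -> tuple:
    """Origin/RP-binding checks of a WebAuthn assertion (signature check omitted)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The browser records the origin it is actually connected to; a page served
    # through a phishing reverse proxy cannot write the real origin here.
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {cd.get('origin')}"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    # First 32 bytes: SHA-256 of the RP ID the credential was scoped to.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP ID"
    if not authenticator_data[32] & 0x01:  # UP (user present) flag
        return False, "user presence not asserted"
    return True, "assertion bound to the legitimate origin"

def sample_assertion(origin: str, challenge: bytes, rp_id: str = RP_ID):
    """Construct clientDataJSON and authenticatorData for a demonstration login."""
    cd = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                     "origin": origin}).encode()
    # rpIdHash (32 bytes) | flags (1 byte, UP set) | signCount (4 bytes)
    ad = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return cd, ad

if __name__ == "__main__":
    chal = b"\x00" * 32  # constructed; real challenges are random per login
    print(verify_assertion(*sample_assertion("https://ads.tiktok.com", chal), chal))
    # A proxied login records the phishing host as origin and is rejected.
    print(verify_assertion(*sample_assertion("https://phishing-proxy.example", chal), chal))
```

In practice the browser already refuses to call the authenticator for an RP ID that does not match the page's origin, so a reverse-proxy phishing page never obtains a usable assertion; the server-side check shown here is the second line of defence.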
6. Sustainable Security Solutions for Enterprises
To defend against cloud-native phishing, IPSIP proposes the following measures:
Block Public Cloud Storage URLs: Implement strict firewall and mail-filter rules against links and executable files served from public storage buckets (Google Storage, AWS S3) unless a specific workflow requires them.
Passwordless Authentication: Deploy FIDO2 standards to completely eliminate the risk of AiTM/Session Hijacking.
Advanced Email Monitoring: Utilize IPSIP Security Services integrated with AI to analyze the behavior of multi-stage redirect links.
Periodic Vulnerability Assessments: Conduct Penetration Testing for corporate account systems to identify weaknesses in session management.
💡 IPSIP Expert Recommendation: If a compromise is suspected, administrators must immediately execute the "Revoke all active sessions" command within TikTok’s security settings to invalidate all hijacked cookies.
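One way to implement the "Block Public Cloud Storage URLs" measure against the bucket-hosted links described in section 1, as an added example that is not IPSIP's or the article's own code. It recognizes direct Google Storage and S3 bucket URLs and, going one step beyond the article, custom domains that are CNAMEs to a bucket, which is how the campaign's domains are fronted; the CNAME table, the allow-listed bucket and all sample links are constructed, and a real deployment would swap in a DNS lookup.

```python
import re
from urllib.parse import urlparse

# Direct bucket hosts: virtual-hosted (<bucket>.host) or path-style (host/<bucket>/...).
BUCKET_HOST_RE = re.compile(
    r"^(?:(?P<gcs>[a-z0-9._-]+)\.)?storage\.googleapis\.com$"
    r"|^(?:(?P<s3>[a-z0-9.-]+)\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"
)
# A custom domain fronting a GCS bucket is a CNAME to this host, and the
# bucket carries the domain's name.
GCS_CNAME_TARGET = "c.storage.googleapis.com"
# Constructed CNAME table standing in for a DNS resolver (not real records).
SAMPLE_CNAMES = {"welcome.phish-careers.example": GCS_CNAME_TARGET}
# Buckets a business workflow genuinely needs (assumed).
ALLOWED_BUCKETS = {"corp-marketing-assets"}


def classify_url(url: str, cname_lookup=SAMPLE_CNAMES.get) -> tuple:
    """Return ("block"|"allow", reason) for a link found in an inbound email."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    segments = [s for s in p.path.split("/") if s]
    m = BUCKET_HOST_RE.match(host)
    bucket = None
    if m:
        bucket = m.group("gcs") or m.group("s3") or (segments[0] if segments else None)
    elif cname_lookup(host) == GCS_CNAME_TARGET:
        bucket = host
    if bucket is None:
        return "allow", "not public cloud storage"
    if bucket in ALLOWED_BUCKETS:
        return "allow", f"allow-listed bucket {bucket}"
    return "block", f"link resolves to public storage bucket {bucket}"


# Constructed sample links of the kinds described in the article.
SAMPLE_LINKS = [
    "https://storage.googleapis.com/careers-schedule-call/index.html",
    "https://welcome.phish-careers.example/verify-business-email",
    "https://corp-marketing-assets.storage.googleapis.com/brand/logo.png",
    "https://docs-share.s3.eu-west-1.amazonaws.com/invoice.html",
    "https://ads.tiktok.com/i18n/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        action, reason = classify_url(link)
        print(f"{action:5} {link}  ({reason})")
```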
The combination of social engineering with the abuse of trusted infrastructure such as Google and Cloudflare marks a new level of adversary sophistication. Businesses should update their IoC lists immediately and raise awareness among their marketing personnel.