New AiTM Phishing Campaign Targets TikTok for Business Accounts
Severity: High (Score: 64.5)
Sources: Infosecurity-Magazine, Computing, Securityaffairs.Co, Bleepingcomputer
Summary
A recent phishing campaign specifically targets TikTok for Business accounts. Cybercriminals registered multiple adversary-in-the-middle (AiTM) phishing pages on March 24, 2026, using a common naming convention linked to welcome.careers*[.]com. These pages are hosted behind Cloudflare and were registered through Nicenic International Group, a registrar known for bulk phishing registrations. Victims are lured through a legitimate Google Cloud Storage URL, which redirects them to malicious pages that impersonate TikTok and Google Careers. Users are prompted to fill out a form before being directed to a fake login page designed to capture credentials and session cookies. This campaign exploits the common practice of logging into TikTok using Google single sign-on, potentially compromising both accounts.

The scope of the attack is significant: TikTok for Business accounts are used by companies to manage advertising campaigns, which makes them attractive targets for malvertising and ad fraud. Push Security has linked this campaign to previous phishing efforts targeting Google Ad Manager accounts. The situation remains active, and the number of malicious domains is expected to increase.

Key Points:
- A new phishing campaign targets TikTok for Business accounts using AiTM techniques.
- Malicious pages impersonate TikTok and Google Careers, capturing user credentials.
- The campaign exploits Google SSO, risking both TikTok and Google accounts for victims.
Key Entities
- Phishing (attack_type)
- AiTM Phishing Campaign (campaign)
- T1566.002 - Spearphishing Link (mitre_attack)
- T1566 - Phishing (mitre_attack)
- CapCut (platform)
- Google Careers (platform)
- Google Cloud Storage (platform)
- Google SSO (platform)
- Google Storage (platform)