A new adversary-in-the-middle (AITM) phishing wave targets TikTok for Business accounts in order to hijack them for malvertising and fraud, according to Push Security researchers. The campaign uses newly registered domains that share common naming patterns and are hosted behind Cloudflare, redirecting victims from legitimate services to fake TikTok for Business or Google “Schedule a call” pages.
Users are prompted to enter basic details before encountering a malicious login page powered by an AITM kit with bot protection designed to evade detection. The lures are likely spread via targeted emails. The report describes a process where, on first click, the victim is silently redirected from a legitimate Google Storage site before the phishing page loads, and a Cloudflare Turnstile check is used to block security bots.
By combining trusted branding, redirects and layered deception, attackers harvest credentials for account takeover and advertising fraud. Many users log in via Google, potentially exposing both their TikTok and Google accounts. Push Security's report also provides Indicators of Compromise (IoCs) for defenders to review, though short-lived IoCs can be of limited value against rapid domain rotation.
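
Because rotating domains quickly age out of IoC lists, defenders can instead match the behaviour described above: a hop from Google Storage to a newly registered domain that then loads Cloudflare Turnstile. The following is an added detection sketch, not code from Push Security's report; the log fields, the 30-day age threshold, the 120-second window, the domain names and the registration dates are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

GCS_HOSTS = {"storage.googleapis.com"}        # Google Cloud Storage public host
TURNSTILE_HOST = "challenges.cloudflare.com"  # host that serves the Turnstile widget
MAX_DOMAIN_AGE = timedelta(days=30)           # assumed cut-off for "newly registered"
WINDOW = timedelta(seconds=120)               # assumed max duration of the chain

# Constructed sample data: domain -> registration date.
# In practice this would come from an RDAP/WHOIS or domain-age feed.
REGISTERED = {
    "ads-partner-login.example": datetime(2025, 1, 10),
    "intranet-wiki.example": datetime(2019, 6, 1),
}

# Constructed proxy log: (timestamp, client, requested host, referer host)
T = datetime(2025, 1, 15, 9, 0, 0)
LOG = [
    # Full chain: Google Storage -> 5-day-old domain -> Turnstile
    (T, "10.0.0.5", "storage.googleapis.com", ""),
    (T + timedelta(seconds=1), "10.0.0.5", "ads-partner-login.example",
     "storage.googleapis.com"),
    (T + timedelta(seconds=2), "10.0.0.5", "challenges.cloudflare.com",
     "ads-partner-login.example"),
    # Same shape, but the landing domain is years old: not flagged
    (T, "10.0.0.7", "storage.googleapis.com", ""),
    (T + timedelta(seconds=1), "10.0.0.7", "intranet-wiki.example",
     "storage.googleapis.com"),
    (T + timedelta(seconds=2), "10.0.0.7", "challenges.cloudflare.com",
     "intranet-wiki.example"),
    # Turnstile on its own is common and benign: not flagged
    (T, "10.0.0.9", "challenges.cloudflare.com", "shop.example"),
]

def find_chains(log, registered):
    """Return (client, landing_host) pairs matching GCS -> new domain -> Turnstile."""
    hits = []
    landings = {}  # (client, landing host) -> time it was reached from Google Storage
    for ts, client, host, referer in sorted(log):
        if referer in GCS_HOSTS and host in registered:
            # Domains with no registration data are skipped in this sketch.
            if ts - registered[host] <= MAX_DOMAIN_AGE:
                landings[(client, host)] = ts
        elif host == TURNSTILE_HOST and (client, referer) in landings:
            if ts - landings[(client, referer)] <= WINDOW:
                hits.append((client, referer))
    return hits

if __name__ == "__main__":
    for client, landing in find_chains(LOG, REGISTERED):
        print(f"review: {client} reached {landing} via Google Storage + Turnstile")
```

The heuristic relies on the Referer header surviving each hop, so treat a match as a lead for review rather than a verdict.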