Threat actors are using adversary-in-the-middle (AitM) phishing pages to grab TikTok for Business credentials, according to Push Security. The campaign begins by steering victims to lookalike pages or to sites impersonating Google Careers. Both are designed to prompt a Cloudflare Turnstile check to deter automated analysis, after which a malicious AitM login page is served to steal credentials.
The phishing pages are hosted on domains including welcome.careerscrews[.]com, welcome.careerstaffer[.]com, welcome.careersworkflow[.]com, welcome.careerstransform[.]com, welcome.careersupskill[.]com, welcome.careerssuccess[.]com, welcome.careersstaffgrid[.]com, welcome.careersprogress[.]com, welcome.careersgrower[.]com, and welcome.careersengage[.]com.
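For defenders, the hostnames listed above can be hunted in web proxy or DNS logs. The following is an added example, not code from Push Security or the original report; the log format, the sample lines and the `welcome.careers<word>.com` sibling pattern are assumptions made for illustration.

```python
import re

# Indicators as listed on the page, kept defanged in source form.
PAGE_IOCS = """welcome.careerscrews[.]com welcome.careerstaffer[.]com
welcome.careersworkflow[.]com welcome.careerstransform[.]com
welcome.careersupskill[.]com welcome.careerssuccess[.]com
welcome.careersstaffgrid[.]com welcome.careersprogress[.]com
welcome.careersgrower[.]com welcome.careersengage[.]com""".split()

KNOWN_HOSTS = {i.replace("[.]", ".").lower() for i in PAGE_IOCS}
# Every listed indicator is under .com, so the last two labels are the registered domain.
KNOWN_DOMAINS = {".".join(h.split(".")[-2:]) for h in KNOWN_HOSTS}
# Assumption: naming scheme inferred from the list; a match is a triage lead, not a verdict.
SIBLING_PATTERN = re.compile(r"welcome\.careers[a-z0-9-]+\.com")

def normalize_host(url):
    """Reduce a logged URL or host to a bare lower-case hostname."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip().lower())
    host = host.split("/", 1)[0].split("@")[-1]
    if host.count(":") == 1:      # drop a port, leave IPv6 literals alone
        host = host.split(":")[0]
    return host.rstrip(".")       # trailing dot of a fully qualified name

def classify(host):
    if host in KNOWN_HOSTS:
        return "ioc-exact"
    if ".".join(host.split(".")[-2:]) in KNOWN_DOMAINS:
        return "ioc-domain"       # another subdomain of a listed domain
    if SIBLING_PATTERN.fullmatch(host):
        return "pattern-lead"
    return None

def hunt(log_lines):
    """Return (client, host, verdict) for every log line that matches."""
    hits = []
    for line in log_lines:
        _ts, client, url = line.split(maxsplit=2)
        host = normalize_host(url)
        verdict = classify(host)
        if verdict:
            hits.append((client, host, verdict))
    return hits

# Constructed proxy log lines (timestamp, client, URL); not real telemetry.
SAMPLE_LOG = [
    "2026-01-10T09:14:02Z 10.0.4.17 https://welcome.careersupskill.com/apply",
    "2026-01-10T09:15:40Z 10.0.4.22 http://WELCOME.CareersCrews.com:443/",
    "2026-01-10T09:16:11Z 10.0.4.30 https://login.careersengage.com./",
    "2026-01-10T09:17:05Z 10.0.4.31 https://welcome.careersconstructed.com/",
    "2026-01-10T09:18:29Z 10.0.4.40 https://careers.example.com/jobs",
]
```

An exact or same-domain hit warrants review of the affected user's TikTok for Business sessions and credentials; a `pattern-lead` hit only marks a hostname for manual inspection.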
An earlier iteration of the credential phishing campaign was flagged by Sublime Security in October 2025; it used emails masquerading as outreach messages as part of its social engineering tactic. The campaign has been described as using AitM techniques to seize control of TikTok for Business accounts, with the broader aim of enabling malvertising and malware distribution.