According to Push Security, cybercriminals have deployed a new wave of AiTM phishing pages aimed at TikTok for Business accounts, with registered pages appearing on 24 March within a nine-second window. The cluster of pages was hosted behind Cloudflare with the same registrar, Nicenic International Group, which Push Security says is commonly abused for bulk phishing domain registrations.
The pages use a common naming convention, being various derivations of welcome.careers[.]com, and the threat is expected to grow as the campaign ramps up. When clicked, the link initially redirects through a legitimate Google Cloud Storage site before loading the malicious page, and the site employs a Cloudflare Turnstile check to prevent security bots from analysing it.
Victims are asked to complete a basic information form before being served a malicious login page that fronts a reverse proxy AiTM phishing kit, with TikTok for Business or Google-themed content appearing along the way.
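
The registration pattern reported here (many domains, one registrar, a window of seconds) is something defenders can hunt for in newly-registered-domain feeds. The sketch below is an added example, not code from Push Security or the original article; the record layout, registrar labels, timestamps and `.example` domains are constructed, and the nine-second window and three-domain minimum are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime

# Constructed records: (domain, registrar, creation time in UTC).
# Names use the reserved .example TLD; none are taken from the report.
SAMPLE_RECORDS = [
    ("portal-one.example", "Registrar A", "2024-01-01T10:15:01Z"),
    ("portal-two.example", "registrar a ", "2024-01-01T10:15:03Z"),
    ("portal-three.example", "Registrar A", "2024-01-01T10:15:07Z"),
    ("portal-four.example", "Registrar A", "2024-01-01T10:15:09Z"),
    ("late-signup.example", "Registrar A", "2024-01-01T10:20:00Z"),
    ("shop-one.example", "Registrar B", "2024-01-01T10:15:02Z"),
    ("shop-two.example", "Registrar B", "2024-01-01T10:15:04Z"),
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_registration_bursts(records, window_seconds=9, min_domains=3):
    """Group records by registrar and return clusters of at least
    min_domains domains created within window_seconds of the first one."""
    by_registrar = defaultdict(list)
    for domain, registrar, created in records:
        key = registrar.strip().lower()  # normalise spelling variants
        by_registrar[key].append((parse_ts(created), domain))

    bursts = []
    for registrar, items in sorted(by_registrar.items()):
        items.sort()
        start = 0
        while start < len(items):
            end = start
            while (end + 1 < len(items) and
                   (items[end + 1][0] - items[start][0]).total_seconds() <= window_seconds):
                end += 1
            if end - start + 1 >= min_domains:
                bursts.append({
                    "registrar": registrar,
                    "span_seconds": int((items[end][0] - items[start][0]).total_seconds()),
                    "domains": [d for _, d in items[start:end + 1]],
                })
                start = end + 1  # consume the cluster
            else:
                start += 1       # slide the anchor forward
    return bursts

if __name__ == "__main__":
    for burst in find_registration_bursts(SAMPLE_RECORDS):
        print(burst)
```

A burst on its own is a triage signal rather than a verdict; shared hosting and a common naming convention, as described in the report, are the kind of corroborating attributes to check next.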