Ethical Hacking News
Threat actors are using adversary-in-the-middle (AitM) phishing pages to take over TikTok for Business accounts, which can then be used for malvertising and distributing malware. The campaign gates its pages behind a Cloudflare Turnstile check to keep bots and automated scanners from analyzing them. This emerging threat highlights the importance of staying vigilant and taking proactive measures to protect against such threats.
TikTok for Business accounts are being targeted with adversary-in-the-middle (AitM) phishing campaigns. The phishing pages aim to steal credentials, and attackers use Cloudflare Turnstile to block bots and scanners. The malicious domains used are designed to avoid detection and make it harder for victims to identify the fake pages. This is not an isolated incident: earlier phishing campaigns have targeted similar types of accounts. Staying up-to-date with the latest security measures and technologies is crucial to protect against such threats.
Threat actors are continuing to evolve their tactics, and one emerging threat that has caught the attention of cybersecurity experts is the use of adversary-in-the-middle (AitM) phishing pages to seize control of TikTok for Business accounts. According to a report from Push Security, this new campaign targets business accounts associated with social media platforms, which can be weaponized by bad actors for malvertising and distributing malware.
The AitM phishing campaign begins by tricking victims into clicking a malicious link that directs them to either a lookalike page impersonating TikTok for Business or a page designed to impersonate Google Careers, along with an option to schedule a call to discuss the opportunity. Regardless of the type of page served, the end goal is the same: perform a Cloudflare Turnstile check to block bots and automated scanners from analyzing the contents of the page, then serve a malicious AitM phishing login page designed to steal the victim's credentials.
The phishing pages are hosted on various domains, including welcome.careerscrews[.]com, welcome.careerstaffer[.]com, welcome.careersworkflow[.]com, welcome.careerstransform[.]com, and welcome.careersupskill[.]com. The use of these domains is a clever tactic by the attackers to avoid detection and make it more difficult for victims to identify the malicious pages.
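As an added example (not code from the article, Push Security or Sublime Security), the following refangs the domains listed above and checks web proxy log lines against them. The log format, the sample lines and the `welcome.career<letters>.com` hunting pattern are assumptions made for this sketch.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators exactly as listed in the article.
PAGE_IOCS = ("welcome.careerscrews[.]com welcome.careerstaffer[.]com "
             "welcome.careersworkflow[.]com welcome.careerstransform[.]com "
             "welcome.careersupskill[.]com").split()

def refang(value):
    """Undo defanging and reduce a URL or hostname to a comparable host."""
    host = value.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    if "://" in host:
        host = urlsplit(host).hostname or ""
    return host.split("/")[0].split(":")[0].rstrip(".")

KNOWN = {refang(i) for i in PAGE_IOCS}
# Assumption: shape inferred from the five names above; expect false positives.
LOOKALIKE = re.compile(r"^welcome\.career[a-z]+\.com$")

def classify(value):
    """Return 'known', 'lookalike' or None for a hostname or URL."""
    host = refang(value)
    if host in KNOWN:
        return "known"
    return "lookalike" if LOOKALIKE.match(host) else None

def scan(lines):
    """Return (user, host, verdict) hits from proxy lines shaped
    '<timestamp> <user> <method> <url>' (a constructed log format)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line
        verdict = classify(parts[3])
        if verdict:
            hits.append((parts[1], refang(parts[3]), verdict))
    return hits

# Constructed sample proxy lines, not real traffic; the fourth host is made up.
SAMPLE_LOG = [
    "2026-03-27T09:01:12Z alice GET https://ads.tiktok.com/business/",
    "2026-03-27T09:02:40Z bob GET https://Welcome.CareersCrews.com./login",
    "2026-03-27T09:03:05Z carol GET https://welcome.careersworkflow.com:443/a?x=1",
    "2026-03-27T09:04:55Z dave GET https://welcome.careersplaceholder.com/",
    "2026-03-27T09:05:10Z erin GET https://careers.google.com/jobs",
]
if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Exact matches are high-confidence; "lookalike" hits only follow the naming shape and need manual review before any blocking decision.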
This campaign is not an isolated incident, as there have been previous phishing campaigns that have targeted similar types of accounts. In October 2025, Sublime Security flagged a prior iteration of this credential phishing campaign, which used emails masquerading as outreach messages as a social engineering tactic. This highlights the importance of being vigilant and taking proactive measures to protect against such threats.
Using Cloudflare Turnstile to block bots and automated scanners is a common technique attackers use to evade detection. The Turnstile check keeps bots and scanners from analyzing the malicious pages, making it more difficult for security systems to detect the phishing campaign. This highlights the need for organizations to stay up-to-date with the latest security measures and technologies to protect against such threats.
The development of this new AitM phishing campaign is a reminder that threat actors continue to evolve and adapt their tactics to evade detection. For cybersecurity experts, it's essential to stay informed and aware of emerging threats and trends in the ever-changing landscape of online security.
Related Information:
https://www.ethicalhackingnews.com/articles/AitM-Phishing-Campaigns-The-Emerging-Threat-to-TikTok-Business-Accounts-ehn.shtml
https://thehackernews.com/2026/03/aitm-phishing-targets-tiktok-business.html
https://www.infosecurity-magazine.com/news/phishing-targets-tiktok-for/
Published: Fri Mar 27 12:19:22 2026 by llama3.2 3B Q4_K_M