Adversary-in-the-Middle (AiTM) Phishing Campaign Steals TikTok for Business Credentials and MFA

Executive Summary

Security researchers at Push Security have uncovered an ongoing, sophisticated phishing campaign specifically targeting TikTok for Business accounts. The attackers are using Adversary-in-the-Middle (AiTM) phishing kits, which are capable of bypassing multi-factor authentication (MFA) by hijacking user sessions in real-time. The campaign employs clever evasion techniques, including initial redirects from legitimate Google Storage URLs and the use of Cloudflare Turnstile challenges to weed out security bots. A successful attack results in the complete takeover of a business account, which can then be used to run malicious ad campaigns or distribute malware, posing a significant threat to businesses and their customers on the platform.

Threat Overview

This campaign represents a significant evolution from traditional phishing attacks. By using an AiTM framework, the attackers are not just stealing static credentials; they are actively intercepting the entire login process, including the one-time codes used for MFA.

• Target: TikTok for Business accounts, which are valuable for their advertising capabilities and reach.
• Technique: Adversary-in-the-Middle (AiTM) phishing.
• Goal: Full account takeover to conduct fraudulent activities.

Technical Analysis

The attack chain is multi-staged and designed for stealth and effectiveness:

1. Distribution: The attack begins with a malicious link, likely distributed via targeted phishing emails or direct messages.
2. Initial Redirect: To appear legitimate and bypass some email filters, the link first points to a valid storage.googleapis.com URL. This Google Storage page then automatically redirects the victim to the actual phishing site. (T1566.002 - Spearphishing Link)
3. Bot Evasion: The phishing site first presents a Cloudflare Turnstile challenge (a CAPTCHA alternative). This step is designed to ensure a real human is interacting with the site, filtering out automated security scanners and analysis bots.
4. Credential Harvesting: After passing the check, the victim is presented with a pixel-perfect replica of the TikTok for Business login page. The AiTM kit acts as a proxy, forwarding the victim's credentials to the real TikTok site while capturing them. It also intercepts the subsequent MFA prompt and the victim's one-time code or approval.
5. Session Hijacking: Upon successful authentication, the AiTM server captures the session cookie issued by TikTok. This cookie allows the attacker to maintain access to the account even if the password is changed, effectively hijacking the authenticated session. (T1539 - Steal Web Session Cookie)

Impact Assessment

Compromise of a TikTok for Business account can have severe consequences:

• Financial Loss: Attackers can use the account's linked payment methods to run fraudulent advertising campaigns, racking up significant charges.
• Malware Distribution: The compromised account can be used to post TikTok videos that lure users into downloading malware, such as infostealers disguised as cracked software (e.g., Spotify, CapCut).
• Reputational Damage: Malicious activity conducted from a legitimate business account can severely damage the brand's reputation and erode customer trust.
• Loss of Control: The business loses access to its own account, audience, and content.

Detection & Response

• Monitor for Suspicious Logins: Enable and monitor login alerts from TikTok. Look for logins from unusual geographic locations, IP addresses, or device types.
• URL Analysis: Train users to be suspicious of any login page that does not have the correct tiktok.com domain in the address bar. Even if the page looks perfect, the URL is the key indicator. This aligns with D3FEND's URL Analysis (D3-UA).
• Review Active Sessions: Regularly review active sessions in your TikTok account settings and terminate any that are unrecognized.

Mitigation

1. Phishing-Resistant MFA: The most effective mitigation against AiTM attacks is to use phishing-resistant MFA, such as FIDO2-compliant security keys (e.g., YubiKey). These methods cryptographically bind the login to the legitimate domain, making it impossible for a proxy on a different domain to complete the authentication. (M1032 - Multi-factor Authentication)
2. User Training: Educate employees, especially those in marketing and social media roles, about the specific tactics of AiTM phishing. Emphasize the importance of checking the URL before entering credentials and being wary of unexpected login prompts. (M1017 - User Training)
3. Email Security: Use advanced email security solutions that can analyze links and detect redirects to malicious sites, even when they originate from trusted domains like Google's.
4. Restrict Web Content: Use web filtering solutions to block access to newly registered domains and known phishing sites. The domains in this campaign were registered via Nicenic, a registrar often associated with malicious activity.