Phishing hits TikTok Business
A new phishing campaign is targeting TikTok for Business accounts, exposing sellers and ad managers to credential theft and account takeovers—checklists and 2FA matter more than ever. Security incidents like this change how agencies document account access and vendor roles. (bleepingcomputer.com)
Push Security reported detection and blocking of a cluster of adversary‑in‑the‑middle (AitM) phishing pages aimed at TikTok for Business on March 26–27, 2026; the pages used reverse‑proxy hosts to capture login forms and session cookies in real time. (pushsecurity.com) The campaign hosted pages behind Cloudflare infrastructure and deployed Google‑themed “Schedule a Call” imitation pages and Google Storage redirects to evade automated scanners and sandboxing. (thehackernews.com) (pushsecurity.com)

Security analysts say the phishing kit performs live MFA relays that can intercept one‑time codes and session cookies, enabling account takeover even when app‑based or SMS 2FA is active. (cybernews.com) (microsoft.com) Researchers flagged advertisers’ accounts as high‑value targets because a hijacked TikTok for Business account can be used for malvertising, ad fraud, unauthorized ad spend, and propagation of malware, echoing tactics seen in late‑2025 Google ad‑account campaigns. (bitdefender.com) (pushsecurity.com)

TikTok’s official guidance instructs advertisers to validate sender domains (tiktok.com or bytedance.com) and lock recovery email/phone details, while incident reports recommend blocking suspicious linked domains and monitoring session activity. (ads.tiktok.com) (pushsecurity.com) TikTok Business Center documents Admin and Standard roles and provides change logs that record time, object, activity and operator details; agencies can export these for audits to enforce least‑privilege vendor access and client‑owned asset patterns. (ads.tiktok.com)
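The two pieces of guidance above, validating sender domains and reviewing Business Center change logs, can be turned into routine checks. The script below is an added example, not code from TikTok, Push Security or any other source cited here. It assumes two things the page does not state: that the change-log export is a CSV with the columns time, object, activity and operator (the sample rows are constructed), and that the agency keeps an allowlist of operator accounts permitted to make privileged changes.

```python
"""Two defender-side checks drawn from the guidance above.  Added example, not
code from TikTok, Push Security or any source cited on the page.
Assumptions not on the page: the change-log export is a CSV with the columns
time, object, activity, operator (constructed here), and the agency keeps an
allowlist of operator accounts that may make privileged changes.
"""
import csv
import io

# Sender domains TikTok's guidance names as legitimate.
TRUSTED_SENDER_DOMAINS = {"tiktok.com", "bytedance.com"}

# Activities worth review when performed by an unapproved operator
# (constructed wording; map these to the real export's activity strings).
PRIVILEGED_MARKERS = ("role to admin", "added member", "recovery")


def _address_part(from_header: str) -> str:
    """Return the address inside the last <...> pair, or the bare value.
    Taking the last angle-bracketed part means a display name that itself
    looks like an address ('support@tiktok.com <x@evil.example>') is ignored."""
    value = from_header.strip()
    if value.endswith(">") and "<" in value:
        value = value[value.rfind("<") + 1:-1]
    return value.strip()


def sender_domain_is_trusted(from_header: str) -> bool:
    """True only if the From: address is on a trusted domain or a subdomain of
    one.  The comparison is anchored at a dot boundary, so 'tiktok.com.evil.net'
    and 'tiktok-com.net' fail; punycode labels are rejected as lookalikes."""
    addr = _address_part(from_header)
    if addr.count("@") != 1:
        return False
    domain = addr.split("@")[1].lower().rstrip(".")
    if any(label.startswith("xn--") for label in domain.split(".")):
        return False
    return any(domain == d or domain.endswith("." + d)
               for d in TRUSTED_SENDER_DOMAINS)


# Constructed sample rows in the shape the page describes (time, object,
# activity, operator); not a real Business Center export.
SAMPLE_CHANGE_LOG = """time,object,activity,operator
2026-03-26T09:12:00Z,Ad Account 1,Added member as Standard,ops@agency.example
2026-03-26T09:40:00Z,Business Center,Changed member role to Admin,unknown@freemail.example
2026-03-27T02:05:00Z,Ad Account 1,Updated recovery email,ops@agency.example
2026-03-27T02:06:00Z,Ad Account 1,Created campaign,ops@agency.example
"""


def audit_change_log(csv_text: str, approved_operators: set) -> list:
    """Flag rows an agency should review: any recovery-contact change (the
    guidance says to lock these), and any privileged change made by an operator
    outside the approved list."""
    approved = {o.lower() for o in approved_operators}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        activity = row["activity"].lower()
        operator = row["operator"].lower()
        reason = None
        if "recovery" in activity:
            reason = "recovery contact changed"
        elif any(m in activity for m in PRIVILEGED_MARKERS) and operator not in approved:
            reason = "privileged change by unapproved operator"
        if reason:
            findings.append({"time": row["time"], "object": row["object"],
                             "activity": row["activity"], "operator": row["operator"],
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for header in ("TikTok Ads <no-reply@ads.tiktok.com>",
                   "TikTok <support@tiktok.com.example.net>"):
        print(f"{header!r}: trusted={sender_domain_is_trusted(header)}")
    for f in audit_change_log(SAMPLE_CHANGE_LOG, {"ops@agency.example"}):
        print(f"{f['time']} {f['object']}: {f['activity']} by {f['operator']} -> {f['reason']}")
```

The From-domain check is the cheap layer only: a From header is spoofable, so it should sit behind SPF/DKIM/DMARC alignment in the mail gateway rather than replace it. The change-log markers are placeholders; map them to the exact activity strings in a real export before relying on the audit output.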