TikTok-for-Business Phishing Alert
Security reporting flagged a phishing campaign targeting TikTok for Business accounts, warning that marketer-facing profiles are being spoofed and compromised — a reminder that basic account security is now part of platform-savvy hiring conversations. The piece includes steps for staying safe when managing brand accounts. (techradar.com)
Push Security's analysis shows the phishing cluster consisted of domains registered on March 24, 2026 within a nine-second window, all using Nicenic International Group as the registrar. (pushsecurity.com)

The attack chain silently redirects victims through a legitimate Google Storage URL, then triggers a Cloudflare Turnstile bot check before loading either a cloned TikTok for Business page or a spoofed Google "Schedule a call" careers flow. (pushsecurity.com)

Researchers describe the payload as an adversary-in-the-middle reverse-proxy phishing kit that captures typed credentials, session cookies and multi-factor codes in real time, enabling account takeover even when 2FA is enabled and exposing Google SSO-linked accounts. (cybernews.com, bitdefender.com)

Investigators have cataloged roughly a dozen malicious landing pages so far and warn that attackers aim to weaponize compromised advertiser accounts for malvertising, ad fraud, and distribution of infostealers or remote-access tools. (tech.yahoo.com, bitdefender.com)

Security advisories recommend moving high-value business profiles to phishing-resistant authentication methods, reviewing Business Center roles, and enabling platform account protections such as TikTok's recommended 2-step verification and role audits. (bitdefender.com, ads.tiktok.com)

Push Security notes the campaign mirrors a late-2025 playbook that targeted Google ad ecosystems, with the new cluster using a consistent welcome.careers* naming convention and Cloudflare hosting, signs that the threat actor is reusing and refining proven infrastructure. (pushsecurity.com, bitdefender.com)
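As an added example, not code from Push Security or any of the cited reports, the burst-registration pattern described above can be turned into a simple hunting check over new-domain records: group by registrar, find runs of creations inside a short window, and flag runs that also contain the welcome.careers* naming convention. The records below are constructed; the registrar name, the date and the nine-second spread come from the page, while the window and minimum-cluster thresholds are assumed defaults a defender would tune.

```python
import fnmatch
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample registration records (not real indicators). They mimic the
# shape the page describes: several domains created at one registrar within
# seconds of each other, most following a welcome.careers* naming convention.
SAMPLE_RECORDS = [
    {"domain": "welcome.careers-01.example", "registrar": "Nicenic International Group", "created": "2026-03-24T09:12:00Z"},
    {"domain": "welcome.careers-02.example", "registrar": "Nicenic International Group", "created": "2026-03-24T09:12:03Z"},
    {"domain": "welcome.careers-03.example", "registrar": "Nicenic International Group", "created": "2026-03-24T09:12:06Z"},
    {"domain": "business-center-signin.example", "registrar": "Nicenic International Group", "created": "2026-03-24T09:12:09Z"},
    {"domain": "unrelated-shop.example", "registrar": "Some Other Registrar", "created": "2026-03-24T09:12:04Z"},
    {"domain": "welcome.careers-99.example", "registrar": "Nicenic International Group", "created": "2026-03-24T15:40:00Z"},
]

def parse_created(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def burst_clusters(records, window_seconds=60, min_size=3):
    """Per registrar, a cluster is a run of creations each within window_seconds of
    the run's first member. Returns (registrar, [domains], span_seconds) for every
    run holding at least min_size domains."""
    by_registrar = defaultdict(list)
    for r in records:
        by_registrar[r["registrar"]].append((parse_created(r["created"]), r["domain"]))
    clusters = []
    for registrar, entries in by_registrar.items():
        entries.sort()
        current = []
        for created, domain in entries + [(None, None)]:  # sentinel flushes the last run
            if current and (created is None or (created - current[0][0]).total_seconds() > window_seconds):
                if len(current) >= min_size:
                    span = (current[-1][0] - current[0][0]).total_seconds()
                    clusters.append((registrar, [d for _, d in current], span))
                current = []
            if created is not None:
                current.append((created, domain))
    return clusters

def flag_campaign_like(records, pattern="welcome.careers*", **kwargs):
    """Keep burst clusters in which at least one domain matches the naming pattern
    (assumed threshold: one hit), and report how many members matched."""
    flagged = []
    for registrar, domains, span in burst_clusters(records, **kwargs):
        hits = [d for d in domains if fnmatch.fnmatchcase(d.lower(), pattern)]
        if hits:
            flagged.append({"registrar": registrar, "domains": domains, "span_seconds": span, "naming_hits": len(hits)})
    return flagged

if __name__ == "__main__":
    for c in flag_campaign_like(SAMPLE_RECORDS):
        print(f"{c['registrar']}: {len(c['domains'])} domains in {c['span_seconds']:.0f}s, {c['naming_hits']} match naming")
```

On the sample the check reports one cluster of four domains registered nine seconds apart, three of which match the naming convention; the lone domain created hours later and the other registrar's entry are not grouped.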