{"id":411,"date":"2026-03-27T13:15:53","date_gmt":"2026-03-27T13:15:53","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=411"},"modified":"2026-03-27T13:15:53","modified_gmt":"2026-03-27T13:15:53","slug":"aitm-phishing-targets-tiktok-business-accounts-using-cloudflare-turnstile-evasion","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=411","title":{"rendered":"AitM Phishing Targets TikTok Business Accounts Using Cloudflare Turnstile Evasion"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Mar 27, 2026<\/span><\/span><span class=\"p-tags\">Ransomware \/ Malware<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Threat actors are using adversary-in-the-middle (AitM) phishing pages to seize control of TikTok for Business accounts in a new campaign, according to a report from Push Security.<\/p>\n<p>Business accounts associated with social media platforms are a lucrative target, as they can be weaponized by bad actors for malvertising and distributing malware.<\/p>\n<p>\u00abTikTok has been historically abused to distribute malicious links and social engineering instructions,\u00bb Push Security <a href=\"https:\/\/pushsecurity.com\/blog\/tiktok-phishing\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abThis includes multiple infostealers like Vidar, StealC, and Aura Stealer delivered via ClickFix-style instructions with AI-generated videos posing as activation guides for Windows, Spotify, and CapCut.\u00bb<\/p>\n<p>The campaign begins by tricking victims into clicking on a malicious link that directs them to either a lookalike page impersonating TikTok for Business or a page designed to impersonate Google Careers, along with an option to schedule a call to discuss the opportunity.<\/p>\n<p>It&#8217;s worth noting that a prior iteration of this credential phishing campaign was <a href=\"https:\/\/sublime.security\/blog\/google-careers-impersonation-credential-phishing-scam-with-endless-variation\/\" rel=\"noopener\" target=\"_blank\">flagged<\/a> by Sublime Security in October 2025, with emails masquerading as outreach messages used as a social engineering tactic.<\/p>\n<p>Regardless of the type of page served, the end goal is the same: perform a Cloudflare Turnstile check to block bots and automated scanners from analyzing the contents of the page, and then serve a malicious AitM phishing login page designed to steal the victim&#8217;s credentials.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a 
href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj2y_7VDGoJkbMTXJPYUne7q0TPXAUPBRaahyphenhyphenp_SfI0lpfBNlAqBw3y4MlD77YlA3Gbzpue6y3z8fjoRJ0aoOsaC44oBpz6w4tMgVfmYXL4ZGyqjDe7kD0TVJEwCGW3MXY23R_L3zoLTMTTXbF323BLjp1UyjlKoNUvSrVyxVSZgdqoNkwZDwIHzR4FmQjk\/s1700-e365\/timeline.png\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj2y_7VDGoJkbMTXJPYUne7q0TPXAUPBRaahyphenhyphenp_SfI0lpfBNlAqBw3y4MlD77YlA3Gbzpue6y3z8fjoRJ0aoOsaC44oBpz6w4tMgVfmYXL4ZGyqjDe7kD0TVJEwCGW3MXY23R_L3zoLTMTTXbF323BLjp1UyjlKoNUvSrVyxVSZgdqoNkwZDwIHzR4FmQjk\/s1700-e365\/timeline.png\" alt=\"\" border=\"0\" data-original-height=\"954\" data-original-width=\"1802\"\/><\/a><\/div>\n<p>The phishing pages are hosted on the following domains:<\/p>\n<ul>\n<li>welcome.careerscrews[.]com<\/li>\n<li>welcome.careerstaffer[.]com<\/li>\n<li>welcome.careersworkflow[.]com<\/li>\n<li>welcome.careerstransform[.]com<\/li>\n<li>welcome.careersupskill[.]com<\/li>\n<li>welcome.careerssuccess[.]com<\/li>\n<li>welcome.careersstaffgrid[.]com<\/li>\n<li>welcome.careersprogress[.]com<\/li>\n<li>welcome.careersgrower[.]com<\/li>\n<li>welcome.careersengage[.]com<\/li>\n<\/ul>\n<p>The development comes as another phishing campaign has been observed using Scalable Vector Graphics (SVG) file attachments to deliver malware to targets located in Venezuela.<\/p>\n<p>According to a report published by WatchGuard, the messages carry SVG files with file names in Spanish, masquerading as invoices, receipts, or budgets.<\/p>\n<p>\u00abWhen these malicious SVGs are opened, they communicate with a URL that downloads the malicious artifact,\u00bb the company <a href=\"https:\/\/www.watchguard.com\/wgrd-security-hub\/secplicity-blog\/new-bianlian-ransomware-activity-detected-svg-phishing-campaign\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThis campaign uses ja.cat to shorten URLs from legitimate domains that have a vulnerability that allows redirects to any URL, so they point to the original domain where the malware is downloaded.\u00bb<\/p>\n<p>The downloaded artifact is malware written in Go that overlaps with a <a href=\"https:\/\/redacted.com\/blog\/bianlian-ransomware-gang-gives-it-a-go\/\" rel=\"noopener\" target=\"_blank\">BianLian<\/a> ransomware sample <a href=\"https:\/\/securityscorecard.com\/wp-content\/uploads\/2024\/01\/bianlian-ransomware-deep-dive.pdf\" rel=\"noopener\" target=\"_blank\">detailed by SecurityScorecard<\/a> in January 2024.<\/p>\n<p>\u00abThis campaign is a strong reminder that even seemingly harmless file types like SVGs can be used to deliver serious threats,\u00bb WatchGuard said. 
\u00abIn this case, malicious SVG attachments were used to initiate a phishing chain that led to malware delivery associated with <a href=\"https:\/\/unit42.paloaltonetworks.com\/bianlian-ransomware-group-threat-assessment\/\" rel=\"noopener\" target=\"_blank\">BianLian<\/a> activity.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Mar 27, 2026Ransomware \/ Malware Threat actors are using adversary-in-the-middle (AitM) phishing pages to seize control of TikTok for Business accounts in a new campaign, according to a report&hellip;<\/p>\n","protected":false},"author":1,"featured_media":412,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[592,392,30,927,929,390,78,926,928],"class_list":["post-411","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-accounts","tag-aitm","tag-business","tag-cloudflare","tag-evasion","tag-phishing","tag-targets","tag-tiktok","tag-turnstile"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/411","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=411"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/411\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/412"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2F
media&parent=411"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=411"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=411"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}