AitM Phishing Campaign Targets TikTok Business via Turnstile Evasion
- [01] Threat actors hijack TikTok for Business accounts to conduct malvertising and distribute malware to unsuspecting users.
- [02] All TikTok Business accounts are targeted, particularly those lacking hardware-based multi-factor authentication.
- [03] Implement FIDO2 security keys to prevent session cookie theft through adversary-in-the-middle phishing attacks.
A new sophisticated campaign utilizing adversary-in-the-middle (AitM) techniques is currently targeting TikTok for Business accounts. According to The Hacker News, researchers at Push Security identified the operation, which leverages deceptive landing pages designed to bypass security controls and hijack active sessions. This campaign is particularly dangerous due to the potential for malvertising and the distribution of malicious payloads through trusted, verified business accounts.
Technical Analysis of the AitM Phishing Workflow
The phishing infrastructure operates by placing a proxy server between the victim and the legitimate TikTok login portal, which allows the attacker to intercept communications in real time. Unlike traditional credential harvesting, where attackers capture only usernames and passwords, this TTP enables the theft of session cookies. Because the session has already been authenticated, these cookies let attackers bypass standard multi-factor authentication (MFA) methods such as SMS codes or TOTP (Time-based One-Time Password).
Once the victim enters their credentials, the AitM server relays them to the actual TikTok service. When the service issues a session token, the attacker captures it before passing it back to the user's browser. This session hijacking gives the attacker full control over the account without needing to re-authenticate and, in many cases, without triggering suspicious login alerts. The stolen information is typically transmitted to an attacker-controlled C2 server for immediate exploitation.
Evasion via Cloudflare Turnstile
A notable component of this campaign is the use of Cloudflare Turnstile to protect the phishing landing pages. By integrating this tool, attackers ensure that automated security scanners and bots—which might otherwise flag the IoC or the malicious URL—are blocked. The Turnstile challenge serves as a filter, ensuring only human victims interact with the phishing site, thereby extending the lifespan of the malicious infrastructure. This evasion technique complicates the process of detecting AitM phishing on social media platforms because the initial interaction appears to come from a legitimate, protected domain.
TikTok Business Account Hijacking Mitigation and Detection
The primary goal of these attacks is the weaponization of business accounts. Once an account is compromised, attackers can use the associated advertising credits and the account’s reputation to launch malvertising campaigns. These campaigns often lead to the distribution of infostealers or other malware, leveraging the reach of the TikTok platform to find new victims. Because these ads come from legitimate business accounts, they are less likely to be blocked by standard security filters initially.
To effectively combat this threat, organizations should focus on the following strategies:
- Hardware-Based MFA: Traditional MFA is vulnerable to AitM. Organizations should transition to FIDO2-compliant security keys, which are resistant to session interception because the key's signed response is cryptographically bound to the legitimate domain (origin), so a proxy serving the login page from a look-alike domain cannot obtain a valid assertion.
- Session Management: Security teams should implement policies that shorten session lifetimes and require re-authentication for sensitive actions within the TikTok for Business dashboard.
- Continuous Monitoring: Use a SIEM or specialized monitoring tools to identify anomalous login patterns, such as sessions originating from unusual geographic locations or IP addresses associated with known proxy services.
- Security Awareness: Conduct targeted training focusing on the visual cues of AitM attacks, such as domain name discrepancies (e.g., using look-alike characters or subdomains).
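As an added illustration of the monitoring point above (example code written for this edit, not from Push Security or the original article), the following Python flags a session cookie that is reused from a different country shortly after it was issued, the pattern an AitM relay produces, and any request arriving from an assumed proxy range. The log format, field names, IP ranges and events are all constructed for the example.

```python
import json
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events (not real TikTok logs): a login issues a session id,
# later requests reuse it. Field names are assumptions for illustration.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:00Z", "event": "login",   "user": "ads-admin", "session": "s1", "ip": "203.0.113.10",  "country": "DE"}
{"ts": "2024-05-01T09:01:30Z", "event": "request", "user": "ads-admin", "session": "s1", "ip": "203.0.113.10",  "country": "DE"}
{"ts": "2024-05-01T09:03:00Z", "event": "request", "user": "ads-admin", "session": "s1", "ip": "198.51.100.77", "country": "NL"}
{"ts": "2024-05-01T10:00:00Z", "event": "login",   "user": "ads-admin", "session": "s2", "ip": "203.0.113.10",  "country": "DE"}
{"ts": "2024-05-01T11:00:00Z", "event": "request", "user": "ads-admin", "session": "s2", "ip": "203.0.113.10",  "country": "DE"}
"""

# Assumed proxy/hosting ranges (constructed; in practice fed from threat intel).
KNOWN_PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def parse_events(text):
    """Parse one JSON event per line and return them ordered by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_session_anomalies(events, max_window=timedelta(hours=1)):
    """Return (session, reason, ip) tuples for suspicious session activity.

    Two signals: a session reused from a new country soon after it was issued
    (the token was relayed elsewhere), and traffic from a known proxy range.
    """
    issued = {}  # session id -> login event that created the session
    alerts = []
    for event in events:
        ip = ipaddress.ip_address(event["ip"])
        if event["event"] == "login":
            issued[event["session"]] = event
        origin = issued.get(event["session"])
        if origin and event["event"] == "request" and event["ip"] != origin["ip"]:
            if event["country"] != origin["country"] and event["ts"] - origin["ts"] <= max_window:
                alerts.append((event["session"], "session reused from new country", event["ip"]))
        if any(ip in net for net in KNOWN_PROXY_RANGES):
            alerts.append((event["session"], "request from known proxy range", event["ip"]))
    return alerts
```

On the sample above only session s1 is flagged, twice: once for the country change three minutes after issuance and once because the reusing IP sits in the assumed proxy range.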
Adopting a Zero Trust architecture can further limit the impact of such compromises by ensuring that every access request is continuously verified, regardless of the initial authentication success. Defending against TikTok Business account hijacking requires a shift away from legacy authentication toward phishing-resistant standards. Security professionals should map these threats against the MITRE ATT&CK framework to better understand the progression from initial access to objective execution.