TikTok for Business credential harvesting via Cloudflare-hosted phishing reverse proxy
Summary
Threat actors are conducting a phishing campaign targeting TikTok for Business accounts, using Cloudflare-hosted reverse proxy pages to harvest credentials and session cookies, bypassing two-factor authentication. The campaign uses domains registered on March 24 via NiceNIC and hosted on a Google Storage bucket, impersonating TikTok for Business and Google Careers pages. Victims are lured via a Google Storage redirect with Cloudflare Turnstile bot protection to malicious pages that request email validation before presenting a fake login interface. Impact includes potential account takeover, ad fraud, malware distribution, and cryptocurrency scams leveraging compromised business accounts.
Timeline
- 26.03.2026 16:09
Reverse proxy phishing campaign targets TikTok for Business accounts with 2FA bypass
Threat actors launched a phishing campaign using Cloudflare-hosted reverse proxy pages to harvest credentials and session cookies from TikTok for Business accounts. Victims are redirected through a Google Storage URL with Cloudflare Turnstile bot protection to malicious domains registered on March 24, 2026. The attack impersonates TikTok for Business and Google Careers pages, collects business email validation, then presents a fake login page capable of bypassing 2FA protections. The use of Google SSO for TikTok logins increases the risk of dual account compromise.
- TikTok for Business accounts targeted in new phishing campaign — www.bleepingcomputer.com — 26.03.2026 16:09
Information Snippets
- Threat actors target TikTok for Business accounts due to their potential for malvertising, ad fraud, and malicious content distribution.
  First reported: 26.03.2026 16:09 (1 source, 1 article)
- Campaign domains were registered on March 24, 2026, via NiceNIC and hosted on a Google Storage bucket.
  First reported: 26.03.2026 16:09 (1 source, 1 article)
- The initial link redirects via a legitimate Google Storage URL, enforces Cloudflare Turnstile to block bots, and then redirects to malicious pages.
  First reported: 26.03.2026 16:09 (1 source, 1 article)
- Malicious pages include: welcome.careerscrews[.]com, welcome.careerstaffer[.]com, welcome.careersworkflow[.]com, welcome.careerstransform[.]com, welcome.careersupskill[.]com, welcome.careerssuccess[.]com, welcome.careersstaffgrid[.]com, welcome.careersprogress[.]com, welcome.careersgrower[.]com, welcome.careersengage[.]com.
  First reported: 26.03.2026 16:09 (1 source, 1 article)
- Phishing pages impersonate TikTok for Business and Google Careers "Schedule a Call" pages, requesting business email validation before serving a fake login page.
  First reported: 26.03.2026 16:09 (1 source, 1 article)
- The fake login page is a reverse proxy that captures credentials and session cookies and exfiltrates them to the attacker, enabling account takeover even with 2FA enabled.
  First reported: 26.03.2026 16:09 (1 source, 1 article)
- TikTok accounts using Google SSO for login risk simultaneous compromise of both accounts, enabling broader abuse for ad distribution and scams.
  First reported: 26.03.2026 16:09 (1 source, 1 article)
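
A proxy-log hunt for the hostnames listed under "Malicious pages" above, as an added example that is not part of the original report. The log layout, the lower-confidence `welcome.career<word>.com` lookalike pattern and every sample line are assumptions constructed for illustration.

```python
import re

# Defanged indicators copied from the "Malicious pages" snippet above.
DEFANGED = """
welcome.careerscrews[.]com welcome.careerstaffer[.]com
welcome.careersworkflow[.]com welcome.careerstransform[.]com
welcome.careersupskill[.]com welcome.careerssuccess[.]com
welcome.careersstaffgrid[.]com welcome.careersprogress[.]com
welcome.careersgrower[.]com welcome.careersengage[.]com
""".split()

def refang(indicator):
    """Undo '[.]' defanging and normalise case / trailing dot for comparison."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

IOCS = {refang(d) for d in DEFANGED}

# Assumption: unlisted sibling domains keep the welcome.career<word>.com naming.
LOOKALIKE = re.compile(r"^welcome\.career[a-z]{4,}\.com$")

# Assumed log layout: "<timestamp> <client> <method> <url or host:port>"
LINE = re.compile(r"^(\S+) (\S+) (?:GET|POST|CONNECT) (?:https?://)?([^/:\s]+)")

def classify(host):
    """Return 'ioc' for a listed host, 'lookalike' for the pattern, else None."""
    host = refang(host)
    if host in IOCS:
        return "ioc"
    return "lookalike" if LOOKALIKE.match(host) else None

def hunt(lines):
    """Return (timestamp, client, host, verdict) for every flagged log line."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if m and (verdict := classify(m.group(3))):
            hits.append((m.group(1), m.group(2), m.group(3).lower(), verdict))
    return hits

# Constructed sample log: clients, paths and the "placeholder" host are invented.
SAMPLE_LOG = [
    "2026-03-26T09:14:02Z 10.0.0.21 GET https://storage.googleapis.com/example-bucket/index.html",
    "2026-03-26T09:14:09Z 10.0.0.21 CONNECT welcome.careerscrews.com:443",
    "2026-03-26T09:15:40Z 10.0.0.34 GET https://WELCOME.CareersUpskill.com/login",
    "2026-03-26T09:17:11Z 10.0.0.52 CONNECT welcome.careersplaceholder.com:443",
    "2026-03-26T09:18:30Z 10.0.0.52 GET https://careers.google.com/jobs",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

The first hop sits on a legitimate Google Storage host, so hostname matching only fires on the second hop. Treat `lookalike` hits as leads to triage rather than confirmed indicators.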