Researchers at Push Security have identified and blocked a novel campaign targeting TikTok for Business accounts—the very tools company marketing teams use to manage high-stakes ad campaigns.
This isn’t just a simple credential harvest; it is a multi-layered attack designed to bypass modern security defenses and seize control of corporate SSO platforms.
The attack begins with a malicious link, often delivered via dynamically generated emails. Victims are directed to one of two highly convincing page styles:
- TikTok for Business Clone: A page mimicking the “Become a Partner” interface.
- Google Careers Clone: An imitation “Schedule a Call” page designed to look like a legitimate recruitment or support interaction.
To keep automated security scanners out, the attackers gate these pages behind a Cloudflare Turnstile check. Once a visitor passes as human, they are asked to complete a basic information form before being served the final payload: a malicious login page.
The core of this threat is an Adversary-in-the-Middle (AITM) phishing kit. Unlike a traditional phishing page, these kits act as a reverse proxy sitting between the victim and the legitimate service: whatever the victim submits is relayed to the real site, and the kit captures not just the password but also the active session tokens the service issues on a successful login.
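The proxy position is what lets the kit capture a session regardless of any one-time code the victim types, because every secret the victim can enter is relayed. The defender-side check that this position cannot satisfy is an origin-bound credential: the browser records the origin of the page that requested the WebAuthn assertion inside the signed clientDataJSON, and the relying party rejects any origin other than its own. The following is an added illustration, not code from the Push Security report or the kit; it is a simplified model of the relying party's clientDataJSON checks in which a SHA-256 hash stands in for the authenticator signature, and `RP_ORIGIN` and `PROXY_ORIGIN` are constructed placeholders.

```python
"""Why an AITM reverse proxy can relay a password and one-time code but not an
origin-bound WebAuthn assertion. Added illustration, not code from the Push
Security report: a simplified model of the relying party's clientDataJSON checks
(type, challenge, origin) from the WebAuthn assertion verification procedure.
The SHA-256 of clientDataJSON stands in for the authenticator signature, which
real verification checks with the credential's public key. RP_ORIGIN and
PROXY_ORIGIN are constructed placeholders."""
import base64
import hashlib
import json
import secrets

RP_ORIGIN = "https://login.example"             # constructed: the legitimate service
PROXY_ORIGIN = "https://login-example.invalid"  # constructed: lookalike host the proxy kit serves


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_assert(page_origin: str, challenge_b64: str):
    """Victim's browser: records the origin of the page that called
    navigator.credentials.get() in clientDataJSON and hands its SHA-256 hash to
    the authenticator to sign. Page scripts cannot change that origin."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge_b64, "origin": page_origin}
    ).encode()
    signed_hash = hashlib.sha256(client_data).digest()  # stand-in for the signature
    return client_data, signed_hash


def rp_verify(client_data: bytes, signed_hash: bytes, expected_challenge: str,
              expected_origin: str = RP_ORIGIN):
    """Relying party: the signature must cover exactly the clientDataJSON bytes
    received, and that JSON must name the RP's own origin and the challenge it issued."""
    if hashlib.sha256(client_data).digest() != signed_hash:
        return False, "signature does not cover clientDataJSON"
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    return True, "ok"


def relayed_login(victim_origin: str, proxy_rewrites_origin: bool = False):
    """One login ceremony. The RP issues a challenge; the kit forwards it to the
    victim's browser, which signs with the origin it is actually on; the kit
    relays the result. With proxy_rewrites_origin the kit edits the origin field
    to the RP's own, which no longer matches the signed hash."""
    challenge = b64url(secrets.token_bytes(32))
    client_data, signed_hash = browser_assert(victim_origin, challenge)
    if proxy_rewrites_origin:
        cd = json.loads(client_data)
        cd["origin"] = RP_ORIGIN
        client_data = json.dumps(cd).encode()
    return rp_verify(client_data, signed_hash, challenge)


if __name__ == "__main__":
    print("user on real site:    ", relayed_login(RP_ORIGIN))
    print("user on proxy page:   ", relayed_login(PROXY_ORIGIN))
    print("proxy rewrites origin:", relayed_login(PROXY_ORIGIN, True))
```

The three calls at the bottom cover the cases that matter: a user on the real site is accepted, the same ceremony relayed from the proxy's host fails the origin check, and a kit that rewrites the origin field invalidates what the authenticator signed. A password or OTP relayed the same way carries no such binding, which is why the kit works against them.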
Interestingly, the attackers have modified the TikTok login page to prioritize a “Log in with Google” button.
“This means that anyone using Google to log in to their TikTok account will effectively have both accounts used to distribute ads compromised in one go, opening up the typical Google Ad Manager exploitation playbook,” the researcher explains.
While targeting TikTok for Business might seem unconventional compared to standard banking or IT phishing, the motive is clear. Verified business accounts are goldmines for attackers because they let them:
- Distribute Malicious Links: TikTok has historically been abused to spread infostealers such as Vidar and StealC via AI-generated “activation guide” videos.
- Run Crypto Scams: The platform is a frequent venue for deepfaked videos promoting fraudulent exchanges.
- Steal Data and Extort: Gaining SSO access lets attackers pivot into any other corporate app reachable with Google credentials.
Push Security identified a cluster of these domains—derivatives of welcome.careers*[.]com—all registered within a single 9-second window on March 24, 2026.
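A batch of lookalike domains registered seconds apart is a signal a threat-intel team can hunt for in a registration feed before any of the domains is used in a lure. The script below is an added defender-side example, not Push Security's tooling: it groups newly registered domains by a shared naming stem and cuts each group into runs whose first and last registration fall within a configurable window, defaulting to the 9 seconds reported for this cluster. The records are constructed, use the reserved `.example` TLD rather than the campaign's real domains, and the `stem` heuristic is an assumption about the naming pattern that should be tuned to what a given campaign actually uses.

```python
"""Flag domain registrations that share a naming stem and were created within a
few seconds of each other, the pattern Push Security reports for the campaign's
welcome.careers* domains (one 9-second window on March 24, 2026). Added
defender-side example, not the report's own tooling. The records below are
constructed; they use the reserved .example TLD and are not the real campaign
domains."""
from datetime import datetime, timedelta, timezone
import re

# Constructed sample feed: (domain, creation timestamp as a WHOIS/RDAP export might give it).
SAMPLE_RECORDS = [
    ("welcome.careers-a.example", "2026-03-24T14:02:11Z"),
    ("shop.unrelated.example",    "2026-03-24T14:02:16Z"),  # same minute, different stem
    ("welcome.careers-c.example", "2026-03-24T14:02:20Z"),
    ("welcome.careers-b.example", "2026-03-24T14:02:15Z"),
    ("welcome.careers-d.example", "2026-03-25T09:00:00Z"),  # same stem, a day later
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stem(domain: str) -> str:
    """Naming stem (heuristic, an assumption of this example): drop the TLD, then
    any trailing -suffix on the last remaining label, so welcome.careers-a.example
    and welcome.careers-b.example both map to welcome.careers."""
    labels = domain.lower().rstrip(".").split(".")
    base = ".".join(labels[:-1]) if len(labels) > 1 else labels[0]
    return re.sub(r"-[^.]*$", "", base)


def _describe(key, run):
    return {
        "stem": key,
        "span_seconds": int((run[-1][0] - run[0][0]).total_seconds()),
        "domains": [domain for _, domain in run],
    }


def burst_clusters(records, window=timedelta(seconds=9), min_size=2):
    """Group records by stem, sort each group by creation time, and cut it into
    runs whose first and last registration lie within `window`. Runs of at
    least `min_size` are returned with their span in seconds."""
    by_stem = {}
    for domain, ts in records:
        by_stem.setdefault(stem(domain), []).append((parse_ts(ts), domain))

    clusters = []
    for key, items in by_stem.items():
        items.sort()
        run = [items[0]]
        for ts, domain in items[1:]:
            if ts - run[0][0] <= window:
                run.append((ts, domain))
                continue
            if len(run) >= min_size:
                clusters.append(_describe(key, run))
            run = [(ts, domain)]
        if len(run) >= min_size:
            clusters.append(_describe(key, run))
    return clusters


if __name__ == "__main__":
    for c in burst_clusters(SAMPLE_RECORDS):
        print(f"{c['stem']}: {len(c['domains'])} domains in {c['span_seconds']}s -> {c['domains']}")
```

On the sample feed this yields one cluster of three `welcome.careers-*` domains spanning 9 seconds; the unrelated domain registered in the same minute and the same-stem domain registered a day later are both left out, which is the distinction that separates a coordinated batch from ordinary registration noise.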
“Ultimately, it’s easy to see how access to verified and trustworthy business accounts on TikTok could be abused in the wrong hands,” the report concludes. This campaign serves as a stark reminder that as business workflows migrate to social platforms, the phishing playbook follows close behind.