Overview
- Push Security reported a live campaign, linked to a 2025 operation, that impersonates TikTok for Business and Google Careers to hijack business accounts.
- The lure link routes through a Google Storage URL and runs a Cloudflare Turnstile check to block scanners before showing the fake site.
- A reverse-proxy login page then captures passwords and session cookies, which lets attackers take over accounts even with two-factor protection enabled.
- The phishing sites use similarly named domains registered via NiceNIC and are served from the same Google-hosted bucket behind Cloudflare.
- Many teams sign in to TikTok with Google SSO, so one compromise can expose both platforms for malvertising, ad fraud, or malware delivery.
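
The delivery chain described above (Google Storage link, then a Turnstile check, then a credential submission to a lookalike domain) can be hunted for in web proxy logs. The following is an added example, not code from Push Security or from the original page; the log format, the hostnames used for Google Storage and Turnstile, the allowlist, the time window and every sample domain are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

GCS_HOST = "storage.googleapis.com"           # assumed host for the "Google Storage URL"
TURNSTILE_HOST = "challenges.cloudflare.com"  # host that serves the Turnstile widget
BRANDS = ("tiktok", "google")                 # brand keywords impersonated in the report
OFFICIAL = ("tiktok.com", "google.com", "googleapis.com")  # assumed allowlist
WINDOW = 120  # seconds allowed between the bucket hit and the login POST (assumption)

# Constructed proxy log rows: (user, epoch seconds, method, url). Not real indicators.
SAMPLE_LOG = [
    ("alice", 1000, "GET", "https://storage.googleapis.com/example-bucket/index.html"),
    ("alice", 1003, "GET", "https://challenges.cloudflare.com/turnstile/v0/api.js"),
    ("alice", 1010, "POST", "https://tiktok-business.example/login"),
    ("bob", 2000, "GET", "https://storage.googleapis.com/example-bucket/report.pdf"),
    ("bob", 2050, "POST", "https://accounts.google.com/signin"),
    ("carol", 3000, "GET", "https://challenges.cloudflare.com/turnstile/v0/api.js"),
    ("carol", 3005, "POST", "https://careers-google.example/apply"),
]

def is_official(host):
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def is_lookalike(host):
    # Brand keyword in the hostname, but not a domain the brand actually owns.
    return any(b in host for b in BRANDS) and not is_official(host)

def find_chains(log):
    """Return (user, host) pairs where one user went from a storage bucket to a
    Turnstile check to a POST on a brand-lookalike host, all within WINDOW."""
    hits, state = [], {}
    for user, ts, method, url in sorted(log, key=lambda r: r[1]):
        host = (urlparse(url).hostname or "").lower()
        s = state.setdefault(user, {})
        if host == GCS_HOST:
            s.clear()
            s["bucket"] = ts                  # step 1: lure link through the bucket
        elif host == TURNSTILE_HOST and "bucket" in s and ts - s["bucket"] <= WINDOW:
            s["turnstile"] = ts               # step 2: anti-scanner challenge
        elif method == "POST" and is_lookalike(host):
            if "turnstile" in s and ts - s["bucket"] <= WINDOW:
                hits.append((user, host))     # step 3: credentials sent to the proxy
            s.clear()
    return hits

if __name__ == "__main__":
    print(find_chains(SAMPLE_LOG))
```

Turnstile is used by many legitimate sites, so a hit is a lead for triage rather than a verdict; session-cookie theft itself is not visible in these logs and has to be checked from the identity provider's sign-in records.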