Mar 29, 2026 · 5 min read
This Phishing Attack Hijacks TikTok and Google Accounts in One Shot
Security researchers discovered a phishing campaign that targets TikTok Business accounts through fake job offers. The attack uses a reverse proxy to intercept login credentials and session cookies in real time, bypassing two-factor authentication and compromising Google accounts used for single sign-on.
What Push Security Found
On March 26, 2026, security firm Push Security published its analysis of a phishing campaign specifically targeting TikTok for Business accounts. The researchers identified 11 phishing domains registered on March 24 through the registrar NiceNIC, all set up within a nine-second window, a sign of automated infrastructure deployment.
Every domain uses a "careers" theme: careerscrews.com, careerstaffer.com, careersworkflow.com, and similar variations. The campaign lures victims with fake job offers and hiring invitations, a social engineering angle designed to appeal to business account holders who manage advertising budgets and brand content.
How the Reverse Proxy Attack Works
This is not a traditional phishing page that shows a fake login form. The attack uses an Adversary-in-the-Middle (AiTM) technique in which the phishing server acts as a reverse proxy between the victim and the real TikTok login page. The victim sees the genuine TikTok interface, enters their real credentials, and completes their real two-factor authentication prompt. Everything looks and feels legitimate.
The difference is that the attacker's server sits between the two, capturing every credential and session cookie in transit. Once the victim completes authentication, the attacker holds a fully authenticated session that they can use immediately. Two-factor authentication provides no protection because the attacker captures the session after MFA has already been completed.
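The session-replay pattern described above has a detection counterpart. As an added example (not code from Push Security or the article), the detector below runs over a few constructed auth-service log lines and flags any session whose cookie is presented from a different client (IP and User-Agent) shortly after the MFA step completed; the log format, field names and event names are assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth-service log lines for this example (not real TikTok or Push data).
# Fields: timestamp, user, session id, client IP, user agent (no spaces), event.
LOG_LINES = """\
2026-03-26T09:00:01Z alice sess-7f3a 203.0.113.10 Mozilla/5.0(Windows;Chrome/123) login_password_ok
2026-03-26T09:00:09Z alice sess-7f3a 203.0.113.10 Mozilla/5.0(Windows;Chrome/123) mfa_ok
2026-03-26T09:03:40Z alice sess-7f3a 198.51.100.77 python-requests/2.31 ads_manager_view
2026-03-26T09:04:02Z alice sess-7f3a 198.51.100.77 python-requests/2.31 campaign_create
2026-03-26T09:10:00Z bob sess-19c2 192.0.2.5 Mozilla/5.0(Macintosh;Safari/17) login_password_ok
2026-03-26T09:10:06Z bob sess-19c2 192.0.2.5 Mozilla/5.0(Macintosh;Safari/17) mfa_ok
2026-03-26T09:15:00Z bob sess-19c2 192.0.2.5 Mozilla/5.0(Macintosh;Safari/17) ads_manager_view
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse(line: str) -> dict:
    ts, user, sid, ip, ua, event = LINE_RE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "user": user,
            "sid": sid, "ip": ip, "ua": ua, "event": event}

def find_hijacked_sessions(lines, max_minutes: int = 60) -> list:
    # Flag a session whose cookie is presented from a client (IP + User-Agent)
    # different from the one that completed MFA, within max_minutes of the mfa_ok
    # event. With a reverse proxy the mfa_ok itself comes from the proxy's address,
    # so mfa_ip should also be compared against the user's usual locations.
    by_session = defaultdict(list)
    for rec in map(parse, lines):
        by_session[rec["sid"]].append(rec)
    findings = []
    for sid, recs in by_session.items():
        mfa = next((r for r in recs if r["event"] == "mfa_ok"), None)
        if mfa is None:
            continue
        auth_client = (mfa["ip"], mfa["ua"])
        for r in recs:
            age = (r["ts"] - mfa["ts"]).total_seconds() / 60
            if 0 < age <= max_minutes and (r["ip"], r["ua"]) != auth_client:
                findings.append({"user": r["user"], "sid": sid, "mfa_ip": mfa["ip"],
                                 "replay_ip": r["ip"], "replay_ua": r["ua"],
                                 "first_event": r["event"], "minutes_after_mfa": round(age, 1)})
                break  # one finding per session
    return findings
```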
Push Security linked this campaign to a previous operation from 2025 that used the same technique against Google Ad Manager accounts, suggesting an organized group systematically targeting high-value advertising accounts across platforms.
The Google SSO Problem
The most dangerous aspect of this campaign is the Google single sign-on risk. Many TikTok Business account holders log in through Google SSO rather than a separate TikTok password. When these users enter their Google credentials on the phishing page, the attacker captures not just TikTok access but the Google account itself.
As Push Security noted: "Anyone using Google to login to their TikTok account will effectively have both accounts used to distribute ads compromised in one go." This gives the attacker control over the victim's Google Ads, Gmail, Google Drive, and every other service connected to that Google account.
For organizations that use Google Workspace, a single employee falling for this phishing lure could expose the entire company's email, documents, and advertising accounts.
Evading Security Scanners
The campaign uses multiple layers to avoid detection. The initial link redirects through a legitimate Google Storage URL, which most security filters trust by default. Before reaching the phishing page, visitors must pass a Cloudflare Turnstile CAPTCHA check that blocks automated security scanners from analyzing the malicious content.
This means that when a security team receives a report about a suspicious URL and feeds it into their analysis tools, the tools see the Cloudflare challenge page and never reach the actual phishing infrastructure. Only human visitors who complete the CAPTCHA see the attack page, making automated detection nearly impossible.
Why Business Accounts Are Valuable Targets
Compromised business accounts on advertising platforms are extremely valuable. Attackers use them to run malicious advertisements that distribute malware, redirect advertising budgets to their own campaigns, or promote scam products using the credibility of a legitimate brand's verified account.
A compromised TikTok Business account with an active advertising budget gives an attacker a ready-made, pre-funded channel to reach millions of users. Because the ads come from a verified business account, they bypass many of the automated checks that platforms use to filter out fraudulent advertising.
How to Protect Your Accounts
Traditional two-factor authentication does not stop AiTM attacks because the attacker captures the authenticated session, not just the password. The most effective defenses are hardware security keys and passkeys, which are bound to the legitimate domain and refuse to authenticate on phishing sites regardless of how convincing they look.
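Why the domain binding holds up against a reverse proxy is worth seeing in code. The following is an added, simplified model (not code from Push Security, TikTok or the article) of the two WebAuthn checks involved: the browser only offers a passkey whose relying-party ID matches the page host, and the server rejects any assertion whose origin, challenge or rpIdHash does not match its own; RP_ID, RP_ORIGIN and the phishing hostname are assumed example values, and signature verification is left out.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit

# Constructed relying-party settings for this example, not TikTok's real configuration.
RP_ID = "tiktok.com"
RP_ORIGIN = "https://www.tiktok.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_allows_rp_id(page_origin: str, rp_id: str) -> bool:
    # Client-side scoping: a passkey for rp_id is only usable when the page host is
    # rp_id or a subdomain of it, so a proxy on careerscrews.com never gets one.
    host = urlsplit(page_origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)

def make_assertion(page_origin: str, challenge: bytes):
    # What the browser returns from a passkey ceremony on page_origin; the browser,
    # not the page, writes the origin into clientDataJSON.
    if not browser_allows_rp_id(page_origin, RP_ID):
        return None
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    # authenticatorData = sha256(rpId) | flags (UP set) | 32-bit signature counter
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    return {"clientDataJSON": json.dumps(client_data).encode(), "authenticatorData": auth_data}

def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    # Relying-party checks from the WebAuthn verification procedure; the signature
    # over authenticatorData || sha256(clientDataJSON) is omitted for brevity.
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch: stale or replayed assertion"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"

def login_attempt(page_origin: str, challenge: bytes) -> tuple:
    # End-to-end outcome for a user whose browser is on page_origin.
    assertion = make_assertion(page_origin, challenge)
    if assertion is None:
        return False, "browser refused: no passkey scoped to " + page_origin
    return verify_assertion(assertion, challenge)
```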
Beyond technical controls, the social engineering angle matters. The campaign uses fake job offers because they appeal to vanity and professional ambition. If you manage a business account on any advertising platform, treat unsolicited career opportunities and partnership invitations with extreme skepticism, especially if they ask you to log in through an unfamiliar link. Always navigate directly to the platform rather than clicking through from an email or message.