Threat actors are targeting TikTok for Business accounts in a phishing campaign that prevents security bots from analyzing malicious pages.
In a report, Push Security says it links the campaign to an operation documented last year that targeted Google Ad Manager accounts.
Victims are lured to Cloudflare-hosted phishing pages registered on March 24 via NiceNIC, the company says, with initial links redirecting through a legitimate Google Storage URL, blocking bots with a Cloudflare Turnstile check, and then redirecting users to the malicious pages.
The malicious domains feature similar names and are hosted on the same Google Storage bucket, including welcome.careerscrews[.]com, welcome.careerstaffer[.]com, welcome.careersworkflow[.]com, welcome.careerstransform[.]com, welcome.careersupskill[.]com, welcome.careerssuccess[.]com, welcome.careersstaffgrid[.]com, welcome.careersprogress[.]com, welcome.careersgrower[.]com and welcome.careersengage[.]com.
The pages impersonate TikTok for Business and Google Careers “Schedule a Call” pages, first asking for basic information to validate a business email and then presenting a fake login that acts as a reverse proxy to capture credentials and session cookies, allowing account takeover even when two-factor authentication is enabled.
Push Security said it could not determine the initial delivery mechanism but believes the attacker used a method similar to activity reported by Sublime Security, and warned that many business accounts use Google single sign-on, which can expose both Google and TikTok accounts if captured.
Users should treat unsolicited invites and job offers with caution, verify domains before entering credentials, and consider stronger protections such as passkeys; the article also linked a related analysis, Red Report 2026: Why Ransomware Encryption Dropped 38%, on evolving malware techniques.