New Phishing Waves Exploit TikTok Business Accounts and SVG Files
In a landscape increasingly fraught with digital dangers, two distinct yet equally insidious phishing campaigns have emerged, underscoring the relentless innovation of threat actors. One campaign leverages advanced adversary-in-the-middle (AitM) tactics to compromise TikTok for Business accounts, while another deploys malicious Scalable Vector Graphics (SVG) files to deliver potent malware, including variants linked to BianLian ransomware.
TikTok Business Accounts Under Siege: The AitM Phishing Threat
A recent report from Push Security has shed light on a sophisticated AitM phishing operation specifically designed to seize control of TikTok for Business accounts. These accounts are prime targets for cybercriminals, offering a direct conduit for malvertising, scam promotion, and the distribution of malware to a vast audience. Push Security notes that TikTok has a history of being exploited for malicious links and social engineering, with previous incidents involving infostealers like Vidar, StealC, and Aura Stealer, often disguised as AI-generated activation guides for popular software like Windows or Spotify.
The current campaign initiates with victims being lured by malicious links. These links redirect users to meticulously crafted lookalike pages, either impersonating TikTok for Business directly or masquerading as Google Careers, complete with an enticing option to schedule a call about a job opportunity. This credential phishing tactic isn’t entirely new; Sublime Security previously flagged a similar iteration in October 2025, which utilized fake outreach emails.
Cloudflare Turnstile Evasion: A New Layer of Deception
What makes this campaign particularly advanced is its use of Cloudflare Turnstile. Regardless of the initial deceptive page, victims are subjected to a Turnstile check. This isn’t for their protection, however. Instead, it’s a clever maneuver by the attackers to block automated scanners and bots, ensuring that only human targets proceed to the actual malicious AitM phishing login page. This page, designed to mirror legitimate login portals, then harvests the victims’ credentials. The phishing infrastructure is hosted across a network of domains, including: welcome.careerscrews[.]com, welcome.careerstaffer[.]com, welcome.careersworkflow[.]com, welcome.careerstransform[.]com, welcome.careersupskill[.]com, welcome.careerssuccess[.]com, welcome.careersstaffgrid[.]com, welcome.careersprogress[.]com, welcome.careersgrower[.]com, and welcome.careersengage[.]com.
SVG Files: A Stealthy Vector for BianLian Ransomware
Concurrently, WatchGuard has uncovered another alarming phishing campaign, this one targeting users in Venezuela through seemingly innocuous Scalable Vector Graphics (SVG) file attachments. These malicious SVG files are cleverly named in Spanish, posing as legitimate invoices, receipts, or budgets.
When opened, these deceptive SVG files initiate communication with a remote URL, triggering the download of a malicious artifact. The attackers further obscure their tracks by using the ‘ja.cat’ URL shortening service, redirecting from legitimate but vulnerable domains to the ultimate malware download source. The downloaded payload is malware written in Go that exhibits significant overlaps with a BianLian ransomware sample previously detailed by SecurityScorecard in January 2024.
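A defender-side illustration of the SVG behaviour described above: an added example (not from the original article or from WatchGuard) that parses an SVG attachment and flags the features that let an image file reach out to a remote URL, such as script blocks, event-handler attributes, external references, and embedded links to the ja.cat shortener named in the report. The sample SVGs and the shortener list are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a real campaign artifact): an SVG whose script redirects to a shortener.
SUSPICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <rect width="10" height="10" fill="white"/>
  <script type="text/javascript">window.location="https://ja.cat/EXAMPLE";</script>
</svg>
"""
# Constructed benign sample: plain vector shapes only.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'

ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed"}       # elements that execute or embed content
REMOTE_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href", "src"}  # attributes that can point off-host
SHORTENER_HOSTS = {"ja.cat"}  # shortener named in the report; extend with your own list (assumption)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    try:
        root = ET.fromstring(data)  # stdlib parser does not resolve external entities
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]
    for el in root.iter():
        name = local(el.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"active element <{name}>")
        for attr, val in el.attrib.items():
            if attr.startswith("on"):
                findings.append(f"event handler {attr} on <{name}>")
            if attr in REMOTE_ATTRS and re.match(r"^\s*(https?:|//)", val):
                findings.append(f"remote reference {attr}={val!r}")
        # URLs inside script or text nodes are the fetch targets worth surfacing
        for url in URL_RE.findall(el.text or ""):
            host = re.sub(r"^https?://", "", url).split("/")[0].lower()
            tag = " (known shortener)" if host in SHORTENER_HOSTS else ""
            findings.append(f"embedded URL {url}{tag}")
    return findings


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, scan_svg(blob))
```

Run it over mail-gateway attachments to quarantine SVGs with any finding rather than trusting the image extension.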
WatchGuard emphasizes the critical takeaway: “This campaign is a strong reminder that even seemingly harmless file types like SVGs can be used to deliver serious threats.” The incident serves as a stark warning that vigilance is paramount, even with file types not traditionally associated with malware.
Protecting Your Digital Assets
These dual campaigns highlight the evolving sophistication of cyber threats. Users and businesses alike must exercise extreme caution when encountering unsolicited links or attachments, regardless of their apparent legitimacy. Robust multi-factor authentication, continuous employee training on phishing awareness, and advanced endpoint protection are more crucial than ever in safeguarding against such pervasive and damaging attacks.