A new phishing scam aimed at hijacking at least 125 TikTok ‘Influencer’ accounts was uncovered by researchers from Abnormal Security.
The original phishing email used a TikTok copyright violation notice as a lure; the messages instructed recipients to respond within 48 hours to avoid having their accounts deleted.
According to a report by the security firm, the email campaign was sent in two rounds, on October 2, 2021, and November 1, 2021, to more than 125 individuals and businesses, targeting large-volume TikTok accounts of all kinds and across disparate locales. Beyond the typical talent agencies and brand-consultant firms, the threat actor sent messages to social media production studios, influencer management firms, and content producers of all types.
Once the victim replied to the phishing message, the attacker, impersonating “TikTok officials,” responded via email with a link titled “Confirm My Account.” Clicking the link directed the recipient to a WhatsApp chat conversation, where the victim was asked to verify the phone number and email address linked to the targeted TikTok account.
The victim was then asked to confirm ownership of the account by providing the six-digit code they had just received. Since that code is the one-time verification code TikTok sends to the account holder, tricking the victim into relaying it allowed the threat actors to bypass multi-factor authentication.
Another campaign targeting TikTok influencers used an email claiming to be sent by “TikTok officials” that informed account holders that the account was eligible for a “verified badge” and asked them to reply to the email to verify the account.
The researchers concluded that they were not able to identify the end goal of the campaign, but past targeting of social media accounts on other platforms suggests several possibilities. Social media accounts with large followings are increasingly valuable, which creates an incentive to hold them for ransom and extort the original owners for a hefty fee.