A new phishing campaign has been discovered that primarily targets high-profile TikTok accounts belonging to influencers, production companies, brand consultants, and managers of influencers. Researchers from Abnormal Security first observed the attacks. While tracking the distribution of emails in this campaign, they noticed two activity peaks, on October 2, 2021, and November 1, 2021, indicating that a new round will most likely begin in a few weeks.
In some instances seen by Abnormal Security, the actors impersonate TikTok employees and threaten the recipient with account cancellation over an alleged breach of the platform’s policies. The other lure is an offer of a ‘Verified’ badge, which confers legitimacy and authenticity on the account.
TikTok’s ‘Verified’ badges give verified users’ content more weight and signal the platform’s algorithms to increase the exposure rates of their postings. This lure is particularly successful for phishing since many individuals would be delighted to receive an email giving them the chance to acquire a verification badge.
In both cases, the emails offer the recipient an embedded link to supposedly verify their credentials. Instead, the link leads to a WhatsApp chat, where they are greeted by a fraudster posing as a TikTok employee. The fraudster asks for their email address, phone number, and a one-time code, which is exactly what the attacker needs to bypass multi-factor authentication and change the account password.
It is unknown what the phishing actors want to achieve with this campaign, but it might be either a takeover of the targets’ accounts or an attempt to coerce the account owners into paying a ransom to regain access.
If an account, particularly one with many followers, breaches TikTok’s terms of service, it will be permanently suspended or canceled. This means that, once in control, the actors could simply threaten to post offensive content, resulting in the deletion of a profile whose owner may have invested a lot of time and money to get it to its current state.
If you own or administer valuable social media accounts, back up all your data and content. Also, use two-factor authentication (2FA), or 2-step verification as TikTok calls it, to protect your account, preferably with a physical security key. If you can only use SMS-based 2FA, use a phone number that you have not shared with anybody and reserve it for this purpose alone.