Phishing campaign targets TikTok users following popular accounts

A recent phishing campaign targeted 125 users following famous accounts on TikTok, researchers have found. 

The targeted accounts were warned they were either in danger of being banned for copyright violations or were eligible to acquire a verified badge on their profile. The account holders were directed to a WhatsApp chat, where a TikTok employee would supposedly confirm their accounts. 

According to email security company Abnormal Security, the targeted accounts in the scam included agencies as well as individual users. These included influencer management firms, talent agencies, social media production studios and brand-consultant firms. One would assume agencies were targeted because they could potentially hold greater value to scammers than individual users.

Crane Hassold, director of threat intelligence at Abnormal Security, did not share the specific names of the popular accounts targeted, but said they had “millions to tens of millions of followers.” 

The phishing messages 

Emails to the 125 victims were sent in two batches, the first on October 2 and the second on November 1. The threat actors behind the messages used two ploys to try to bait the victims into falling for the attack: either the material on their account was in breach of copyright and their account was at risk of being deleted, or instead the account qualified to receive a verification badge, a highly sought-after accolade that confers legitimacy and status to accounts which possess it. 

Were a victim to fall for the attempt, they would then be sent a ‘Confirm My Account’ link, directing them to a WhatsApp chat. Here, they would be asked to ‘verify’ the email address and phone number on the account. A spoofed one-time passcode (OTP) is sent to the phone number to make it seem legitimate. 

There were some giveaways, however, that this was a scam. Firstly, the messages sent were poorly worded and not at the level to be expected of a billion-pound company such as TikTok.  

Secondly, the emails were sent from Gmail accounts. Communications sent from professional companies almost always utilise their own domains (e.g. [email protected]). As well as this, Gmail accounts have been found to be very common in phishing attacks, with 91 percent of bait attacks utilising the Google service. 

Another major red flag was the grouping of the victim addresses in the ‘To’ field, making visible all the accounts the email was sent to. 
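The three red flags described above (a brand name paired with a freemail sender domain, many recipients exposed in the To header, and copyright or verification lures) can be turned into a simple triage check. This is an added example, not code from the article or from Abnormal Security; the thresholds, phrase list and sample message are constructed assumptions.

```python
import email
from email.utils import getaddresses, parseaddr

# Assumed values: freemail domains to treat as suspicious for brand mail,
# lure phrases matching the two ploys in the campaign, and a recipient cap.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
LURE_PHRASES = ("copyright", "violation", "verified badge", "verification", "banned")
MAX_VISIBLE_RECIPIENTS = 5


def phish_indicators(raw_message: str, brand: str = "tiktok") -> list[str]:
    """Return the red flags found in one RFC 5322 message (constructed heuristics)."""
    msg = email.message_from_string(raw_message)
    flags = []

    # Flag 1: display name or subject claims the brand, but the sender is freemail.
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    claims_brand = brand in (display_name + " " + msg.get("Subject", "")).lower()
    if claims_brand and sender_domain in FREEMAIL_DOMAINS:
        flags.append(f"brand impersonation from freemail sender ({sender_domain})")

    # Flag 2: victims grouped in the visible To header instead of Bcc.
    recipients = getaddresses(msg.get_all("To", []))
    if len(recipients) > MAX_VISIBLE_RECIPIENTS:
        flags.append(f"{len(recipients)} recipients exposed in To header")

    # Flag 3: copyright-strike or verification-badge lure in subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [phrase for phrase in LURE_PHRASES if phrase in text]
    if hits:
        flags.append("lure phrases: " + ", ".join(hits))
    return flags


def is_suspicious(raw_message: str) -> bool:
    """Two or more independent indicators is enough to route the mail for review."""
    return len(phish_indicators(raw_message)) >= 2


# Constructed sample modelled on the campaign described in the article.
SAMPLE = """From: TikTok Support <tiktok.support.team@gmail.com>
To: a@example.com, b@example.com, c@example.com, d@example.com, e@example.com, f@example.com
Subject: Your TikTok account is at risk of being banned for copyright violation

Your content violated copyright. Confirm My Account within 24 hours.
"""
```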

Hassold does not believe these were professional-level attacks. “While we do see a number of more sophisticated social engineering attacks, this is probably in the majority of attacks we see on a daily basis.” 

TikTok a growing target 

As social media company TikTok continues to grow in popularity, so will attempts by cybercriminals to scam its users. TikTok announced in September it has more than 1 billion monthly users, an increase of 45 percent since July 2020.

The China-owned company also now sees more than $100 million of monthly user spending, reportedly generating large sums for accounts with huge followings. 

It remains unclear whether any accounts were breached or who was behind the attacks. The exact purpose of the phishing attempts is also unknown at this moment, although it is likely to involve acquiring personal information.

“At the end of the day they were trying to hijack these TikTok accounts for some purpose,” said Hassold. 

A TikTok spokesperson did not answer questions specifically about this particular attack, instead just urging users to adopt two-factor authentication on their accounts and use strong passwords.

“TikTok is committed to maintaining a positive and safe environment for our global community,” they said.
