TikTok’s trusted bio links vs multi-platform takeover: how Google SSO and open redirects let phishers hijack ad accounts
A recent campaign abuses TikTok for Business' use of Google Single Sign-On and the platform's permissive profile-bio redirects to mount reverse-proxy AITM phishing that captures credentials and session cookies (defeating ordinary two-factor protections), then pivots into Google Ad Manager for large-scale ad fraud. The phishing pages are hosted on Google Storage and fronted by Cloudflare Turnstile, which shields them from automated scanning.
How the attack chain turns a TikTok click into ad-account takeover
Attackers begin with links that look like legitimate TikTok profile URLs or business communications and funnel victims through TikTok's profile-bio redirect feature, which currently allows unvalidated outbound targets. From that trusted landing, a redirect sends the user to a Google Storage-hosted page fronted by Cloudflare Turnstile; the page runs a reverse-proxy AITM phishing kit that mirrors Google or Microsoft login flows while capturing passwords and session cookies.
Compromise here is not limited to a TikTok login. When victims use Google SSO for TikTok for Business, stolen session material or credentials give attackers simultaneous access to TikTok ad controls and any linked Google Ad Manager accounts. That dual control enables malvertising campaigns and ad-fraud operations at scale, echoing prior threat activity against Google advertising but amplified by TikTok's social-trust surface.
Why 2FA and static IoCs are unreliable against this kit
The reverse-proxy kit sits between the victim and the real login service, so it intercepts the second-factor step and harvests the resulting session cookies; attackers can replay those cookies to reuse valid sessions or establish new ones, which is why ordinary TOTP or SMS 2FA often does not block the takeover. Phishing pages also prefill victim email addresses and display legitimate-looking support links and phone numbers, increasing credibility for corporate targets and for Microsoft 365 credential harvesting that uses the same TikTok-redirect trick.
| Signal | Why it matters | Immediate checkpoint |
|---|---|---|
| Cluster of welcome.careers* domains | Bulk registration indicates organized scaling and reuse of kits | Block and monitor the pattern; feed to DNS monitoring |
| Google Storage buckets serving login HTML | Legitimate-looking hosting with long-lived SSL and low-cost evasion | Alert on external Google Storage pages mimicking auth flows |
| Cloudflare Turnstile on unknown businesses | Bot checks protect malicious pages from automated scanning | Treat Turnstile presence on nonstandard domains as a risk signal |
| tiktok.com bio links that redirect externally | Trust in TikTok’s domain lowers user suspicion | Audit bio links and consider blocking external redirects in corporate browsing policies |
Operational characteristics that make the campaign scalable
Researchers observed domains registered in rapid succession with a consistent naming pattern (for example, welcome.careerscrews[.]com and similar welcome.careers* names), plus use of bulk registration services and Cloudflare fronting. Those choices let attackers spin up new landing pages quickly when prior domains are blacklisted; combined with hosting on Google Storage, that reduces the longevity of static indicators of compromise (IoCs) and forces defenders toward behavioral and telemetry-based detection.
Concrete steps for defenders and what to watch next
Technical responses that go beyond user training include: requiring phishing-resistant MFA (FIDO2 or hardware tokens) for Google SSO accounts used with TikTok for Business; auditing and separating ad-account linkages between TikTok and Google Ad Manager; instrumenting logs to flag new Ad Manager connections and sudden permission grants; and adding DNS and certificate monitoring for the welcome.careers* naming pattern and for unexpected Google Storage pages. Blocking outbound tiktok.com bio redirects in sensitive environments, or intercepting those redirects for inspection, removes the initial trust benefit attackers rely on.
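To make the table's signals concrete, here is an added example (not code from the article or from the researchers it cites) that scans constructed proxy log lines for the three observable stages of the chain: a tiktok.com URL redirecting to an external host, a host matching the welcome.careers* naming pattern, and a login-looking HTML page served from Google Cloud Storage. The log format, the `/bio-link?target=` path, the bucket name and the client IPs are all constructed placeholders; `storage.googleapis.com` is the real Google Cloud Storage hostname, but whether the campaign used that exact host is an assumption. The scoring step generalizes slightly beyond the text: a lone external bio redirect is treated as low severity, because many legitimate brands link out from their bios, while the full redirect-to-GCS-login chain from one client is high.

```python
import re
from urllib.parse import urlparse

# Constructed sample telemetry (not real traffic). Each line is:
# timestamp client referer requested_url status location_header ("-" when absent)
# The TikTok redirect path and the bucket name are placeholders, not the campaign's real values.
SAMPLE_PROXY_LOG = """\
2024-05-01T10:00:01Z 10.1.1.5 - https://www.tiktok.com/@somebrand 200 -
2024-05-01T10:00:03Z 10.1.1.5 https://www.tiktok.com/@somebrand https://www.tiktok.com/bio-link?target=https://welcome.careerscrews.com/ 302 https://welcome.careerscrews.com/
2024-05-01T10:00:04Z 10.1.1.5 https://www.tiktok.com/ https://welcome.careerscrews.com/ 302 https://storage.googleapis.com/placeholder-bucket/signin.html
2024-05-01T10:00:05Z 10.1.1.5 https://welcome.careerscrews.com/ https://storage.googleapis.com/placeholder-bucket/signin.html 200 -
2024-05-01T10:05:00Z 10.1.1.7 - https://www.tiktok.com/@otherbrand 200 -
2024-05-01T10:05:02Z 10.1.1.7 https://www.tiktok.com/@otherbrand https://www.tiktok.com/bio-link?target=https://www.example-shop.com/ 302 https://www.example-shop.com/
"""

# Naming pattern reported for the campaign: welcome.careers<anything>.<tld>
CAMPAIGN_DOMAIN_RE = re.compile(r"^welcome\.careers[a-z0-9-]*\.[a-z]{2,}$", re.I)
# Static HTML whose file name suggests an authentication page
LOGIN_PATH_RE = re.compile(r"(login|signin|sign-in|auth)[^/]*\.html?$", re.I)


def is_tiktok(host):
    return host == "tiktok.com" or host.endswith(".tiktok.com")


def is_gcs(host):
    # storage.googleapis.com is the Google Cloud Storage hostname; the campaign using it is an assumption
    return host == "storage.googleapis.com" or host.endswith(".storage.googleapis.com")


def _host(url):
    return urlparse(url).netloc.lower() if url != "-" else ""


def scan_proxy_log(log_text):
    """Return deduplicated findings as dicts with keys rule, client, detail."""
    findings, seen = [], set()

    def add(rule, client, detail):
        key = (rule, client, detail)
        if key not in seen:
            seen.add(key)
            findings.append({"rule": rule, "client": client, "detail": detail})

    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than abort the scan
        _, client, _referer, url, status, location = parts
        req_host, loc_host = _host(url), _host(location)

        # Rule 1: a tiktok.com URL answering 3xx toward a non-TikTok host is an outbound bio redirect
        if is_tiktok(req_host) and status.startswith("3") and loc_host and not is_tiktok(loc_host):
            add("bio_redirect_external", client, loc_host)

        # Rule 2: campaign naming pattern on either side of the request
        for host in (req_host, loc_host):
            if host and CAMPAIGN_DOMAIN_RE.match(host):
                add("campaign_domain", client, host)

        # Rule 3: login-looking HTML served from Google Cloud Storage
        for candidate in (url, location):
            parsed = urlparse(candidate) if candidate != "-" else None
            if parsed and is_gcs(parsed.netloc.lower()) and LOGIN_PATH_RE.search(parsed.path):
                add("gcs_login_page", client, parsed.netloc.lower() + parsed.path)
    return findings


def score_clients(findings):
    """Per-client severity: the full chain (TikTok redirect then GCS login page) is high,
    a campaign domain or GCS login page alone is medium, a lone external redirect is low."""
    rules_by_client = {}
    for f in findings:
        rules_by_client.setdefault(f["client"], set()).add(f["rule"])
    scores = {}
    for client, rules in rules_by_client.items():
        if "gcs_login_page" in rules and "bio_redirect_external" in rules:
            scores[client] = "high"
        elif "campaign_domain" in rules or "gcs_login_page" in rules:
            scores[client] = "medium"
        else:
            scores[client] = "low"
    return scores


if __name__ == "__main__":
    results = scan_proxy_log(SAMPLE_PROXY_LOG)
    for f in results:
        print(f["rule"], f["client"], f["detail"])
    print(score_clients(results))
```

Because the rules key on hostnames and path shapes rather than on specific domains, they keep working after the attackers rotate to the next welcome.careers* registration or a fresh bucket, which is the point the article makes about static IoCs losing value quickly.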
Short operational Q&A
When should you rotate credentials? Immediately after evidence of cookie/token theft or unexpected ad-account linkages; assume session replay is possible even if MFA briefly prevented a login.
Which logs give the fastest detection? Ad Manager linkage events, SSO token issuance records in Google Workspace, and unusual API calls from TikTok ad endpoints; prioritize alerts that combine SSO use with new ad-permission grants.
What policy change to monitor from TikTok? Watch for any move by TikTok to validate or block open redirects from profile bios—if TikTok enforces target-domain whitelists or rate-limits redirects, the campaign’s stealth layer will be harder to scale.
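The correlation the Q&A recommends (SSO use combined with a new ad-permission grant) can be expressed as a small detection over normalized audit events. The following is an added example, not code from the article; the event field names are an assumption about how a SIEM might normalize Google Workspace SSO and Ad Manager audit records, and every event, user and IP below is constructed. It pairs each Ad Manager linkage or permission change with the most recent SSO token issued to the same user inside a time window, and raises the severity when the change arrives from a different IP than the SSO login, which is the shape a replayed session or stolen token leaves behind and the trigger for the credential rotation described above.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are an assumption about a
# SIEM's normalized schema; the IPs are documentation addresses. Deliberately unsorted.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "source": "workspace_sso", "type": "token_issued",
     "user": "ads-admin@example.com", "ip": "203.0.113.10"},
    {"ts": "2024-05-01T12:00:00Z", "source": "ad_manager", "type": "linkage_added",
     "user": "finance@example.com", "ip": "203.0.113.30", "detail": "placeholder linkage"},
    {"ts": "2024-05-01T10:12:00Z", "source": "ad_manager", "type": "linkage_added",
     "user": "ads-admin@example.com", "ip": "198.51.100.7", "detail": "TikTok for Business account linked"},
    {"ts": "2024-05-01T10:13:00Z", "source": "ad_manager", "type": "permission_granted",
     "user": "ads-admin@example.com", "ip": "198.51.100.7", "detail": "admin role on placeholder network"},
    {"ts": "2024-05-01T11:00:00Z", "source": "workspace_sso", "type": "token_issued",
     "user": "marketing@example.com", "ip": "203.0.113.20"},
    {"ts": "2024-05-01T15:30:00Z", "source": "ad_manager", "type": "permission_granted",
     "user": "marketing@example.com", "ip": "203.0.113.20", "detail": "report viewer role"},
]

AD_CHANGE_TYPES = {"linkage_added", "permission_granted"}


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate_sso_with_ad_changes(events, window=timedelta(minutes=30)):
    """Pair each Ad Manager linkage/permission change with the latest SSO token issued to the
    same user within `window`. Same IP on both sides is medium; a different IP is high."""
    ordered = sorted(events, key=lambda e: _parse_ts(e["ts"]))
    last_sso = {}  # user -> most recent SSO token event seen so far
    alerts = []
    for ev in ordered:
        when = _parse_ts(ev["ts"])
        if ev["source"] == "workspace_sso" and ev["type"] == "token_issued":
            last_sso[ev["user"]] = ev
            continue
        if ev["source"] != "ad_manager" or ev["type"] not in AD_CHANGE_TYPES:
            continue
        sso = last_sso.get(ev["user"])
        if sso is None or when - _parse_ts(sso["ts"]) > window:
            continue  # no recent SSO login to tie this change to
        ip_mismatch = sso["ip"] != ev["ip"]
        alerts.append({
            "user": ev["user"],
            "change": ev["type"],
            "detail": ev.get("detail", ""),
            "sso_at": sso["ts"],
            "change_at": ev["ts"],
            "ip_mismatch": ip_mismatch,
            "severity": "high" if ip_mismatch else "medium",
        })
    return alerts


def users_to_remediate(alerts):
    """Users whose high-severity alerts warrant immediate credential rotation and session revocation."""
    return sorted({a["user"] for a in alerts if a["severity"] == "high"})


if __name__ == "__main__":
    for a in correlate_sso_with_ad_changes(SAMPLE_EVENTS):
        print(a["severity"], a["user"], a["change"], "ip_mismatch=", a["ip_mismatch"])
    print("rotate:", users_to_remediate(correlate_sso_with_ad_changes(SAMPLE_EVENTS)))
```

The window is deliberately short by default: an SSO login followed minutes later by a new TikTok linkage and an admin grant from a different address is the sequence an AITM-stolen session produces, whereas a grant hours after a login from the same address is ordinary administration and only surfaces if the window is widened.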