More than 125 people and businesses associated with large TikTok accounts based around the world were targeted as part of a recent phishing campaign, according to research published Tuesday.
Emails warned that targeted accounts were either in danger of being deleted for copyright violations or eligible for a verification badge. If victims replied to a message, attackers directed them to click a link to a WhatsApp chat, where a purported TikTok representative would confirm their accounts.
While it remains unclear if any accounts were breached, the campaign is the latest to demonstrate how TikTok’s popularity makes its most visible users targets for scammers.
In addition to individual account holders, the latest campaign targeted talent agencies, brand-consultant firms, social media production studios and influencer management firms, according to Rachelle Chouinard, a threat intelligence analyst at email security firm Abnormal Security, which shared its findings with CyberScoop. Crane Hassold, the director of threat intelligence at Abnormal, declined to share the specific names of the people and accounts targeted, but said the accounts in question had “millions to tens of millions of followers.”
In two batches of emails — sent Oct. 2 and Nov. 1 — the victim was told that material posted to their account violated copyright laws, or was promised a verified badge, which confers both legitimacy and status on popular accounts on the platform. If the victim replied to the email as instructed, a second email with a “Confirm My Account” link redirected to a WhatsApp chat, where they would be asked to “verify” the phone number and email associated with the account. A six-digit number made to look like a two-factor authentication code was then sent to the victim’s phone.
Exactly who was behind the effort remains unclear, as does their ultimate intention. Fraudsters frequently direct potential victims off social media channels and into private chat apps, such as WhatsApp or Google Hangouts, where they then send malicious links or request personal information.
“At the end of the day they were trying to hijack these TikTok accounts for some purpose,” said Hassold.
TikTok, owned by the China-based firm ByteDance, has more than 1 billion monthly users, the company announced in September, marking a 45% increase since July 2020, Reuters reported at the time. Its rapid rise facilitates more than $100 million of monthly user spending, and reportedly generates large sums for account holders with massive followings.
A TikTok spokesperson did not answer questions about the campaign in question before press time, urging users to adopt two-factor authentication and to use strong passwords.
“TikTok is committed to maintaining a positive and safe environment for our global community,” the spokesperson said.
Social media account hijacks aren’t new. Google in October announced the recovery of roughly 4,000 YouTube channels that were stolen through fake content collaboration offers. In July 2020, attackers took over more than 100 prominent Twitter accounts as part of a plot to generate cryptocurrency.
Prominent people are directly targeted as well, such as in October when an Irish broadcaster had her Instagram account hijacked and held for ransom.
The phishing emails had some obvious red flags. Scammers sent the messages from Gmail accounts, displayed poor command of the English language, and grouped all of the victim email addresses together in the “To” field, allowing the researchers to see that 86 victims were targeted on Oct. 2 and 45 more on Nov. 1.
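One way a mail-filtering team could turn the red flags described above into a scoring check, as an added example that is not part of the article or of Abnormal Security's research; the sample message, the free-mail domain list, the recipient threshold and the lure patterns are constructed assumptions:

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample lure modelled on the indicators the article names: a brand
# display name over a Gmail sender, a copyright/verification pretext, and many
# recipients bundled into one To header. All addresses are placeholders.
SAMPLE_EMAIL = """\
From: TikTok Support <tiktok.support.team@gmail.com>
To: creator1@example.com, creator2@example.com, agency@example.com
Subject: Copyright Violation Notice - Account Deletion Pending
Content-Type: text/plain

Your video violated copyright laws and your account will be deleted.
Reply to this email to confirm your account and avoid removal.
"""

FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed list
IMPERSONATED_BRAND = "tiktok"
LURE_PATTERNS = [  # pretexts the article describes: copyright strike, badge
    r"copyright",
    r"verif\w* badge",
    r"account (?:will be )?delet",
    r"confirm (?:my |your )?account",
]
RECIPIENT_THRESHOLD = 2  # assumed: unrelated victims rarely share one To header


def score_message(raw):
    """Return the indicators found in a raw RFC 822 message plus a simple score."""
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg.get("From", ""))
    domain = sender.rsplit("@", 1)[-1].lower()
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", []))]
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()

    findings = {
        # Brand name in the display name but sent from a free webmail domain.
        "brand_from_free_mail": IMPERSONATED_BRAND in display_name.lower()
        and domain in FREE_MAIL_DOMAINS,
        # Victims addressed together rather than individually.
        "bulk_to_header": len(recipients) > RECIPIENT_THRESHOLD,
        "lure_hits": [p for p in LURE_PATTERNS if re.search(p, text)],
    }
    findings["score"] = (int(findings["brand_from_free_mail"])
                         + int(findings["bulk_to_header"])
                         + len(findings["lure_hits"]))
    return findings


if __name__ == "__main__":
    print(score_message(SAMPLE_EMAIL))
```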
“While we do see a number of more sophisticated social engineering attacks, this is probably in the majority of attacks we see on a daily basis,” Hassold said.