A recently discovered phishing scam tried to takeover more than 125 high-profile user accounts on TikTok. Researchers said the campaign marks one of the first major attacks on “influencers” found on the TikTok social-media platform.
Researchers at cloud email security provider Abnormal Security detected the scams that attempted to take over people’s accounts by sending emails impersonating TikTok and asking users to verify their log-in information.
The campaign, tracked on Oct. 2 and Nov. 1, was sent to individuals worldwide. Each target had large-volume TikTok accounts “of all kinds and across disparate locales,” according to a Tuesday report authored by Abnormal Security.
“Among the typical talent agencies and brand-consultant firms we would expect to see, this actor sent messages to social media production studios, influencer management firms, and content producers of all types,” Rachelle Chouinard, a threat intelligence analyst at Abnormal Security, wrote in the report.
Impersonation Game
The emails tried to dupe users into sending their log-in information to the threat actors in one of two ways, each of which required further action from the target. In both cases attackers pretended to be contacting users from TikTok, which is owned by Chinese company ByteDance.
One of the emails sent in the campaign informed the user that his or her account violated TikTok’s copyright and asked the user to reply to the email to verify the account, threatening to remove the account in 48 hours if action was not taken.
A second email falsely claiming to be sent by “TikTok officials” informed account holders that the account was eligible for a “verified badge” and asked them to reply to the email so the account could be properly verified.
“From well-known digital media channels to individual actors, models, and magicians, the campaign reached out to content creators worldwide,” Chouinard wrote. “Several emails were sent to the wrong company of the same name in the same country, and many of the email addresses used appear to have been lifted directly from social media.”
Connecting with Attackers
Researchers turned the attackers’ tactics back on them, impersonating influencers by responding to the phishing email, which garnered an email response containing shortened link titled “Confirm My Account” that directed researchers to a WhatsApp chat conversation, she explained.
“Within the WhatsApp conversation, we were asked to verify the phone number and email address linked to the targeted TikTok account,” Chouinard wrote.
Next, the threat actor impersonating “TikTok officials” asked researchers to confirm their ownership of the account by providing the six-digit code they’d sent, demonstrating how they bypass multi-factor authentication to take over the account.
Communications with attackers ceased after that because attackers likely checked the TikTok account researchers used, which would show that “our audience engagement was below par,” Chouinard wrote. Abnormal Security tried to find an influencer who would permit use of his or her account for the experiment but did not succeed, she said.
Motive Unclear
The campaign resulted in a number of those targeted having their accounts deleted or taken over and their data stolen, researchers reported. However, beyond this, researchers didn’t see much of a clear motive for the campaign that would benefit attackers, Chouinard wrote.
However, it’s not uncommon for threat actors to target high-profile users of social media accounts—more commonly people who are so-called “influencers” on Instagram and Facebook–to extort money from account owners to get them back, she noted.
“Past targeting of social media accounts on other platforms offers several options,” Chouinard wrote. “Social media accounts have become increasingly valuable in recent years, creating the incentive to ransom them back to the original owners for a hefty fee.”
Instagram users were indeed the target of a threat campaign from Turkish-speaking cybercriminals uncovered in August 2020. Attackers targeted hundreds of celebrities, startup business owners and others with sizeable followings on the platform in an attempt to steal both Instagram and email credentials.
This type of activity has spurred “an underground economy” offering ban-as-a-service, manipulating abuse reporting mechanisms to harass and censor other users, primarily on Instagram, Chouinard added.
Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, “Password Reset: Claiming Control of Credentials to Stop Attacks,” on Wed., Nov. 17 at 2 p.m. ET. Sponsored by Specops.
Register NOW for the LIVE event and submit questions ahead of time to Threatpost’s Becky Bracken at [email protected].