threatpost.com
35.173.160.135  Public Scan

URL: https://threatpost.com/phishing-scam-tiktok-influencer/176391/
Submission: On November 22 via api from US — Scanned from DE

Form analysis 4 forms found in the DOM

POST /phishing-scam-tiktok-influencer/176391/#gf_5

<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_5" id="gform_5" action="/phishing-scam-tiktok-influencer/176391/#gf_5">
  <div class="gform_body">
    <ul id="gform_fields_5" class="gform_fields top_label form_sublabel_below description_below">
      <li id="field_5_8" class="gfield field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_8"></label>
        <div class="ginput_container ginput_container_text"><input name="input_8" id="input_5_8" type="text" value="" class="medium" placeholder="Your name" aria-invalid="false"></div>
      </li>
      <li id="field_5_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_1"><span class="gfield_required">*</span></label>
        <div class="ginput_container ginput_container_email">
          <input name="input_1" id="input_5_1" type="text" value="" class="medium" placeholder="Your e-mail address" aria-required="true" aria-invalid="false">
        </div>
      </li>
      <li id="field_5_9" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden"><input name="input_9" id="input_5_9" type="hidden" class="gform_hidden"
          aria-invalid="false" value=""></li>
      <li id="field_5_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label"><span class="gfield_required">*</span></label>
        <div class="ginput_container ginput_container_checkbox">
          <ul class="gfield_checkbox" id="input_5_2">
            <li class="gchoice_5_2_1">
              <input name="input_2.1" type="checkbox" value="I agree" id="choice_5_2_1">
              <label for="choice_5_2_1" id="label_5_2_1">I agree to my personal data being stored and used to receive the newsletter</label>
            </li>
          </ul>
        </div>
      </li>
      <li id="field_5_5" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label"><span class="gfield_required">*</span></label>
        <div class="ginput_container ginput_container_checkbox">
          <ul class="gfield_checkbox" id="input_5_5">
            <li class="gchoice_5_5_1">
              <input name="input_5.1" type="checkbox" value="I agree" id="choice_5_5_1">
              <label for="choice_5_5_1" id="label_5_5_1">I agree to accept information and occasional commercial offers from Threatpost partners</label>
            </li>
          </ul>
        </div>
      </li>
      <li id="field_5_10" class="gfield gform_validation_container field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_10">Comments</label>
        <div class="ginput_container"><input name="input_10" id="input_5_10" type="text" value=""></div>
        <div class="gfield_description" id="gfield_description__10">This field is for validation purposes and should be left unchanged.</div>
      </li>
    </ul>
  </div>
  <div class="gform_footer top_label"> <input type="submit" id="gform_submit_button_5" class="gform_button button" value="Subscribe" onclick="if(window[&quot;gf_submitting_5&quot;]){return false;}  window[&quot;gf_submitting_5&quot;]=true;  "
      onkeypress="if( event.keyCode == 13 ){ if(window[&quot;gf_submitting_5&quot;]){return false;} window[&quot;gf_submitting_5&quot;]=true;  jQuery(&quot;#gform_5&quot;).trigger(&quot;submit&quot;,[true]); }" style="display: none;"> <input
      type="hidden" name="gform_ajax" value="form_id=5&amp;title=&amp;description=&amp;tabindex=0">
    <input type="hidden" class="gform_hidden" name="is_submit_5" value="1">
    <input type="hidden" class="gform_hidden" name="gform_submit" value="5">
    <input type="hidden" class="gform_hidden" name="gform_unique_id" value="">
    <input type="hidden" class="gform_hidden" name="state_5" value="WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=">
    <input type="hidden" class="gform_hidden" name="gform_target_page_number_5" id="gform_target_page_number_5" value="0">
    <input type="hidden" class="gform_hidden" name="gform_source_page_number_5" id="gform_source_page_number_5" value="1">
    <input type="hidden" name="gform_field_values" value="">
  </div>
</form>

GET https://threatpost.com/

<form class="c-site-search__form" role="search" method="get" action="https://threatpost.com/">
  <input type="text" class="c-site-search__field" name="s" placeholder="Search">
  <button type="submit" class="c-button c-button--secondary c-button--smaller c-site-search__button" value="Search"><svg class="icon fill">
      <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://threatpost.com/wp-content/themes/threatpost-2018/assets/sprite/icons.svg#icon-search"></use>
    </svg> Search</button>
  <div class="c-site-search__overlay"></div>
</form>

POST https://threatpost.com/wp-comments-post.php

<form action="https://threatpost.com/wp-comments-post.php" method="post" id="commentform" class="comment-form">
  <div class="o-row">
    <div class="o-col-12@md">
      <div class="c-form-element"><textarea id="comment" name="comment" cols="45" rows="8" aria-required="true" placeholder="Write a reply..."></textarea></div>
    </div>
  </div>
  <div class="o-row">
    <div class="o-col-6@md">
      <div class="c-form-element"><input id="author" name="author" placeholder="Your name" type="text" value="" size="30"></div>
    </div>
    <div class="o-col-6@md">
      <div class="c-form-element"><input id="email" name="email" placeholder="Your email" type="text" value="" size="30"></div>
    </div>
  </div>
  <p class="form-submit"><input name="submit" type="submit" id="submit" class="c-button c-button--primary" value="Send Comment"> <input type="hidden" name="comment_post_ID" value="176391" id="comment_post_ID">
    <input type="hidden" name="comment_parent" id="comment_parent" value="0">
  </p>
  <p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="7dab02909f"></p><!-- the following input field has been added by the Honeypot Comments plugin to thwart spambots -->
  <input type="hidden" id="BtMpJtuNmKAYQtb7nw4uelvHu" name="JkZAcFig8F3XWleFNDTnhlrl5">
  <script type="text/javascript">
    document.addEventListener("input", function(event) {
      if (!event.target.closest("#comment")) return;
      var captchaContainer = null;
      captchaContainer = grecaptcha.render("recaptcha-submit-btn-area", {
        "sitekey": "6LfsdrAaAAAAAMVKgei6k0EaDBTgmKv6ZQrG7aEs",
        "theme": "standard"
      });
    });
  </script>
  <script src="https://www.google.com/recaptcha/api.js?hl=en&amp;render=explicit" async="" defer=""></script>
  <div id="recaptcha-submit-btn-area">&nbsp;</div>
  <noscript>
    <style type="text/css">
      #form-submit-save {
        display: none;
      }
    </style>
    <input name="submit" type="submit" id="submit-alt" tabindex="6" value="Submit Comment">
  </noscript><textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100" style="display: none !important;"></textarea><input type="hidden" id="ak_js" name="ak_js" value="1637589819492">
</form>

GET https://threatpost.com/

<form class="c-site-search__form" role="search" method="get" action="https://threatpost.com/">
  <input type="text" class="c-site-search__field" name="s" placeholder="Search">
  <button type="submit" class="c-button c-button--secondary c-button--smaller c-site-search__button" value="Search"><svg class="icon fill">
      <use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://threatpost.com/wp-content/themes/threatpost-2018/assets/sprite/icons.svg#icon-search"></use>
    </svg> Search</button>
  <div class="c-site-search__overlay"></div>
</form>

Text Content


PHISHING SCAM AIMS TO HIJACK TIKTOK ‘INFLUENCER’ ACCOUNTS

Author: Elizabeth Montalbano
November 17, 2021 8:44 am
3 minute read
Threat actors used malicious emails to target more than 125 people with
high-profile TikTok accounts in an attempt to steal info and lock them out.

A recently discovered phishing scam tried to take over more than 125 high-profile
user accounts on TikTok. Researchers said the campaign marks one of the first
major attacks on “influencers” found on the TikTok social-media platform.

Researchers at cloud email security provider Abnormal Security detected the
scams that attempted to take over people’s accounts by sending emails
impersonating TikTok and asking users to verify their log-in information.

The campaign, tracked on Oct. 2 and Nov. 1, was sent to individuals worldwide.
Each target had large-volume TikTok accounts “of all kinds and across disparate
locales,” according to a Tuesday report authored by Abnormal Security.

“Among the typical talent agencies and brand-consultant firms we would expect to
see, this actor sent messages to social media production studios, influencer
management firms, and content producers of all types,” Rachelle Chouinard, a
threat intelligence analyst at Abnormal Security, wrote in the report.


IMPERSONATION GAME

The emails tried to dupe users into sending their log-in information to the
threat actors in one of two ways, each of which required further action from the
target. In both cases attackers pretended to be contacting users from TikTok,
which is owned by Chinese company ByteDance.

One of the emails sent in the campaign informed the user that his or her account
violated TikTok’s copyright and asked the user to reply to the email to verify
the account, threatening to remove the account in 48 hours if action was not
taken.

A second email falsely claiming to be sent by “TikTok officials” informed
account holders that the account was eligible for a “verified badge” and asked
them to reply to the email so the account could be properly verified.

“From well-known digital media channels to individual actors, models, and
magicians, the campaign reached out to content creators worldwide,” Chouinard
wrote. “Several emails were sent to the wrong company of the same name in the
same country, and many of the email addresses used appear to have been lifted
directly from social media.”


CONNECTING WITH ATTACKERS

Researchers turned the attackers’ tactics back on them, impersonating
influencers by responding to the phishing email. That garnered an email
response containing a shortened link titled “Confirm My Account” that directed
researchers to a WhatsApp chat conversation, she explained.

“Within the WhatsApp conversation, we were asked to verify the phone number and
email address linked to the targeted TikTok account,” Chouinard wrote.

Next, the threat actor impersonating “TikTok officials” asked researchers to
confirm their ownership of the account by providing the six-digit code they’d
sent, demonstrating how they bypass multi-factor authentication to take over the
account.

Communications with attackers ceased after that because attackers likely checked
the TikTok account researchers used, which would show that “our audience
engagement was below par,” Chouinard wrote. Abnormal Security tried to find an
influencer who would permit use of his or her account for the experiment but did
not succeed, she said.


MOTIVE UNCLEAR

The campaign resulted in a number of those targeted having their accounts
deleted or taken over and their data stolen, researchers reported. However,
beyond this, researchers didn’t see much of a clear motive for the campaign that
would benefit attackers, Chouinard wrote.

However, it’s not uncommon for threat actors to target high-profile social
media accounts (more commonly those of so-called “influencers” on Instagram and
Facebook) in order to extort money from the owners in exchange for returning
them, she noted.

“Past targeting of social media accounts on other platforms offers several
options,” Chouinard wrote. “Social media accounts have become increasingly
valuable in recent years, creating the incentive to ransom them back to the
original owners for a hefty fee.”

Instagram users were indeed the target of a threat campaign from
Turkish-speaking cybercriminals uncovered in August 2020. Attackers targeted
hundreds of celebrities, startup business owners and others with sizeable
followings on the platform in an attempt to steal both Instagram and email
credentials.

This type of activity has spurred “an underground economy” offering
ban-as-a-service, manipulating abuse reporting mechanisms to harass and censor
other users, primarily on Instagram, Chouinard added.

