Hackers have mounted a phishing campaign intending to hijack the accounts of at least 125 influencers on the social media network.
Security researchers at Abnormal Security said the campaign, in which emails were sent in two rounds on October 2 and November 1 to more than 125 individuals and businesses, appeared to target large-volume TikTok accounts worldwide.
The victims, which included social media production studios, influencer management firms, content producers, actors, models, and magicians, were told their posts violated copyright laws and had to respond to the message or have their account deleted in 48 hours.
After replying to the first email, researchers received another email containing a shortened link titled “Confirm My Account,” which directed them to a WhatsApp chat conversation. Researchers were asked to verify the phone number and email address linked to the targeted TikTok account in that WhatsApp conversation.
Hackers pretending to be TikTok officials then asked to confirm ownership of the account by providing the six-digit code we had received. Researchers said this was one way hackers try to bypass two-factor authentication. Hackers then ended the conversation with researchers once they found out their audience engagement on TikTok was below par.
Another email offered victims a verified badge with a link to click that would “verify” them. This also led to a WhatsApp conversation with the hackers pretending to be from TikTok.
Researchers said that while they could not identify the campaign’s goal, past targeting of social media accounts on other platforms offers several options.
2021 state of email security report: Ransomware on the rise
Securing the enterprise in the COVID world
“Social media accounts have become increasingly valuable in recent years, creating the incentive to ransom them back to the original owners for a hefty fee,” said researchers.
“An underground economy has evolved to offer ban-as-a-service, manipulating abuse reporting mechanisms to harass and censor other users, primarily on Instagram.”
Researchers warned that victim accounts in this scenario often end up deleted, especially for those on TikTok.
“Social media platforms explicitly state in their terms of service that they bear no responsibility for any data loss and advise users to store all account material externally. In most instances, data from deleted accounts is not recoverable by the platform,” said researchers.
“And so even if the ransom payment is paid, there may be no regaining access to your social media accounts—costing those who depend on it for their income to lose their entire livelihood in one swoop.”
