Researchers at the security company Abnormal Security have uncovered a phishing scam aimed at at least 125 TikTok influencer accounts. The technique they describe is as simple as it is effective, and it shows how much ingenuity the criminals have put into this new fraud.
Names like Charli D’Amelio and Khaby Lame may mean nothing to some readers, but they are influencers whose accounts have hundreds of millions of followers. That makes these accounts real money machines, part of a business worth billions of dollars.
Once access to a social account has been stolen, the thief can extort the owner, demanding a ransom to return it, or use the account to impersonate the victim and send messages in the victim’s name to their followers, with serious consequences.
A message posted by a figure like Tesla CEO Elon Musk can move the price of a cryptocurrency just as it can move the price of a stock.
But let’s get to the attack described by the Abnormal Security researchers. Victims receive emails designed to push them into urgent action; in this campaign, two distinct lure messages were identified.
In the first case, the initial email sent to TikTok account holders uses a bogus notice of a copyright violation on the platform as the lure. The message invites the recipient to respond within 48 hours to avoid having the account closed. Predictably, the alarmed and unsuspecting victim replies to the worrying message at once.
Once the victim has replied to the phishing message, the attacker, posing as a “TikTok official”, responds by email with a message in which a “Confirm my Account” link is prominently displayed.
The link is a short URL, that is, an abbreviated web address, which when clicked opens a WhatsApp chat with the supposed TikTok operators. This is where the social engineering trick is completed: the fake operators ask the victim to verify their identity by providing the phone number and email address associated with the TikTok account for which help is being requested. Once this information has been handed over, the victim is asked to confirm the 6-digit code that has just been sent to them by SMS.
In reality, the attackers are using the phone number and email address to submit a request for the victim’s account to the platform. The platform sends the 6-digit confirmation code to the rightful owner’s phone precisely so that only the owner can complete that request, and the victim, believing they are talking to support, reads the code back to the scammers.
With that code in hand, the attacker can take over the account. Two-factor authentication is not broken here but bypassed: the second factor was completed by the victim on the attacker’s behalf, so whoever submits the code, not whoever received it, ends up with the session.
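The following is an added illustration, not code from Abnormal Security or TikTok: a toy model of the relay described in the steps above. The `Platform` class stands in for any site that confirms an account-recovery request by texting a 6-digit code to the registered phone; the class and function names and the sample account details are hypothetical. It shows why the code is useless to the attacker until the owner reads it out, and why it grants the attacker (not the owner) a session once relayed.

```python
"""Model of the SMS-code relay behind the TikTok takeover described above.

Added illustration, not Abnormal Security's or TikTok's code. Platform,
request_recovery and confirm are hypothetical stand-ins for any site that
proves a recovery request by echoing back a 6-digit SMS code.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    phone: str


@dataclass
class RecoveryRequest:
    email: str
    code: str       # the 6-digit code texted to the owner's phone
    requester: str  # the client that opened the request (here: the attacker)


class Platform:
    """Toy platform: a recovery request is proven by echoing back the SMS code."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.pending: dict[str, RecoveryRequest] = {}
        self.sms_outbox: dict[str, list[str]] = {}      # phone -> codes delivered
        self.sessions: dict[str, tuple[str, str]] = {}  # token -> (email, requester)

    def register(self, email: str, phone: str) -> None:
        self.accounts[email] = Account(email, phone)

    def request_recovery(self, email: str, phone: str, requester: str) -> str | None:
        """Anyone who knows the email+phone pair can open a request; the platform
        'verifies' it by texting a fresh code to the registered phone."""
        acct = self.accounts.get(email)
        if acct is None or acct.phone != phone:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        req_id = secrets.token_hex(8)
        self.pending[req_id] = RecoveryRequest(email, code, requester)
        self.sms_outbox.setdefault(phone, []).append(code)
        return req_id

    def confirm(self, req_id: str, code: str) -> str | None:
        """Whoever submits the right code for a pending request gets the session,
        regardless of who actually received the SMS."""
        req = self.pending.pop(req_id, None)
        if req is None or not hmac.compare_digest(code, req.code):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = (req.email, req.requester)
        return token


def run_otp_relay(platform: Platform, victim_email: str, victim_phone: str,
                  attacker: str = "attacker-device") -> tuple[str, str] | None:
    """Replay the scam and return the session the attacker ends up holding."""
    # Article steps 1-3: email lure -> reply -> WhatsApp chat in which the fake
    # "official" collects the email and phone number tied to the account.
    req_id = platform.request_recovery(victim_email, victim_phone, requester=attacker)
    if req_id is None:
        return None
    # Step 4: the platform texts the code to the rightful owner's handset.
    code_on_victims_phone = platform.sms_outbox[victim_phone][-1]
    # Step 5: the victim "confirms" the code by typing it into the chat.
    relayed_code = code_on_victims_phone
    # Step 6: the attacker completes the request they themselves opened.
    token = platform.confirm(req_id, relayed_code)
    return platform.sessions.get(token) if token else None


def run_without_relay(platform: Platform, victim_email: str, victim_phone: str,
                      attacker: str = "attacker-device") -> tuple[str, str] | None:
    """Same attacker, same stolen email+phone, but the victim keeps the code to
    themselves: the request cannot be completed."""
    req_id = platform.request_recovery(victim_email, victim_phone, requester=attacker)
    if req_id is None:
        return None
    real_code = platform.sms_outbox[victim_phone][-1]
    wrong_guess = "000000" if real_code != "000000" else "111111"
    token = platform.confirm(req_id, wrong_guess)
    return platform.sessions.get(token) if token else None


if __name__ == "__main__":
    tiktok = Platform()
    tiktok.register("creator@example.com", "+15550100")  # constructed sample account
    print("with relay:   ", run_otp_relay(tiktok, "creator@example.com", "+15550100"))
    print("without relay:", run_without_relay(tiktok, "creator@example.com", "+15550100"))
```

The point the model makes is that the SMS code only proves that the person typing it can see the owner’s phone; it carries nothing that ties it to the device that opened the request, so a code read out over a chat is as good to the attacker as one received directly.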
The researchers also identified a second lure email. In this case the message, again purporting to come from “TikTok officials”, tells account holders that their account is eligible for a verified badge. In this scenario the flattered victim simply has to reply to the email to start the verification process, which then follows the pattern described above.
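As an added example covering both lures (the copyright notice and the verified-badge offer), here is indicator-based triage logic of the kind a mail-security team might run over inbound messages. This is not Abnormal Security’s detection code; the sample emails are constructed to match the article’s description, and the indicator weights, the threshold and the `PLATFORM_DOMAIN` constant are assumptions to be tuned on real mail.

```python
"""Indicator-based triage for the two lure emails described above.

Added illustration, not Abnormal Security's detection logic. Sample emails
are constructed from the article's description; weights, threshold and
PLATFORM_DOMAIN are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts commonly used to hide a link's destination (the second-stage
# "Confirm my Account" link in the article was a shortened URL).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "is.gd", "rb.gy"}
PLATFORM_DOMAIN = "tiktok.com"   # assumption: the impersonated brand's real domain

# name -> (pattern, weight). Weights are arbitrary, chosen so that one lure
# element alone stays below the threshold but lure + pressure + reply bait does not.
INDICATORS = {
    "mentions_platform": (re.compile(r"\btiktok\b", re.I), 1),
    "copyright_lure": (re.compile(r"copyright\s+(violation|infringement)", re.I), 2),
    "badge_lure": (re.compile(r"(verified|verification)\s+badge", re.I), 2),
    "deadline_pressure": (re.compile(r"\bwithin\s+\d+\s*(hours?|hrs?|days?)\b", re.I), 2),
    "account_threat": (re.compile(
        r"(clos|suspend|terminat|delet)\w*\s+(of\s+)?(your\s+)?account"
        r"|account\s+(will\s+be\s+)?(closed|suspended|terminated|deleted)", re.I), 2),
    "reply_to_proceed": (re.compile(r"\b(reply|respond)\s+to\s+this\s+(email|message)", re.I), 1),
    "whatsapp_handoff": (re.compile(r"wa\.me/|whatsapp", re.I), 2),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Email:
    sender: str
    reply_to: str
    subject: str
    body: str


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def score_email(email: Email) -> tuple[int, list[str]]:
    """Return (score, names of the indicators that fired)."""
    text = f"{email.subject}\n{email.body}"
    score, hits = 0, []
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(text):
            hits.append(name)
            score += weight
    # Brand named in the text but sent from somewhere other than the brand's domain.
    if "mentions_platform" in hits and domain_of(email.sender) != PLATFORM_DOMAIN:
        hits.append("sender_not_platform_domain")
        score += 3
    # Replies routed to a different domain than the visible sender.
    if email.reply_to and domain_of(email.reply_to) != domain_of(email.sender):
        hits.append("reply_to_mismatch")
        score += 2
    # Any link whose host is a URL shortener.
    for url in URL_RE.findall(text):
        if urlparse(url).netloc.lower() in SHORTENERS:
            hits.append("shortened_url")
            score += 2
            break
    return score, hits


def is_suspicious(email: Email, threshold: int = 5) -> bool:
    return score_email(email)[0] >= threshold


# Constructed samples modelled on the article's two lures, plus a benign mail.
COPYRIGHT_LURE = Email(
    sender="support@tiktok-copyright-team.com",
    reply_to="support@tiktok-copyright-team.com",
    subject="Copyright Violation Notice - Action Required",
    body=("Dear creator, your TikTok account has been reported for a copyright "
          "violation. Reply to this email within 48 hours to avoid the closing "
          "of your account."),
)
BADGE_LURE = Email(
    sender="verification@tiktok.com",          # spoofed visible sender
    reply_to="tiktok.verify.team@gmail.com",   # where replies really go
    subject="Your account is eligible for a verified badge",
    body=("Hello, our team reviewed your profile and your TikTok account is "
          "eligible for a verified badge. Simply reply to this email to start "
          "the verification process."),
)
BENIGN = Email(
    sender="newsletter@tiktok.com",
    reply_to="newsletter@tiktok.com",
    subject="Creator tips for this month",
    body="Here are this month's tips for TikTok creators: https://www.tiktok.com/creators",
)

if __name__ == "__main__":
    for label, mail in [("copyright", COPYRIGHT_LURE), ("badge", BADGE_LURE), ("benign", BENIGN)]:
        print(label, score_email(mail))
```

Note that the badge lure scores lower than the copyright one because it carries no deadline or threat; what pushes it over the threshold is the Reply-To header pointing at a domain unrelated to the visible sender, which is the header a reply-based scam depends on and a good field to alert on in its own right.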
The researchers identified two waves of this phishing, on 2 October and 1 November 2021. The recipients naturally include talent agencies, consulting firms serving major brands, production studios, social media companies that manage influencer accounts, and content producers of all kinds. “Social media accounts have become increasingly valuable in recent years, creating an incentive for their rightful owners to redeem them even by paying a hefty ransom. An underground economy has evolved to offer ban-as-a-service, that is, services provided by criminals which, by manipulating abuse-reporting mechanisms, harass other users and get them blocked, mainly on Instagram,” reads the report published by Abnormal Security.
Are only influencers at risk? Obviously not: an attack scheme like this one could be used at scale for the same purposes. It is therefore worth spreading awareness of these campaigns so that nobody is caught unprepared and our social accounts stay safe.
It is always worth enabling two-factor authentication on every service that offers it, as an additional safeguard for account security. But, as this case shows, a code received by SMS should never be read out or typed into a chat at someone else’s request: the platform sends it so that only the owner can complete a request, and anyone asking for it is completing a request of their own.