Phishing emails are targeting large TikTok accounts with phony copyright warnings or offers for account verification, according to researchers at Abnormal Security.
“An email campaign sent in two rounds on October 2, 2021, and November 1, 2021 to more than 125 individuals and businesses appeared to target large-volume TikTok accounts of all kinds and across disparate locales,” the researchers write. “Among the typical talent agencies and brand-consultant firms we would expect to see, this actor sent messages to social media production studios, influencer management firms, and content producers of all types….From well-known digital media channels to individual actors, models, and magicians, the campaign reached out to content creators worldwide. Several emails were sent to the wrong company of the same name in the same country, and many of the email addresses used appear to have been lifted directly from social media.”
The researchers add that the attackers impose a deadline to pressure the victim into acting quickly, then follow up with a link to a credential-harvesting page made to look like a TikTok login.
“This campaign indicates that attackers have linked TikTok with the social media giants, including Facebook and Twitter, in the impersonation game,” the researchers write. “In the original phishing email, designed to appear like a copyright violation notice from TikTok, the victim was instructed to respond to the message, lest their account be deleted in 48 hours.”
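The lure described above combines three signals a mail gateway or SOC triage script can test for mechanically: a sender that claims to be TikTok but mails from an unrelated domain, a deadline paired with a threatened account action, and links whose host is not a TikTok domain. The following is an added example (not Abnormal Security's or KnowBe4's code) that scores a raw RFC 822 message on those signals; the two messages, the sender addresses and the URLs in it are constructed for illustration, and the allow-list of legitimate TikTok domains is an assumption, not an authoritative list.

```python
"""Heuristic triage for brand-impersonation lures like the TikTok
copyright-notice phish. Added example; samples and domain list are
constructed assumptions, not data from the campaign."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains a genuine TikTok notice would send from or link to.
BRAND_DOMAINS = {"tiktok.com"}
BRAND_NAME = "tiktok"

DEADLINE_RE = re.compile(r"\b\d+\s*(hours?|hrs?|days?)\b", re.I)
THREAT_RE = re.compile(r"\b(delet|suspend|disabl|terminat|remov)\w*", re.I)
LURE_RE = re.compile(r"\b(copyright|verif(y|ication)|violation)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registrable(host):
    """Crude eTLD+1 (last two labels). Enough for an allow-list check;
    production code should use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def in_brand(host):
    return registrable(host) in BRAND_DOMAINS


def body_text(msg):
    """Collect text/plain content whether or not the message is multipart."""
    if msg.is_multipart():
        chunks = [p.get_payload(decode=True) or b"" for p in msg.walk()
                  if p.get_content_type() == "text/plain"]
        return "\n".join(c.decode("utf-8", "replace") for c in chunks)
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def triage(raw):
    """Return the individual signals plus a score and verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    text = subject + "\n" + body_text(msg)

    sender_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    claims_brand = BRAND_NAME in (display + subject).lower()
    sender_mismatch = claims_brand and not in_brand(sender_host)

    # Deadline plus threatened action is the pressure tactic in the lure.
    urgency = bool(DEADLINE_RE.search(text)) and bool(THREAT_RE.search(text))
    lure = bool(LURE_RE.search(text))

    offbrand_links = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if not in_brand(host):
            offbrand_links.append(host)

    score = sum([sender_mismatch, urgency, lure, bool(offbrand_links)])
    return {
        "sender_mismatch": sender_mismatch,
        "urgency": urgency,
        "lure": lure,
        "offbrand_links": offbrand_links,
        "score": score,
        "suspicious": score >= 2,
    }


# Constructed sample modelled on the copyright-notice lure (not a real email).
PHISH_SAMPLE = """From: "TikTok Copyright Team" <notices@tiktok-support-center.example>
To: creator@example.com
Subject: Copyright violation notice - action required

Your account has been flagged for a copyright violation.
Respond within 48 hours or your account will be deleted.
Review the claim here: https://tiktok-support-center.example/appeal?id=123
"""

# Constructed benign notification for comparison.
BENIGN_SAMPLE = """From: "TikTok" <noreply@tiktok.com>
To: creator@example.com
Subject: Your video is trending

Your video reached 1,000 views. See it here: https://www.tiktok.com/@creator/video/1
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage(raw))
```

The score is deliberately coarse: any one signal on its own (a deadline in a genuine billing reminder, a tracking-redirect link in a real notification) is common in legitimate mail, so the verdict requires at least two. The domain check is the one worth hardening first, since display-name spoofing costs the attacker nothing while registering a look-alike domain leaves a trail.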
Abnormal notes that attackers who take over an account sometimes demand a ransom to return it to its owner.
“While we were unable to identify the end goal of the campaign, past targeting of social media accounts on other platforms offers several options,” the researchers write. “Social media accounts have become increasingly valuable in recent years, creating the incentive to ransom them back to the original owners for a hefty fee. An underground economy has evolved to offer ban-as-a-service, manipulating abuse reporting mechanisms to harass and censor other users, primarily on Instagram. Sadly, victim accounts in this scenario often end up deleted, especially for those on TikTok.”
New-school security awareness training can enable your employees to recognize social engineering tactics so they can avoid falling for these attacks.
Don’t get hacked by social media phishing attacks!
Many of your users are active on Facebook, LinkedIn, and Twitter. Cybercriminals use these platforms to scrape profile information about your users and organization and build targeted spear phishing campaigns that aim to hijack accounts, damage your organization's reputation, or gain access to your network.
KnowBe4’s Social Media Phishing Test is a complimentary IT security tool that helps you identify which users in your organization are vulnerable to these types of phishing attacks that could put your users and organization at risk.
Here’s how the Social Media Phishing Test works:
- Immediately start your test with your choice of three social media phishing templates
- Choose the corresponding landing page your users see after they click
- Show users which red flags they missed or send them to a fake login page
- Get a PDF emailed to you in 24 hours with your percentage of clicks and data entered
PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/social-media-phishing-test-partner?partnerid=001a000001lWEoJAAW