Facebook Phishing Campaign Leverages Google AppSheet, Netlify, Telegram
Key Takeaways A sophisticated phishing campaign, dubbed “AccountDumpling,” has compromised approximately 30,000 Facebook accounts globally. The attackers exploit legitimate services such...
Key Takeaways
- A sophisticated phishing campaign, dubbed “AccountDumpling,” has compromised approximately 30,000 Facebook accounts globally.
- The attackers exploit legitimate services such as Google AppSheet, Netlify, and Telegram to bypass traditional email security measures and exfiltrate data.
- The campaign, linked to a Vietnamese threat actor, utilizes multiple phishing clusters with varied social engineering tactics, primarily targeting Facebook Business accounts.
- Stolen credentials and identity documents are monetized through illicit sales or by offering “recovery” services back to victims.
A global cybercrime operation, dubbed “AccountDumpling,” has successfully breached an estimated 30,000 Facebook accounts worldwide. This extensive credential theft campaign ingeniously abuses trusted platforms like Google AppSheet, Netlify, and Telegram to circumvent conventional email security defenses. The campaign, initially identified by Guardio Labs, has been linked to a Vietnamese threat actor and focuses on harvesting credentials and identity documents.
Table Of Content
By leveraging legitimate channels to deliver fully authenticated phishing lures, the attackers effectively bypass spam filters and security gateways. The stolen Facebook Business accounts are then either sold on illicit marketplaces or used to facilitate further fraudulent activities, including offering “recovery” services back to the original victims.
The core innovation of this operation lies in its ability to hijack platform trust rather than relying on domain spoofing. Threat actors utilize Google AppSheet, a legitimate no-code application development service, to dispatch malicious notifications. These emails originate directly from Google’s servers, appearing from [email protected], which ensures they pass all standard email authentication protocols such as SPF, DKIM, and DMARC. This tactic makes it extremely difficult for automated security systems and spam filters to flag the messages as malicious, forcing users to identify the deceptive content themselves.
Attack and Evasion Methodologies
The AccountDumpling operation is characterized by its modular structure, employing four distinct phishing clusters, each designed to exploit different psychological vulnerabilities in its targets.
Phishing Cluster Strategies
- Policy Violation: These lures mimic official Facebook Help Center notifications, falsely threatening permanent account disablement. The phishing pages are hosted on Netlify and utilize HTTrack cloning artifacts, unique subdomains to evade blocklists, and serverless functions for data exfiltration.
- Reward Promise: This cluster entices victims with invitations for Blue Badge verification or exclusive advertiser rewards. Pages are hosted on Vercel and feature Unicode obfuscation in preheaders, fake reCAPTCHA barriers, and live credential validation scripts.
- Live Control: Urgent Meta notices are disguised as clean, single-image notifications, often delivered via Google Drive (Canva PDFs). This cluster employs WebSocket-based live phishing panels, allowing for real-time, human-in-the-loop interaction with victims.
- Social Engineering: This involves fake senior job offers from prominent tech companies like Meta and Apple. Communication is often shifted to off-platform channels, leveraging Cyrillic homoglyphs in sender display names and gradually building trust through live conversations.
A critical component of the AccountDumpling operation is its reliance on Telegram bots for command-and-control and data exfiltration. Stolen data, including credentials, two-factor authentication codes, dates of birth, and government-issued identification photos, are immediately routed to private Telegram channels. Operators actively monitor these channels to validate the compromised data and execute account takeovers in real time. Analysis of the recovered bot infrastructure indicates approximately 30,000 victim records have been processed, with 68.6% of targeted individuals and businesses located in the United States.
Attribution and Operational Security Failure
Guardio Labs successfully traced the operation’s origins to a Vietnamese threat actor due to a critical operational security oversight. A Canva-generated PDF, used in the “Live Control” attack cluster, retained its author metadata, revealing the real name “PHẠM TÀI TÂN.” Investigators linked this name to a public business persona in Vietnam that openly advertises Facebook account recovery and security services. This discovery highlights a cyclical criminal economy where threat actors compromise valuable business assets, use them for fraudulent campaigns, and then attempt to sell “recovery” services back to their initial victims.
What You Should Do
- Exercise Extreme Caution with Emails: Even if emails appear to come from a legitimate sender (e.g., Google, Facebook) and pass security checks, always scrutinize the content for suspicious requests, urgent threats, or promises that seem too good to be true.
- Verify Links Independently: Before clicking any link, hover over it to check the URL. Better yet, navigate directly to the official website (e.g., Facebook, Meta) to log in or check notifications, rather than using links in emails.
- Enable Multi-Factor Authentication (MFA): Implement strong MFA on all your online accounts, especially Facebook Business accounts. This adds an essential layer of security, making it harder for attackers to gain access even if they steal your password.
- Educate Your Team: Regularly train employees on phishing awareness, emphasizing the tactics used in campaigns like AccountDumpling, which exploit trusted services.
- Report Suspicious Activity: If you suspect a phishing attempt, report it to the platform provider (e.g., Facebook, Google) and your internal security team.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.