Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Ghostcommit Attack Hides Malicious Prompts in Images to Exploit AI Agents
July 11, 2026
AI-powered Forg365 Phishing Platform Targets Microsoft 365 Accounts
July 11, 2026
Dell BIOS Critical Flaw Exposes Admin Passwords From SPI Flash
July 11, 2026
Home/CyberSecurity News/Facebook Phishing Campaign Leverages Google AppSheet, Netlify, Telegram
CyberSecurity News

Facebook Phishing Campaign Leverages Google AppSheet, Netlify, Telegram

Key Takeaways A sophisticated phishing campaign, dubbed “AccountDumpling,” has compromised approximately 30,000 Facebook accounts globally. The attackers exploit legitimate services such...

Marcus Rodriguez
Marcus Rodriguez
May 2, 2026 4 Min Read
51 0

Key Takeaways

  • A sophisticated phishing campaign, dubbed “AccountDumpling,” has compromised approximately 30,000 Facebook accounts globally.
  • The attackers exploit legitimate services such as Google AppSheet, Netlify, and Telegram to bypass traditional email security measures and exfiltrate data.
  • The campaign, linked to a Vietnamese threat actor, utilizes multiple phishing clusters with varied social engineering tactics, primarily targeting Facebook Business accounts.
  • Stolen credentials and identity documents are monetized through illicit sales or by offering “recovery” services back to victims.

A global cybercrime operation, dubbed “AccountDumpling,” has successfully breached an estimated 30,000 Facebook accounts worldwide. This extensive credential theft campaign ingeniously abuses trusted platforms like Google AppSheet, Netlify, and Telegram to circumvent conventional email security defenses. The campaign, initially identified by Guardio Labs, has been linked to a Vietnamese threat actor and focuses on harvesting credentials and identity documents.

Table Of Content

  • Key Takeaways
  • Attack and Evasion Methodologies
  • Phishing Cluster Strategies
  • Attribution and Operational Security Failure
  • What You Should Do

By leveraging legitimate channels to deliver fully authenticated phishing lures, the attackers effectively bypass spam filters and security gateways. The stolen Facebook Business accounts are then either sold on illicit marketplaces or used to facilitate further fraudulent activities, including offering “recovery” services back to the original victims.

The core innovation of this operation lies in its ability to hijack platform trust rather than relying on domain spoofing. Threat actors utilize Google AppSheet, a legitimate no-code application development service, to dispatch malicious notifications. These emails originate directly from Google’s servers, appearing from [email protected], which ensures they pass all standard email authentication protocols such as SPF, DKIM, and DMARC. This tactic makes it extremely difficult for automated security systems and spam filters to flag the messages as malicious, forcing users to identify the deceptive content themselves.

Attack and Evasion Methodologies

The AccountDumpling operation is characterized by its modular structure, employing four distinct phishing clusters, each designed to exploit different psychological vulnerabilities in its targets.

Phishing Cluster Strategies

  • Policy Violation: These lures mimic official Facebook Help Center notifications, falsely threatening permanent account disablement. The phishing pages are hosted on Netlify and utilize HTTrack cloning artifacts, unique subdomains to evade blocklists, and serverless functions for data exfiltration.
  • Reward Promise: This cluster entices victims with invitations for Blue Badge verification or exclusive advertiser rewards. Pages are hosted on Vercel and feature Unicode obfuscation in preheaders, fake reCAPTCHA barriers, and live credential validation scripts.
  • Live Control: Urgent Meta notices are disguised as clean, single-image notifications, often delivered via Google Drive (Canva PDFs). This cluster employs WebSocket-based live phishing panels, allowing for real-time, human-in-the-loop interaction with victims.
  • Social Engineering: This involves fake senior job offers from prominent tech companies like Meta and Apple. Communication is often shifted to off-platform channels, leveraging Cyrillic homoglyphs in sender display names and gradually building trust through live conversations.

A critical component of the AccountDumpling operation is its reliance on Telegram bots for command-and-control and data exfiltration. Stolen data, including credentials, two-factor authentication codes, dates of birth, and government-issued identification photos, are immediately routed to private Telegram channels. Operators actively monitor these channels to validate the compromised data and execute account takeovers in real time. Analysis of the recovered bot infrastructure indicates approximately 30,000 victim records have been processed, with 68.6% of targeted individuals and businesses located in the United States.

Attribution and Operational Security Failure

Guardio Labs successfully traced the operation’s origins to a Vietnamese threat actor due to a critical operational security oversight. A Canva-generated PDF, used in the “Live Control” attack cluster, retained its author metadata, revealing the real name “PHẠM TÀI TÂN.” Investigators linked this name to a public business persona in Vietnam that openly advertises Facebook account recovery and security services. This discovery highlights a cyclical criminal economy where threat actors compromise valuable business assets, use them for fraudulent campaigns, and then attempt to sell “recovery” services back to their initial victims.

What You Should Do

  • Exercise Extreme Caution with Emails: Even if emails appear to come from a legitimate sender (e.g., Google, Facebook) and pass security checks, always scrutinize the content for suspicious requests, urgent threats, or promises that seem too good to be true.
  • Verify Links Independently: Before clicking any link, hover over it to check the URL. Better yet, navigate directly to the official website (e.g., Facebook, Meta) to log in or check notifications, rather than using links in emails.
  • Enable Multi-Factor Authentication (MFA): Implement strong MFA on all your online accounts, especially Facebook Business accounts. This adds an essential layer of security, making it harder for attackers to gain access even if they steal your password.
  • Educate Your Team: Regularly train employees on phishing awareness, emphasizing the tactics used in campaigns like AccountDumpling, which exploit trusted services.
  • Report Suspicious Activity: If you suspect a phishing attempt, report it to the platform provider (e.g., Facebook, Google) and your internal security team.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackphishingSecurityThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

Critical cPanel Vulnerability Lets Attackers Compromise 44,000 Servers

Next Post

AiTM Phishing Attacks Target Microsoft 365, HubSpot, and Google Workspace

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Top 10 Unified Threat Management Solutions for 2026
July 11, 2026
Critical OpenClaw Vulnerability Lets Attackers Hijack WhatsApp Via One Message
July 11, 2026
Progress Urges ShareFile Server Shutdown Over Critical Vulnerability
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us