30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign
A Vietnamese-linked phishing campaign dubbed AccountDumpling has compromised roughly 30,000 Facebook accounts using Google AppSheet as a relay to bypass spam filters.
Security researchers at Guardio have uncovered a large-scale phishing operation, codenamed AccountDumpling, that has compromised an estimated 30,000 Facebook accounts. The campaign, linked to a Vietnamese threat actor, leverages Google AppSheet as a phishing relay to distribute convincing emails that bypass traditional spam filters. The stolen accounts are then sold through an illicit storefront, creating a criminal-commercial loop that feeds on the same accounts it helps steal.
The attack begins with a phishing email targeting Facebook Business account owners. The emails claim to be from Meta Support and urge recipients to submit an appeal or risk permanent account deletion. Crucially, these emails are sent from a legitimate Google AppSheet address (noreply@appsheet.com), allowing them to evade spam filters and reach victims' inboxes. The false sense of urgency directs users to fake web pages designed to harvest their credentials.
Guardio identified four main clusters within the campaign. The first uses Netlify-hosted Facebook help center pages to enable account takeover attacks, collecting dates of birth, phone numbers, and government-issued ID photos. The second cluster employs Vercel-hosted 'Security Check' or 'Meta | Privacy Center' pages gated by a bogus CAPTCHA check before directing users to phishing landing pages that collect contact details, business information, credentials, and two-factor authentication (2FA) codes. The third cluster uses Google Drive-hosted PDFs masquerading as account verification instructions, which collect passwords, 2FA codes, government ID photos, and browser screenshots. The fourth cluster involves fake job offers impersonating companies like WhatsApp, Meta, Adobe, Pinterest, Apple, and Coca-Cola to build rapport and direct victims to attacker-controlled sites.
Cumulatively, the Telegram channels associated with the first three clusters have been found to hold about 30,000 victim records. Most victims are located in the U.S., Italy, Canada, the Philippines, India, Spain, Australia, the U.K., Brazil, and Mexico, and have been locked out of their own accounts. The stolen data is exfiltrated to attacker-controlled Telegram channels, where it is used to sell the compromised accounts back to victims or other criminals.
The threat actor behind the operation was identified through metadata in PDFs generated using a free Canva account. The metadata listed a Vietnamese name, PHẠM TÀI TÂN, as the files' author. Further open-source intelligence led to the discovery of a website (phamtaitan.vn) where the individual offers digital marketing services. In a post shared on X in February 2023, the website's handle said it 'specializes in providing digital marketing services, marketing resources, and consulting on effective digital marketing strategies.'
Guardio's security researcher Shaked Chen noted that the campaign is 'bigger than a single AppSheet abuse. It's a window into the dark market around stolen Facebook assets, where access, business identity, ad reputation, and even account recovery have all become tradable commodities.' The findings highlight how Vietnamese threat actors continue to embrace various tactics to gain unauthorized access to victims' Facebook accounts, which are then sold on underground ecosystems for monetary gain.
The campaign underscores the growing sophistication of phishing operations that abuse trusted platforms like Google AppSheet, Netlify, Vercel, and Google Drive to evade detection. Organizations and individuals are advised to remain vigilant against unsolicited emails claiming to be from Meta Support and to verify any account-related communications through official channels.