iT4iNT SERVER JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware http://dlvr.it/TSlxzx VDS VPS Cloud
30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign
A newly discovered Vietnamese-linked operation has been observed using Google AppSheet as a "phishing relay" to distribute phishing emails with the aim of compromising Facebook accounts. The activity, codenamed AccountDumpling by Guardio, has resulted in approximately 30,000 Facebook accounts being hacked and sold through an illicit storefront run by the threat actors.
The Attack Vector
The campaign begins with phishing emails targeting Facebook Business account owners. These emails claim to be from Meta Support and urge recipients to submit an appeal or risk permanent account deletion. The critical evasion technique: the emails are sent from a Google AppSheet address ([email protected]), allowing them to bypass spam filters and gain immediate trust from recipients.
This false sense of urgency directs users to fake web pages designed to harvest their credentials. What researchers discovered wasn't a single phishing kit, but a living operation with real-time operator panels, advanced evasion techniques, continuous evolution, and a criminal-commercial loop that quietly feeds on the same accounts it helps steal back.
Four Main Attack Clusters
Guardio identified four distinct clusters in this campaign:
1. Netlify-Hosted Help Center Pages
Fake Facebook help center pages hosted on Netlify enable full account takeover attacks. These pages collect:
- Login credentials
- Dates of birth
- Phone numbers
- Government-issued ID photos
All harvested data is forwarded to an attacker-controlled Telegram channel.
2. Blue Badge Evaluation Lures
Victims are guided to Vercel-hosted "Security Check" or "Meta | Privacy Center" pages gated by a bogus CAPTCHA check. After passing the fake verification, users are directed to phishing landing pages that collect:
- Contact details and business information
- Credentials (after forced retry attempts)
- Two-factor authentication (2FA) codes
Data is exfiltrated to Telegram channels in real-time.
3. Google Drive-Hosted PDFs
PDF documents masquerading as account verification instructions are hosted on Google Drive. These PDFs are generated using free Canva accounts and direct users to pages that collect:
- Passwords and 2FA codes
- Government ID photos
- Browser screenshots (via html2canvas)
4. Fake Job Offers
The operation impersonates major companies including WhatsApp, Meta, Adobe, Pinterest, Apple, and Coca-Cola to build rapport with recipients. Victims are asked to join calls or continue discussions on attacker-controlled sites, where credentials are harvested.
Geographic Distribution
The Telegram channels associated with the first three clusters hold about 30,000 victim records. Affected users are primarily located in:
- United States
- Italy
- Canada
- Philippines
- India
- Spain
- Australia
- United Kingdom
- Brazil
- Mexico
Most victims have been locked out of their own accounts following the compromise.
Attribution: Vietnamese Threat Actors
The smoking gun evidence came from PDFs generated using free Canva accounts. Metadata analysis revealed a Vietnamese name "PHẠM TÀI TÂN" as the files' author. Open-source intelligence led to the discovery of a website (phamtaitanvn) offering digital marketing services.
The website's X (Twitter) handle stated in February 2023 that it "specializes in providing digital marketing services, marketing resources, and consulting on effective digital marketing strategies." This suggests the operation may have evolved from legitimate digital marketing into cybercriminal activity.
Why This Matters
This campaign represents a sophisticated evolution in phishing tactics:
- Trusted Platform Abuse: Using Google AppSheet for email delivery exploits the trust associated with legitimate Google domains, bypassing traditional spam filters
- Multi-Layer Infrastructure: The operation uses Netlify, Vercel, Google Drive, and Canva—making takedown efforts complex and time-consuming
- Real-Time Exfiltration: Data flows directly to Telegram channels, enabling immediate account takeover and resale
- Commercial Criminal Loop: The same actors steal accounts and sell them back, creating a self-sustaining black market
- Scale and Impact: 30,000 compromised business accounts represent significant financial and reputational damage
Protection Measures
For Facebook Business Users:
- Verify sender addresses carefully—even "trusted" domains like appsheet.com can be abused
- Never click urgent account-related links in emails; navigate directly to facebook.com
- Enable hardware-based 2FA (FIDO2 security keys) instead of SMS or app-based codes
- Review active sessions and authorized apps regularly
- Be skeptical of unsolicited job offers, even from well-known brands
For Organizations:
- Implement DMARC, SPF, and DKIM email authentication
- Train employees to recognize phishing lures beyond traditional indicators
- Monitor for suspicious login activity on business accounts
- Use Facebook Business Manager's security features and alerts
- Report suspicious emails to Meta and Google abuse teams
Broader Implications
This campaign is bigger than a single AppSheet abuse. It's a window into the dark market around stolen Facebook assets, where access, business identity, ad reputation, and even account recovery have all become tradable commodities. The pattern keeps surfacing: trusted platforms repurposed as delivery, hosting, and monetization layers.
Vietnamese threat actors have continued to embrace various tactics to gain unauthorized access to Facebook accounts, which are then sold on underground ecosystems for monetary gain. This operation demonstrates how cybercriminal groups are industrializing phishing operations with commercial-grade infrastructure and real-time operational oversight.
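The relay technique described above means the lure mail authenticates correctly for appsheet.com, so a mail gateway has to compare the brand claimed in the display name and subject with the domain that actually sent the message. The sketch below is an added example, not code from Guardio or from the post; the brand allowlist, the `placeholder@` addresses, the `mx.example.com` host and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand names to watch and the domains each legitimately mails from.
META = {"meta.com", "facebook.com", "facebookmail.com"}
BRAND_DOMAINS = {"meta": META, "facebook": META}
URGENCY = re.compile(r"appeal|permanent(ly)? delet|account deletion", re.I)

# Constructed sample: brand-impersonating mail relayed through appsheet.com.
RELAYED = """\
From: "Meta Support" <placeholder@appsheet.com>
Subject: Submit an appeal or your account will be permanently deleted
Authentication-Results: mx.example.com; dkim=pass header.d=appsheet.com; dmarc=pass header.from=appsheet.com

Your Facebook Business account is scheduled for deletion.
"""
# Constructed sample: notification from a domain on the brand allowlist.
GENUINE = """\
From: "Facebook" <placeholder@facebookmail.com>
Subject: Your weekly Page update
Authentication-Results: mx.example.com; dmarc=pass header.from=facebookmail.com

Here is a summary of your Page activity.
"""

def _under(domain, allowed):
    # True if domain is an allowed domain or a subdomain of one.
    return any(domain == a or domain.endswith("." + a) for a in allowed)

def assess(raw):
    """Flag mail whose display name or subject claims a brand it was not sent by."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "")
    claimed = f"{display} {msg.get('Subject', '')}".lower()
    brands = [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", claimed)]
    mismatch = [b for b in brands if not _under(domain, BRAND_DOMAINS[b])]
    return {
        "from_domain": domain,
        # A pass only proves the relay domain sent the mail, not the brand.
        "dmarc_pass": bool(re.search(r"\bdmarc=pass\b", auth, re.I)),
        "brand_mismatch": mismatch,
        "urgent": bool(URGENCY.search(f"{claimed} {msg.get_payload()}")),
        "quarantine": bool(mismatch),  # authentication must not clear this
    }
```

Both samples pass DMARC, yet only the relayed one is quarantined, which is why the check keys on brand-versus-domain mismatch rather than on the authentication result.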
iT4iNT SERVER UNC6692 Impersonates IT Helpdesk via Microsoft Teams to Deploy SNOW Malware http://dlvr.it/TSBdS0 VDS VPS Cloud
Hackers Hijack Apple Alerts to Send Legit Phishing Emails
Threat actors are abusing Apple’s own email system to deliver phishing messages that pass authentication checks, tricking users into calling scam numbers and exposing sensitive data.
Source: BleepingComputer
Read more: CyberSecBrief
BEWARE THE PHISHERS! North Korea targets macOS users in a new heist by posting fake LinkedIn job postings. This explains a lot of the job postings we are seeing on LinkedIn and lack of responses when you apply (unless you look like a good mark). "These attacks begin with social engineering. The crew creates fake recruiter profiles on social media and networking platforms like LinkedIn and then reaches out to finance professionals with phony job opportunities before scheduling a technical interview - that's the delivery mechanism for the malware." https://www.theregister.com/2026/04/16/north_korea_social_engineering_macos/

iT4iNT SERVER $285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation http://dlvr.it/TRtZsQ VDS VPS Cloud
iT4iNT SERVER UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack http://dlvr.it/TRrwFC VDS VPS Cloud
Russia Is Hijacking Your Encrypted Chats — No Hacking Required
Dutch intelligence has blown the lid off a Russian state campaign that's quietly seizing Signal and WhatsApp accounts from government officials and military personnel by weaponising the apps' own legitimate features against their users.
Source: AIVD
Read more: CyberSecBrief