Facebook Accounts Compromised via Google AppSheet Phishing

Overview

Guardio researchers have uncovered a large-scale phishing campaign, codenamed AccountDumpling, that abused Google AppSheet to relay phishing emails targeting Facebook Business account owners. The operation, linked to Vietnamese threat actors, compromised roughly 30,000 Facebook accounts, which were later resold through illicit marketplaces.

Attack Flow

  • Initial Lure: Phishing emails impersonating Meta Support, warning victims of account deletion unless they submitted an appeal.
  • Delivery Method: Emails sent from noreply@appsheet.com, leveraging Google’s trusted infrastructure to bypass spam filters.
  • Credential Harvesting: Victims redirected to fake Meta pages designed to steal login credentials, 2FA codes, and personal data.
  • Commercial Loop: Stolen accounts resold via underground storefronts, fueling a criminal ecosystem around Facebook assets.

Phishing Clusters Identified

  1. Netlify Pages: Fake Facebook help centers collecting DOBs, phone numbers, and ID photos, exfiltrated to Telegram.
  2. Blue Badge Lures: Vercel‑hosted “Security Check” pages gated by bogus CAPTCHAs, harvesting credentials and 2FA codes.
  3. Google Drive PDFs: Canva‑generated documents directing victims to phishing sites that captured passwords, IDs, and browser screenshots.
  4. Fake Job Offers: Impersonating brands like Meta, WhatsApp, Adobe, and Apple to build trust before redirecting victims.

Victim Impact

  • Scale: ~30,000 accounts compromised.
  • Geography: Victims located in the U.S., Italy, Canada, Philippines, India, Spain, Australia, U.K., Brazil, and Mexico.
  • Outcome: Accounts locked, reputations damaged, and business identities commoditized.

Defensive Guidance

  • Verify Sender Domains: Be cautious of emails from unexpected sources, even trusted platforms like Google AppSheet.
  • Enable Strong 2FA: Use hardware keys or app‑based authenticators instead of SMS.
  • Educate Teams: Train staff to recognize Meta‑related phishing lures (account disablement, copyright complaints, badge evaluations).
  • Monitor for Account Recovery Abuse: Criminals often recycle stolen accounts through recovery scams.
  • Report Suspicious Pages: Flag phishing sites hosted on Netlify, Vercel, or Google Drive to providers for takedown.
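As an added example (not Guardio's or Google's code), the following mail-gateway heuristic turns the "Verify Sender Domains" advice into a check: it flags messages that arrive from the trusted relay domain named above yet carry Meta-themed lure wording, or that link to the free hosting used by the phishing clusters. The relay domain, lure phrases and hosting providers are taken from this page; the sample message and its URL are constructed placeholders.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed heuristic (not Guardio's or AppSheet's code): the relay domain, lure
# phrases and hosting providers below are taken from the campaign description.
RELAY_DOMAINS = {"appsheet.com"}
LURE_TERMS = ("meta support", "account will be deleted", "submit an appeal",
              "copyright", "blue badge", "security check")
FREE_HOST_SUFFIXES = (".netlify.app", ".vercel.app")
FREE_HOSTS = {"drive.google.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def sender_domain(from_header: str) -> str:
    """Return the bare domain of the From address, ignoring the display name."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def score_message(raw: str) -> dict:
    """Flag a trusted-relay sender paired with Meta lure text, or free-host links."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    lowered = f"{msg.get('Subject', '')} {text}".lower()
    hits = [t for t in LURE_TERMS if t in lowered]
    hosts = [urlparse(u).netloc.lower() for u in URL_RE.findall(text)]
    bad_hosts = [h for h in hosts
                 if h.endswith(FREE_HOST_SUFFIXES) or h in FREE_HOSTS]
    reasons = []
    domain = sender_domain(msg.get("From", ""))
    if domain in RELAY_DOMAINS and hits:
        reasons.append(f"relay sender {domain} with lure terms {hits}")
    if bad_hosts:
        reasons.append(f"links to free hosting {bad_hosts}")
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample lure modelled on the campaign; the URL is a placeholder.
SAMPLE_LURE = """\
From: Meta Support <noreply@appsheet.com>
Subject: Your Facebook Business account will be deleted
Content-Type: text/plain

Meta Support found a policy violation. Submit an appeal within 24 hours at
https://meta-appeal-center.netlify.app/review or your account will be deleted.
"""
```

A legitimate AppSheet notification from the same relay domain produces no reasons, so the check keys on the lure content rather than on the sender alone.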

Final Thought

AccountDumpling illustrates how trusted platforms can be weaponized as phishing relays, bypassing traditional defenses. For businesses, especially those reliant on Facebook for marketing and engagement, vigilance is critical. The campaign shows that account access, business identity, and ad reputation are now tradable commodities in underground markets — making proactive defense and rapid response essential.
