
Massive Phishing Operation Exploits Google AppSheet, Compromising 30,000 Facebook Accounts

A sophisticated phishing campaign, codenamed AccountDumpling, has successfully compromised approximately 30,000 Facebook accounts globally. This operation, linked to Vietnamese threat actors, leverages Google AppSheet to distribute malicious emails that bypass spam filters, impersonating Meta Support to trick users into revealing their credentials. The stolen accounts are then sold on illicit marketplaces, highlighting a concerning trend of trusted platforms being repurposed for criminal activities.

Key Takeaways

  • A Vietnamese-linked operation, AccountDumpling, has compromised around 30,000 Facebook accounts.

  • Google AppSheet is used as a "phishing relay" to send emails from legitimate Google addresses, bypassing spam filters.

  • The campaign employs various lures, including fake account disablement warnings, copyright complaints, and blue badge verification offers.

  • Stolen data, including credentials and 2FA codes, is exfiltrated to Telegram channels.

  • Evidence points to a Vietnamese individual named PHẠM TÀI TÂN as being behind the operation.

The AccountDumpling Campaign

The AccountDumpling operation targets Facebook Business account owners with emails designed to create a sense of urgency. These messages falsely claim to be from Meta Support, warning users of potential account deletion or other penalties unless they take immediate action. By using a Google AppSheet address, the phishing emails appear legitimate and evade standard spam detection mechanisms.

Deceptive Tactics and Attack Clusters

Researchers have identified several distinct methods employed by the threat actors:

  • Netlify-Hosted Clones: Attackers create fake Facebook Help Center pages hosted on Netlify, designed to steal login credentials, personal information, and even photos of government-issued IDs.

  • Blue Badge Lures: Victims are enticed with fake offers of Facebook's blue badge verification. These pages, often hosted on Vercel, use deceptive tactics like bogus CAPTCHA checks before leading users to phishing landing pages.

  • Google Drive PDFs: Malicious PDFs hosted on Google Drive masquerade as account verification instructions. These documents, generated using Canva, contain links that direct users to phishing sites where passwords, 2FA codes, and other sensitive data are harvested.

  • Fake Job Offers: Some lures involve impersonating well-known companies like WhatsApp, Meta, Adobe, and Apple, offering fake job opportunities to build rapport and steer victims towards attacker-controlled platforms.
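A defender-side triage check for the pattern described above, added here as an example (not code from the researchers or from any mail vendor): it flags mail sent from the AppSheet relay domain whose display name claims Meta or Facebook, and records lure wording and links to the hosting platforms named in the list. The sender address, the list of legitimate brand domains, the keyword patterns and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; tune them to your own mail flow.
RELAY_DOMAINS = {"appsheet.com"}                                  # relay platform named in the article
BRAND_DOMAINS = {"facebookmail.com", "facebook.com", "meta.com"}  # assumed legitimate brand senders
BRAND_RE = re.compile(r"\b(meta|facebook)\b", re.I)
LURE_RE = re.compile(r"disabl|copyright|blue badge|verif", re.I)
HOSTING_RE = re.compile(
    r"https?://([a-z0-9.-]+\.(?:netlify\.app|vercel\.app)|drive\.google\.com)(?![\w.-])", re.I)

# Constructed sample messages (not real campaign mail).
SAMPLE_PHISH = ('From: "Meta Support" <noreply@appsheet.com>\n'
                "Subject: Your Page is scheduled to be disabled\n\n"
                "We received a copyright complaint. Appeal within 24 hours:\n"
                "https://constructed-help-center.netlify.app/appeal\n")
SAMPLE_BENIGN = ('From: "AppSheet" <noreply@appsheet.com>\n'
                 "Subject: Weekly inventory report\n\n"
                 "Your scheduled report is ready.\n")

def body_text(msg):
    """Concatenate all text/* parts, tolerating odd encodings."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_maintype() == "text")

def triage(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    reasons = []
    if domain in RELAY_DOMAINS:
        reasons.append("relay_sender")            # authenticates as the platform, not as Meta
    if BRAND_RE.search(display) and domain not in BRAND_DOMAINS:
        reasons.append("brand_display_mismatch")  # display name claims a brand the domain is not
    if LURE_RE.search(text):
        reasons.append("urgency_lure")
    hosts = sorted({h.lower() for h in HOSTING_RE.findall(text)})
    if hosts:
        reasons.append("free_hosting_link")
    # Flag only the combination: relay mail alone is normal AppSheet traffic.
    flagged = "relay_sender" in reasons and "brand_display_mismatch" in reasons
    return {"flag": flagged, "reasons": reasons, "link_hosts": hosts}
```

Because the relay's mail passes sender authentication for the platform's own domain, the useful signal is the mismatch between the claimed brand and the sending domain, not an SPF or DKIM failure.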

Attribution and Monetization

Evidence, including metadata from files created during the campaign, points towards a Vietnamese individual named PHẠM TÀI TÂN. The operation appears to be a well-oiled machine, with stolen accounts being sold on underground markets. This criminal-commercial loop transforms compromised digital assets into tradable commodities, including account access, business identity, and ad reputation.

The campaign's reach is global, with victims identified in the U.S., Italy, Canada, the Philippines, India, Spain, Australia, the U.K., Brazil, and Mexico. The misuse of trusted platforms like Google AppSheet, Netlify, Vercel, Google Drive, Canva, and Telegram underscores the evolving tactics of cybercriminals.

Sources

  • 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign, The Hacker News.

  • Vietnamese operation uses Google AppSheet for Facebook phishing, targets 30,000 accounts | brief, SC Media.

  • Google AppSheet Exploited in 30,000-User Facebook Phishing Operation, Hackread.

  • How AppSheet Phishing Put 30,000 Facebook Accounts at Risk, Analytics Insight.

  • New Facebook blue tick scam compromises 30,000 accounts, https://www.varindia.com/.
