30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign: Inside the “AccountDumpling” Cybercrime Operation
A sophisticated phishing campaign dubbed “AccountDumpling” has compromised approximately 30,000 Facebook accounts worldwide, leveraging Google AppSheet as a deceptive relay platform. The operation, linked to Vietnamese threat actors, demonstrates an evolution in phishing tactics—combining legitimate cloud services, multi-platform hosting, and real-time data exfiltration to bypass traditional defenses.
How the Attack Works
The attackers exploit trust in well-known platforms by sending emails masquerading as Meta Support notifications. These emails are routed through Google AppSheet, making them appear legitimate and reducing the likelihood of detection by spam filters.
Victims are directed to phishing pages hosted across multiple platforms, including:
- Netlify
- Vercel
- Google Drive
- Canva
This multi-platform approach ensures redundancy and resilience—if one phishing page is taken down, others remain active.
Credential Harvesting at Scale
Once victims land on the phishing page, they are prompted to enter sensitive information under the guise of account verification or policy compliance. The data collected includes:
- Facebook usernames and passwords
- Two-Factor Authentication (2FA) codes
- Government-issued ID photos
- Email addresses and phone numbers
The inclusion of real-time 2FA interception is particularly dangerous, enabling attackers to bypass an otherwise strong security layer.
Telegram-Based Data Exfiltration
Stolen credentials are immediately transmitted to attacker-controlled Telegram channels, where they are categorized, stored, and often sold on underground markets.
Telegram’s encrypted and anonymous infrastructure makes it a preferred platform for cybercriminal operations, enabling rapid monetization of compromised accounts.
Why Google AppSheet Was Used
Google AppSheet, a no-code development platform, is typically used for business automation. However, attackers leveraged it as a phishing relay to:
- Bypass email security filters
- Appear as a trusted Google-originated message
- Automate phishing workflows
This tactic highlights a growing trend where attackers abuse legitimate SaaS tools rather than relying solely on malicious infrastructure.
Impact and Scale
The campaign has impacted users globally, with an estimated:
- 30,000+ Facebook accounts compromised
- Multiple phishing domains active simultaneously
- High success rate due to trusted platform abuse
Many compromised accounts are later used for:
- Running scam advertisements
- Spreading further phishing links
- Financial fraud and impersonation
Key Indicators of Compromise (IoCs)
- Emails claiming urgent Meta policy violations
- Links hosted on legitimate platforms (Netlify, Vercel, etc.)
- Requests for 2FA codes or ID verification
- Redirect chains involving Google AppSheet URLs
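The indicators above can be combined into a simple mail-triage check. The following Python sketch is an added example, not code from the campaign research; the hostnames, regular expressions, threshold and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed hostnames for the services the article names; tune for your mail flow.
HOSTING = ("netlify.app", "vercel.app", "drive.google.com", "canva.com")
RELAY = "appsheet.com"  # assumed AppSheet sender and link domain
LURE = re.compile(r"\b(meta|facebook)\b.{0,80}\b(policy|violation|disabled)", re.I | re.S)
ASKS = re.compile(r"\b(2fa|two-factor|verification code|government-issued id)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def on_domain(host, domain):
    """True for the domain itself or any subdomain, never for look-alike suffixes."""
    return host == domain or host.endswith("." + domain)

def indicators(raw):
    """Return the list of article indicators found in one plain-text RFC 5322 message."""
    msg = message_from_string(raw)
    body = "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() == "text/plain")
    text = msg.get("Subject", "") + "\n" + body
    hosts = {(urlparse(u).hostname or "").lower() for u in URL.findall(body)}
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    found = []
    if LURE.search(text):
        found.append("meta-policy-lure")
    if any(on_domain(h, d) for h in hosts for d in HOSTING):
        found.append("link-on-hosting-platform")
    if ASKS.search(text):
        found.append("asks-for-2fa-or-id")
    if on_domain(sender, RELAY) or any(on_domain(h, RELAY) for h in hosts):
        found.append("appsheet-relay")
    return found

def is_suspicious(raw, threshold=3):
    """Each service is legitimate on its own, so flag only on several indicators."""
    return len(indicators(raw)) >= threshold

# Constructed sample messages (not taken from the campaign).
PHISH = """From: Meta Support <noreply@appsheet.com>
Subject: Urgent: Meta policy violation

Confirm your 2FA code and government-issued ID at https://constructed-sample.netlify.app/verify
"""
BENIGN = """From: Reports <noreply@appsheet.com>
Subject: Weekly inventory report

Open the sheet: https://drive.google.com/constructed-sample
"""
```

The benign sample still matches two indicators, which is why the check requires several together before flagging a message.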
Mitigation and Prevention
To protect against such campaigns, users and organizations should:
- Verify all Meta communications through official channels
- Avoid clicking on links in unsolicited emails
- Enable app-based 2FA instead of SMS
- Use phishing-resistant authentication methods (e.g., security keys)
- Monitor account activity for unusual behavior
The Bigger Picture
The AccountDumpling campaign underscores a significant shift in cybercrime tactics—moving from traditional malicious infrastructure to abuse of trusted ecosystems. By leveraging platforms like Google AppSheet, attackers increase credibility and evade detection, making phishing campaigns more effective than ever.
As cloud services continue to expand, security teams must adapt to this evolving threat landscape, focusing not just on blocking malicious domains but also on monitoring abuse of legitimate platforms.
NeuraCyb's Assessment
The AccountDumpling operation represents a next-generation phishing ecosystem that blends social engineering with cloud platform abuse. Its success lies in exploiting user trust in globally recognized services like Google and Meta.
From a defensive standpoint, this campaign highlights the urgent need for:
- Enhanced detection of SaaS abuse patterns
- Behavior-based phishing identification
- User awareness around “trusted platform” attacks
If left unchecked, such campaigns could scale beyond social media into enterprise SaaS environments, posing significant risks to organizations worldwide.