30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign
A newly discovered Vietnamese-linked operation has been observed using Google AppSheet as a "phishing relay" to distribute phishing emails with the aim of compromising Facebook accounts. The activity, codenamed AccountDumpling by Guardio, has resulted in approximately 30,000 Facebook accounts being hacked and sold through an illicit storefront run by the threat actors.
The Attack Vector
The campaign begins with phishing emails targeting Facebook Business account owners. These emails claim to be from Meta Support and urge recipients to submit an appeal or risk permanent account deletion. The critical evasion technique: the emails are sent from a Google AppSheet address ([email protected]), allowing them to bypass spam filters and gain immediate trust from recipients.
This false sense of urgency directs users to fake web pages designed to harvest their credentials. What researchers discovered wasn't a single phishing kit, but a living operation with real-time operator panels, advanced evasion techniques, continuous evolution, and a criminal-commercial loop that quietly feeds on the same accounts it helps steal back.
Four Main Attack Clusters
Guardio identified four distinct clusters in this campaign:
1. Netlify-Hosted Help Center Pages
Fake Facebook help center pages hosted on Netlify enable full account takeover attacks. These pages collect:
- Login credentials
- Dates of birth
- Phone numbers
- Government-issued ID photos
All harvested data is forwarded to an attacker-controlled Telegram channel.
2. Blue Badge Evaluation Lures
Victims are guided to Vercel-hosted "Security Check" or "Meta | Privacy Center" pages gated by a bogus CAPTCHA check. After passing the fake verification, users are directed to phishing landing pages that collect:
- Contact details and business information
- Credentials (after forced retry attempts)
- Two-factor authentication (2FA) codes
Data is exfiltrated to Telegram channels in real-time.
3. Google Drive-Hosted PDFs
PDF documents masquerading as account verification instructions are hosted on Google Drive. These PDFs are generated using free Canva accounts and direct users to pages that collect:
- Passwords and 2FA codes
- Government ID photos
- Browser screenshots (via html2canvas)
4. Fake Job Offers
The operation impersonates major companies including WhatsApp, Meta, Adobe, Pinterest, Apple, and Coca-Cola to build rapport with recipients. Victims are asked to join calls or continue discussions on attacker-controlled sites, where credentials are harvested.
Geographic Distribution
The Telegram channels associated with the first three clusters hold about 30,000 victim records. Affected users are primarily located in:
- United States
- Italy
- Canada
- Philippines
- India
- Spain
- Australia
- United Kingdom
- Brazil
- Mexico
Most victims have been locked out of their own accounts following the compromise.
Attribution: Vietnamese Threat Actors
The smoking gun evidence came from PDFs generated using free Canva accounts. Metadata analysis revealed a Vietnamese name "PHẠM TÀI TÂN" as the files' author. Open-source intelligence led to the discovery of a website (phamtaitanvn) offering digital marketing services.
The website's X (Twitter) handle stated in February 2023 that it "specializes in providing digital marketing services, marketing resources, and consulting on effective digital marketing strategies." This suggests the operation may have evolved from legitimate digital marketing into cybercriminal activity.
Why This Matters
This campaign represents a sophisticated evolution in phishing tactics:
- Trusted Platform Abuse: Using Google AppSheet for email delivery exploits the trust associated with legitimate Google domains, bypassing traditional spam filters
- Multi-Layer Infrastructure: The operation uses Netlify, Vercel, Google Drive, and Canva, making takedown efforts complex and time-consuming
- Real-Time Exfiltration: Data flows directly to Telegram channels, enabling immediate account takeover and resale
- Commercial Criminal Loop: The same actors steal accounts and sell them back, creating a self-sustaining black market
- Scale and Impact: 30,000 compromised business accounts represent significant financial and reputational damage
Protection Measures
For Facebook Business Users:
- Verify sender addresses carefully; even "trusted" domains like appsheet.com can be abused
- Never click urgent account-related links in emails; navigate directly to facebook.com
- Enable hardware-based 2FA (FIDO2 security keys) instead of SMS or app-based codes
- Review active sessions and authorized apps regularly
- Be skeptical of unsolicited job offers, even from well-known brands
For Organizations:
- Implement DMARC, SPF, and DKIM email authentication
- Train employees to recognize phishing lures beyond traditional indicators
- Monitor for suspicious login activity on business accounts
- Use Facebook Business Manager's security features and alerts
- Report suspicious emails to Meta and Google abuse teams
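Added example, not code from Guardio or from the report: a small Python triage rule that scores a raw email on the campaign traits described in the Attack Vector section and the cluster list above (AppSheet relay sender, a Meta or Facebook display name that does not match the sending domain, appeal/deletion urgency wording, and links to Netlify, Vercel or Google Drive hosting). Since the mail genuinely originates from Google, SPF/DKIM/DMARC pass and cannot flag it on their own, which is why the rule looks at sender/brand mismatch and content. The sender's local part, the list of genuine Meta sending domains, and both sample messages are assumptions constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Campaign traits from the report: AppSheet relay, Netlify/Vercel/Drive lures, "Meta Support" appeal theme.
RELAY_DOMAINS = ("appsheet.com",)
LURE_HOSTS = ("netlify.app", "vercel.app", "drive.google.com")
BRAND_DOMAINS = ("facebook.com", "facebookmail.com", "meta.com")  # assumption: genuine Meta senders
BRAND_RE = re.compile(r"\b(meta|facebook)\b", re.I)
URGENCY_RE = re.compile(r"\b(appeal|permanent(?:ly)? delet\w*|account (?:will be )?(?:disabled|removed))\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def _in_domain(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def analyze(raw_message: str) -> dict:
    """Score one raw message. SPF/DKIM pass for a genuine AppSheet relay, so the
    signal must come from sender/brand mismatch plus lure content."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    reasons = []
    if BRAND_RE.search(display) and not _in_domain(sender_domain, BRAND_DOMAINS):
        reasons.append(f"display name {display!r} claims a brand but sender is {sender_domain}")
    if _in_domain(sender_domain, RELAY_DOMAINS):
        reasons.append(f"delivered via relay domain {sender_domain}")
    if URGENCY_RE.search(body):
        reasons.append("account-appeal or deletion urgency language")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if _in_domain(host, LURE_HOSTS):
            reasons.append(f"link to free hosting at {host}")
    return {"suspicious": len(reasons) >= 3, "score": len(reasons), "reasons": reasons}

# Constructed sample modelled on the lure; the sender's local part is made up.
LURE_EML = """\
From: Meta Support <relay@appsheet.com>
Subject: Action required: submit your appeal

Your page violates our policies. Submit an appeal within 24 hours
or your account will be permanently deleted:
https://meta-privacy-center.netlify.app/appeal
"""
# Constructed benign AppSheet notification: same relay, no brand claim, no lure.
BENIGN_EML = "From: Inventory App <relay@appsheet.com>\nSubject: Weekly stock report\n\nYour weekly report is ready in the app.\n"
```

Legitimate AppSheet app notifications only collect the single "relay" point, so the threshold of three keeps the rule from flagging them.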
Broader Implications
This campaign is bigger than a single AppSheet abuse. It's a window into the dark market around stolen Facebook assets, where access, business identity, ad reputation, and even account recovery have all become tradable commodities. The pattern keeps surfacing: trusted platforms repurposed as delivery, hosting, and monetization layers.
Vietnamese threat actors have continued to embrace various tactics to gain unauthorized access to Facebook accounts, which are then sold on underground ecosystems for monetary gain. This operation demonstrates how cybercriminal groups are industrializing phishing operations with commercial-grade infrastructure and real-time operational oversight.