30,000 Facebook Accounts Compromised in Phishing Campaign

A recent phishing campaign that uses Google AppSheet to distribute malicious emails has compromised approximately 30,000 Facebook accounts.

A newly identified phishing campaign has resulted in the compromise of around 30,000 Facebook accounts, primarily targeting Business account owners. This operation, linked to Vietnamese threat actors and codenamed AccountDumpling by Guardio, employs Google AppSheet as a platform to send phishing emails.

Phishing Methodology

The phishing emails are disguised as communications from Meta Support, urging recipients to submit appeals to avoid permanent account deletion. These messages originate from a Google AppSheet address, specifically noreply@appsheet.com, which helps them evade spam filters. The deletion threat creates a false sense of urgency and directs users to a fraudulent webpage designed to capture their login credentials.

Campaign Evolution

Security researcher Shaked Chen noted that the operation is not static; it features real-time operator panels and advanced evasion techniques. The campaign has evolved to include various lures aimed at inducing panic among users regarding their accounts. These include claims of account disablement, copyright complaints, and verification reviews.

Data Collection Techniques

Guardio identified four main clusters of phishing tactics used in this campaign:

1. **Netlify-hosted pages** that facilitate account takeovers while collecting sensitive information such as dates of birth and government-issued ID photos, which are sent to an attacker-controlled Telegram channel.

2. **Blue badge evaluation lures** that lead victims to fake security checks, ultimately directing them to phishing sites to collect various personal and account-related information.

3. **Google Drive-hosted PDFs** that masquerade as account verification instructions, designed to extract passwords and two-factor authentication codes.

4. **Fake job offers** impersonating well-known companies to build rapport with potential victims.
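A defender-side triage heuristic for the lures described above, as an added example that is not from Guardio or the original article: it scores mail sent from noreply@appsheet.com that claims to be Meta, uses the appeal or deletion wording, or links to Netlify or Google Drive hosting. The regexes, thresholds, verdict names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators assumed from the article's description; not Guardio's published IoCs.
RELAY_SENDER = "noreply@appsheet.com"
BRAND_RE = re.compile(r"\b(meta|facebook)\b", re.I)
URGENCY_RE = re.compile(r"\b(appeal|permanent(ly)? delet\w*|disabled?|copyright)\b", re.I)
HOSTING = ("netlify.app", "drive.google.com")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def score_message(raw: str) -> dict:
    """Score one RFC 5322 message; return the fired signals and a verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "\n".join(p.get_payload() for p in parts if p.get_content_type() == "text/plain")
    subject = msg.get("Subject", "")
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    signals = {
        # Sent through AppSheet's notification address, so the sending domain looks trusted.
        "appsheet_relay": addr.lower() == RELAY_SENDER,
        # Claims to be Meta/Facebook although the sending domain belongs to neither.
        "claims_meta": bool(BRAND_RE.search(f"{display} {subject}")),
        "urgency_lure": bool(URGENCY_RE.search(f"{subject}\n{body}")),
        "hosted_link": any(h == s or h.endswith("." + s) for h in hosts for s in HOSTING),
    }
    hits = sum(signals.values())
    if signals["appsheet_relay"] and signals["claims_meta"] and hits >= 3:
        verdict = "quarantine"
    elif signals["appsheet_relay"] and hits >= 2:
        verdict = "review"
    else:
        verdict = "pass"
    return {"signals": signals, "verdict": verdict}

# Constructed sample messages (the hostname is a placeholder, not a real indicator).
LURE = ('From: "Meta Support" <noreply@appsheet.com>\n'
        "Subject: Submit an appeal today\n\n"
        "Your page will be permanently deleted. "
        "Appeal here: https://placeholder-site.netlify.app/form\n")
BENIGN = ('From: "AppSheet" <noreply@appsheet.com>\n'
          "Subject: Inventory app: new row added\n\n"
          "A row was added to Orders.\n")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, score_message(raw))
```

Because ordinary AppSheet notifications share the same sender address, the address alone only counts as one signal; a verdict above "pass" requires it to coincide with at least one other.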

Impact and Attribution

The Telegram channels associated with these phishing clusters reportedly contain records of about 30,000 victims, primarily from the U.S., Italy, Canada, and several other countries. Evidence linking the operation to Vietnamese actors includes metadata from the fraudulent PDFs, which identified a Vietnamese name, PHẠM TÀI TÂN, as the author. Additionally, an associated website offers digital marketing services, further corroborating the operation’s origins.

Chen emphasized that this campaign reflects a broader trend of utilizing trusted platforms for malicious purposes, indicating a significant underground market for stolen Facebook accounts.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
