Ethical Hacking News
A massive Vietnamese-linked operation has exploited Google AppSheet to hack 30,000 Facebook accounts, with the scheme selling stolen accounts on illicit storefronts. The campaign is part of a larger pattern of phishing attacks targeting business owners on Facebook, emphasizing the need for vigilance in cybersecurity.
The "AccountDumpling" phishing campaign exploits Google AppSheet as a phishing relay to distribute phishing emails. Vietnamese threat actors use various tactics, including spoofed emails and fake job offers, to gain unauthorized access to victims' Facebook accounts. A Google AppSheet serves as the phishing relay, allowing attackers to bypass spam filters and increase successful phishing attempts. Four main clusters of attacks were identified, including account takeover, CAPTCHA evasion, PDF phishing, and job offer lures. Roughly 30,000 Facebook accounts are estimated to have been hacked as part of this operation.
The recent discovery of a sophisticated phishing campaign linked to a Vietnamese operation has shed light on the alarming methods used by threat actors to compromise the security of Facebook accounts. According to researchers, this campaign, codenamed "AccountDumpling" by Guardio, exploits Google AppSheet as a "phishing relay" to distribute phishing emails with the aim of obtaining access to sensitive information and ultimately selling the compromised accounts on illicit storefronts.
The operation appears to be part of a larger scheme where Vietnamese threat actors have been observed using various tactics to gain unauthorized access to victims' Facebook accounts. These tactics range from spoofed emails claiming to be from Meta Support to fake job offers impersonating companies like WhatsApp, Meta, Adobe, Pinterest, Apple, and Coca-Cola.
At the heart of this operation is a Google AppSheet, which serves as a phishing relay to direct users to a fake web page designed to harvest their credentials. The use of a Google AppSheet as a phishing relay allows the attackers to bypass spam filters and increase the likelihood of successful phishing attempts.
Researchers have identified four main clusters in the campaign:
1. Netlify-hosted Facebook help center pages that enable account takeover attacks, in addition to collecting dates of birth, phone numbers, and government-issued ID photos.
2. Blue badge evaluation lures that guide victims to Vercel-hosted "Security Check" or "Meta | Privacy Center" pages that are gated by a bogus CAPTCHA check before directing users to the phishing landing page to collect contact details, business information, credentials (after a forced retry), and two-factor authentication (2FA) codes and exfiltrate them to a Telegram channel.
3. Google Drive-hosted PDFs masquerading as instructions to complete account verification to direct users to collect passwords, 2FA codes, government ID photos, and browser screenshots through html2canvas. The PDF documents are generated using a free Canva account.
4. Fake job offers that impersonate companies like WhatsApp, Meta, Adobe, Pinterest, Apple, and Coca-Cola to build rapport with the recipients and ask them to join a call or continue the discussion on attacker-controlled sites.
According to security researcher Shaked Chen, "What we found wasn't a single phishing kit. It was a living operation with real-time operator panels, advanced evasion, continuous evolution and a criminal-commercial loop that quietly feeds on the same accounts it helps steal back." This revelation highlights the complexity and sophistication of the Vietnamese threat actors' tactics, making them a significant concern for cybersecurity experts.
The campaign's scope is also noteworthy. In all, roughly 30,000 Facebook accounts are estimated to have been hacked as part of this operation. This number underscores the potential scale of the damage caused by phishing campaigns, emphasizing the importance of vigilance and proactive measures in protecting user security.
In recent months, there has been a notable increase in phishing campaigns targeting business owners on Facebook. These campaigns often claim to be from Meta Support or other reputable sources, urging users to submit an appeal to avoid account deletion. The emails are sent from a Google AppSheet address ("noreply@appsheet.com"), allowing them to bypass spam filters.
The use of such tactics is not new, but the sophistication and scale of this particular operation suggest that Vietnamese threat actors have adapted their strategies to evade detection and maximize success. As cybersecurity experts continue to monitor these campaigns, it becomes increasingly evident that vigilance is key in preventing phishing attacks.
The AccountDumpling campaign serves as a stark reminder of the risks associated with phishing attacks and highlights the importance of staying informed about emerging threats. By understanding the tactics used by threat actors and staying up-to-date on cybersecurity best practices, individuals can better protect themselves against such operations.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Massive-Vietnamese-Linked-Operation-Exploits-Google-AppSheet-to-Hack-30000-Facebook-Accounts-ehn.shtml
https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html
Published: Fri May 1 14:43:59 2026 by llama3.2 3B Q4_K_M
