The AccountDumpling Campaign
Security researchers at Guardio have uncovered a sophisticated phishing operation, codenamed AccountDumpling, that has compromised approximately 30,000 Facebook accounts. The campaign, linked to a Vietnamese threat actor, leverages a novel technique: using Google's own AppSheet platform as a phishing relay to distribute malicious emails.
How the Google AppSheet Phishing Relay Works
Unlike traditional phishing attacks that rely on fake login pages, this scheme abuses Google AppSheet—a no-code app builder—to create legitimate-looking forms and notifications. Victims receive emails that appear to come from trusted sources, often prompting them to verify their Facebook accounts or resolve security issues. The emails contain links that open AppSheet-hosted pages, which collect login credentials and two-factor authentication codes.
Because AppSheet is a Google service, the emails bypass many spam filters and carry a higher trust factor. Once the victim enters their information, it is relayed in real-time to the attackers, who then hijack the Facebook account.
The Relay Mechanism
Guardio's analysis shows that the attackers designed AppSheet workflows that act as intermediaries. The form submissions are forwarded to a command-and-control server, while the victim sees a benign confirmation message. This approach makes the phishing activity harder to detect than traditional methods.
The Stolen Account Marketplace
Compromised Facebook accounts are not just used for spam or fraud—they are sold on an illicit storefront run by the same threat actors. The 'AccountDumpling' marketplace offers bulk accounts for prices ranging from a few cents to several dollars, depending on account age, friend count, and activity level. Researchers found evidence of over 30,000 accounts being offered for sale, with some resold multiple times.
Buyers use these accounts for malicious activities including:
- Disseminating fake news and disinformation
- Running ad fraud campaigns
- Launching further social engineering attacks on the victim's contacts
- Boosting engagement metrics for clients
Impact and Recommendations
With 30,000 accounts compromised, the operation represents a significant threat to Facebook users globally. The use of Google AppSheet as a vector is particularly concerning because it exploits trust in Google's brand.
To protect against such attacks, users are advised to:
- Enable two-factor authentication (2FA) using authenticator apps rather than SMS.
- Scrutinize email senders and hover over links before clicking—even if they appear legitimate.
- Use password managers that can detect phishing sites by checking URLs.
- Regularly review active sessions and authorized apps in Facebook's security settings.
Organizations should also train employees to recognize advanced phishing techniques that abuse trusted platforms. Google has been notified by Guardio, and AppSheet's trust and safety team is reportedly investigating the abuse.
Conclusion
The AccountDumpling campaign underscores the evolving nature of phishing attacks. By weaponizing a legitimate Google service, the Vietnamese-linked group managed to steal tens of thousands of accounts before being discovered. Users and platforms alike must remain vigilant against such creative exploitation.