Attackers Abuse Google AppSheet, Netlify, and Telegram in Facebook Phishing Campaign

Cyber Security

A sophisticated cybercriminal operation dubbed “AccountDumpling” has compromised approximately 30,000 Facebook accounts worldwide.

Discovered by Guardio Labs, this Vietnamese-linked campaign abuses Google’s AppSheet platform to bypass traditional email security filters.

By routing fully authenticated phishing lures through legitimate channels, the attackers successfully harvest credentials and identity documents. These stolen Facebook Business accounts are subsequently monetized or resold back to victims through an illicit storefront.

The foundation of this campaign relies on hijacking platform trust rather than spoofing domains. The threat actors use Google AppSheet, a legitimate no-code app-building service, to distribute malicious notifications.

Email phishing (Source: Guard Labs)

Because these emails are sent directly from Google servers using the address noreply@appsheet.com, they easily pass SPF, DKIM, and DMARC authentication checks.

Account Dumpling (Source: Guard Labs)
Account Dumpling (Source: Guard Labs)

Security defenders and spam filters consistently wave these messages through since Google genuinely owns the sending infrastructure. This forces victims to rely entirely on identifying the deceptive content within the message itself.

Attack and Evasion Methodologies

The operation is highly modular, employing four distinct phishing clusters to target victims based on different psychological triggers.

Cluster Type Lure Strategy Hosting Platform Technical Features
Policy Violation Fake Facebook Help Center notices threatening permanent account disablement  Netlify  HTTrack cloning artifacts, unique subdomains to evade blocklists, serverless functions for data exfiltration 
Reward Promise Invitations for Blue Badge verification or exclusive advertiser rewards  Vercel  Unicode obfuscation in preheaders, fake reCAPTCHA barriers, live credential validation scripts 
Live Control Urgent Meta notices disguised as a clean, single-image notification  Google Drive (Canva PDFs)  WebSocket-based live phishing panels enabling real-time, human-in-the-loop interaction 
Social Engineering Fake senior job offers from prominent tech companies like Meta and Apple  Off-platform communication channels  Cyrillic homoglyphs in sender display names, pivoting to live conversations to slowly build trust 

Behind the sophisticated front-end lures, the AccountDumpling operation relies entirely on Telegram bots for its command-and-control exfiltration.

Telegram Phishing Campaign(Source: Guard Labs)
Telegram Phishing Campaign(Source: Guard Labs)

Stolen credentials, two-factor authentication codes, dates of birth, and government-issued ID photos are instantly routed to private Telegram channels.

Operators actively monitor these streams to validate the stolen data and execute account takeovers in real time. Telemetry from the recovered bot infrastructure indicates roughly 30,000 victim records have been processed.

Geographic analysis reveals that 68.6 percent of the targeted individuals and businesses are located in the United States.

Canva Generated Phishing (Source: Guard Labs)
Canva Generated Phishing (Source: Guard Labs)

Guardio Labs successfully traced the core of the operation to a Vietnamese threat actor through a critical operational security failure.

Phishing Campaign (Source: guardLabs)
Phishing Campaign (Source: guardLabs)

A Canva-generated PDF used in the third attack cluster retained its author metadata, exposing the real name “PHẠM TÀI TÂN”. Investigators connected this name to a public business persona in Vietnam that actively advertises Facebook account recovery and security services.

This reveals a circular criminal economy in which attackers steal valuable business assets, use them to run fraudulent campaigns, and then attempt to sell recovery services back to the original victims.