Attackers Abuse Google AppSheet, Netlify, and Telegram in Facebook Phishing Campaign

A sophisticated cybercriminal operation dubbed “AccountDumpling” has compromised approximately 30,000 Facebook accounts worldwide.

Discovered by Guardio Labs, this Vietnamese-linked campaign abuses Google’s AppSheet platform to bypass traditional email security filters.

By routing fully authenticated phishing lures through legitimate channels, the attackers successfully harvest credentials and identity documents. These stolen Facebook Business accounts are subsequently monetized or resold back to victims through an illicit storefront.

The foundation of this campaign relies on hijacking platform trust rather than spoofing domains. The threat actors use Google AppSheet, a legitimate no-code app-building service, to distribute malicious notifications.

Because these emails are sent directly from Google servers using the address noreply@appsheet.com, they easily pass SPF, DKIM, and DMARC authentication checks.

Security defenders and spam filters consistently wave these messages through since Google genuinely owns the sending infrastructure. This forces victims to rely entirely on identifying the deceptive content within the message itself.

Attack and Evasion Methodologies

The operation is highly modular, employing four distinct phishing clusters to target victims based on different psychological triggers.

Cluster Type	Lure Strategy	Hosting Platform	Technical Features
Policy Violation	Fake Facebook Help Center notices threatening permanent account disablement	Netlify	HTTrack cloning artifacts, unique subdomains to evade blocklists, serverless functions for data exfiltration
Reward Promise	Invitations for Blue Badge verification or exclusive advertiser rewards	Vercel	Unicode obfuscation in preheaders, fake reCAPTCHA barriers, live credential validation scripts
Live Control	Urgent Meta notices disguised as a clean, single-image notification	Google Drive (Canva PDFs)	WebSocket-based live phishing panels enabling real-time, human-in-the-loop interaction
Social Engineering	Fake senior job offers from prominent tech companies like Meta and Apple	Off-platform communication channels	Cyrillic homoglyphs in sender display names, pivoting to live conversations to slowly build trust

Behind the sophisticated front-end lures, the AccountDumpling operation relies entirely on Telegram bots for its command-and-control exfiltration.

Stolen credentials, two-factor authentication codes, dates of birth, and government-issued ID photos are instantly routed to private Telegram channels.

Operators actively monitor these streams to validate the stolen data and execute account takeovers in real time. Telemetry from the recovered bot infrastructure indicates roughly 30,000 victim records have been processed.

Geographic analysis reveals that 68.6 percent of the targeted individuals and businesses are located in the United States.

Guardio Labs successfully traced the core of the operation to a Vietnamese threat actor through a critical operational security failure.

A Canva-generated PDF used in the third attack cluster retained its author metadata, exposing the real name “PHẠM TÀI TÂN”. Investigators connected this name to a public business persona in Vietnam that actively advertises Facebook account recovery and security services.

This reveals a circular criminal economy in which attackers steal valuable business assets, use them to run fraudulent campaigns, and then attempt to sell recovery services back to the original victims.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Attackers Abuse Google AppSheet, Netlify, and Telegram in Facebook Phishing Campaign appeared first on Cyber Security News.