
Vietnamese-Linked Phishing Campaign Exploits Google AppSheet to Steal 30,000 Facebook Accounts

Last updated: 2026-05-02 08:21:34 · Cybersecurity

Introduction

Cybercriminals are constantly finding innovative ways to bypass security measures and compromise online accounts. A newly uncovered campaign, tracked under the codename AccountDumpling, has been linked to a Vietnamese threat group that leveraged a legitimate Google service—Google AppSheet—as a phishing relay to target Facebook users. The operation resulted in the theft of approximately 30,000 Facebook accounts, which were then sold through an illicit storefront operated by the attackers.

Source: feeds.feedburner.com

The AccountDumpling Campaign

Security researchers at Guardio first identified this sophisticated phishing operation. The threat actors, believed to be based in Vietnam, used Google AppSheet—a no-code application development platform—as an intermediary to distribute malicious emails. By abusing a trusted Google service, the attackers were able to bypass many traditional email security filters, making their phishing attempts appear more legitimate to unsuspecting victims.

How the Phishing Relay Worked

Google AppSheet allows users to create custom applications that can send emails and collect data through forms. The attackers exploited this functionality by setting up AppSheet apps that sent automated phishing emails to potential victims. These emails typically contained urgent messages about account security issues, prompting recipients to click on a link that led to a fake Facebook login page. Once victims entered their credentials, the information was captured by the attackers.

The use of a legitimate platform like AppSheet made the phishing emails harder to detect because the emails were sent from Google’s infrastructure, and the links pointed to AppSheet-hosted pages. This technique, known as phishing relay, allowed the campaign to fly under the radar of many email security tools.

The Scale of the Attack: 30,000 Accounts Compromised

According to Guardio’s analysis, the campaign successfully compromised roughly 30,000 Facebook accounts. The attackers were methodical in their approach, targeting users primarily in English-speaking regions but also in other parts of the world. The stolen accounts included personal profiles, business pages, and even Facebook Ads accounts, which could be used for fraudulent advertising or further scams.

The scale of the compromise underscores the effectiveness of the phishing relay technique. By leveraging a trusted service, the attackers achieved a higher success rate compared to traditional phishing emails that rely on suspicious domains or attachments.

The Illicit Marketplace for Stolen Accounts

Once the accounts were compromised, the threat actors behind AccountDumpling didn’t stop at data theft. They set up an underground storefront where these accounts were offered for sale. Prices varied depending on the account’s value—accounts with many followers, verified pages, or access to Facebook Ads were sold at a premium. The sale of stolen accounts provides a lucrative revenue stream for cybercriminals, as buyers use them for spam campaigns, identity theft, or social engineering attacks.


The existence of such a marketplace highlights the secondary impact of phishing campaigns: even if victims recover their accounts, their personal data may already be circulating in the criminal underground.

Protecting Your Facebook Account from Similar Threats

While the AccountDumpling campaign was particularly sophisticated, users can take steps to safeguard their Facebook accounts against phishing attacks in general.

Enable Two-Factor Authentication (2FA)

Two-factor authentication adds an extra layer of security. Even if an attacker obtains your password, they won’t be able to log in without the second factor, such as a code sent to your phone or a hardware key.

Be Wary of Urgent Emails

Phishing emails often create a sense of urgency, claiming that your account will be locked or that suspicious activity has been detected. Always verify such claims by logging into Facebook directly through the official website or app, rather than clicking on links in emails.

Check the Sender’s Address

Even if an email appears to come from Facebook, examine the sender’s full email address. Official Facebook emails come from domains like @facebookmail.com or @fb.com. Any other domain is likely fake.
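The sender check above can be automated for a mail-triage queue. The following is an added example, not code from Guardio or from the campaign analysis: it compares the brand a message claims with the domain in its From header, using the two official domains named above. The sample messages and every address in them are constructed, and accepting subdomains of the official domains is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Official sender domains named in the article.
OFFICIAL_DOMAINS = ("facebookmail.com", "fb.com")
BRAND = "facebook"


def is_official(domain: str) -> bool:
    """Exact domain or a true subdomain (subdomains allowed: an assumption).
    Look-alikes such as 'notfb.com' or 'fb.com.x.example' must not pass."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify(raw_message: str) -> str:
    """Compare the brand a message claims with the domain that sent it."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2] if "@" in addr else ""
    if domain and is_official(domain):
        return "official-domain"
    # Brand named in the display name or subject, but sent from elsewhere.
    claimed = f"{display} {msg.get('Subject', '')}".lower()
    return "brand-mismatch" if BRAND in claimed else "unrelated"


# Constructed sample messages; every address below is made up.
SAMPLES = {
    "genuine": "From: Facebook <security@facebookmail.com>\n"
               "Subject: New login to your account\n\nbody",
    "relay": 'From: "Facebook Support" <noreply@relay-platform.example>\n'
             "Subject: Urgent: your account will be locked\n\nbody",
    "lookalike": "From: Facebook <notice@facebookmail.com.attacker.example>\n"
                 "Subject: Security notice\n\nbody",
    "other": "From: Shop News <news@shop.example>\n"
             "Subject: Weekly deals\n\nbody",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} -> {classify(raw)}")
```

A brand-mismatch result is a triage signal rather than a verdict, since unrelated senders can mention Facebook legitimately.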

Use Browser Security Extensions

Many modern browsers and security extensions can detect known phishing sites. Consider using a reputable security solution that includes anti-phishing protection.

Report Suspicious Activity

If you suspect your account has been compromised, change your password immediately and report the incident to Facebook through their Help Center. You can also check recent login activity to identify unauthorized access.

Conclusion

The AccountDumpling campaign serves as a reminder that cybercriminals are constantly evolving their tactics. By abusing legitimate platforms like Google AppSheet, they can bypass traditional defenses and trick even cautious users. The theft of 30,000 Facebook accounts and their subsequent sale on an illicit marketplace demonstrates the growing sophistication of phishing operations. Staying vigilant and adopting robust security practices are essential to protecting your online identity.