
30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign

A newly discovered Vietnamese-linked operation has been observed using Google AppSheet as a “phishing relay” to distribute phishing emails with the aim of compromising Facebook accounts.

The activity has been codenamed AccountDumpling by Guardio, with the scheme selling the stolen accounts back through a bootleg storefront run by the threat actors. In all, roughly 30,000 Facebook accounts are estimated to have been hacked as part of the campaign.

“What we discovered wasn’t a single phishing kit,” security researcher Shaked Chen wrote in a report shared with The Hacker News. “It was a living operation with real-time operator panels, advanced evasion, steady evolution and a criminal-commercial loop that quietly feeds on the same accounts it helps steal again.”

The findings are just the latest example of how Vietnamese threat actors continue to embrace various tactics to gain unauthorized access to victims’ Facebook accounts, which are then sold on underground ecosystems for monetary gain.

The starting point of the latest attacks is a phishing email targeting Facebook Business account owners, claiming to be from Meta Support and urging them to submit an appeal, or risk getting their account permanently deleted. The emails are sent from a Google AppSheet address (“noreply@appsheet.com”), allowing them to bypass spam filters.


This false sense of urgency is used to direct users to a fake web page designed to harvest their credentials. It's worth noting that a similar campaign was reported by KnowBe4 in May 2025.

Over the past few weeks, these campaigns have adopted various kinds of lures designed to induce a “Meta-related panic.” These range from account disablement and copyright complaints to verification review, executive recruitment, and Facebook login alerts. The four main clusters identified by Guardio are listed below:

  • Netlify-hosted Facebook help center pages that enable account takeover attacks, in addition to collecting dates of birth, phone numbers, and government-issued ID photos. The data is ultimately forwarded to an attacker-controlled Telegram channel.
  • Blue badge evaluation lures that guide victims to Vercel-hosted “Security Check” or “Meta | Privacy Center” pages that are gated by a bogus CAPTCHA check before directing users to the phishing landing page to collect contact details, business information, credentials (after a forced retry), and two-factor authentication (2FA) codes and exfiltrate them to a Telegram channel.
  • Google Drive-hosted PDFs masquerading as account verification instructions that direct users onward to collect passwords, 2FA codes, government ID photos, and browser screenshots via html2canvas. The PDF documents are generated using a free Canva account.
  • Fake job offers that impersonate companies like WhatsApp, Meta, Adobe, Pinterest, Apple, and Coca-Cola to build rapport with the recipients and ask them to join a call or continue the discussion on attacker-controlled sites.
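
A mail-triage heuristic for the delivery pattern described above, as an added example that is not from Guardio or the original article. It flags mail from the AppSheet address the article quotes only when it also carries Meta/Facebook branding plus a panic lure or a link to one of the named hosting platforms. The keyword list, the hosting domain suffixes and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Sender address quoted in the article; everything below it is an assumption.
RELAY_SENDER = "noreply@appsheet.com"
# Assumed default domains of the hosting platforms the article names.
HOSTING_SUFFIXES = ("netlify.app", "vercel.app", "drive.google.com")
BRAND = re.compile(r"\b(meta|facebook)\b", re.I)
# Assumed keywords approximating the lure themes listed in the article.
LURE = re.compile(r"appeal|permanently deleted|disabled|copyright|"
                  r"verification|blue badge|login alert", re.I)
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def triage(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = "\n".join(
        (p.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for p in msg.walk() if p.get_content_maintype() == "text")
    text = f"{display}\n{msg.get('Subject', '')}\n{body}"
    reasons = []
    if addr.lower() == RELAY_SENDER and BRAND.search(text):
        reasons.append("appsheet-relay-with-meta-branding")
    if LURE.search(text):
        reasons.append("panic-lure")
    hosts = {(urlparse(u).hostname or "").lower() for u in URL.findall(text)}
    hosted = sorted(h for h in hosts
                    if any(h == s or h.endswith("." + s) for s in HOSTING_SUFFIXES))
    if hosted:
        reasons.append("free-hosting-link:" + ",".join(hosted))
    # The relay address also sends legitimate mail, so require a second signal.
    flagged = reasons[:1] == ["appsheet-relay-with-meta-branding"] and len(reasons) > 1
    return flagged, reasons

# Constructed sample messages (not taken from the campaign).
PHISH = """\
From: Meta Support <noreply@appsheet.com>
Subject: Your Facebook Business account will be permanently deleted

Submit an appeal within 24 hours: https://appeal-example.netlify.app/help
"""
BENIGN = """\
From: AppSheet <noreply@appsheet.com>
Subject: Inventory app: new row added

Open the app: https://www.appsheet.com/start/example
"""
```

Because the sender domain is legitimate and passes spam filtering, the useful signal is the mismatch between the AppSheet sender and the Meta branding in the display name, subject or body.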

Cumulatively, the Telegram channels associated with the first three clusters have been found to hold about 30,000 victim records, most of whom are located in the U.S., Italy, Canada, the Philippines, India, Spain, Australia, the U.K., Brazil, and Mexico, and have been locked out of their own accounts.

As for who’s behind the operation, the smoking gun evidence has come from the PDFs generated as part of the third cluster using the free Canva account, with metadata listing a Vietnamese name “PHẠM TÀI TÂN” as the files’ author. Further open-source intelligence has led to the discovery of a website (“phamtaitan[.]vn”), where they offer digital marketing services.

In a post shared on X in February 2023, the website’s handle said it “specializes in providing digital marketing services, marketing resources, and consulting on effective digital marketing strategies.”

“Taken together, they form a consistent picture of a large, Vietnamese-based, mega operation,” Chen said. “This campaign is more than a single AppSheet abuse. It is a window into the dark market around stolen Facebook assets, where access, business identity, ad reputation, and even account recovery have all become tradable commodities. Another entry in the pattern we keep surfacing: trusted platforms repurposed as delivery, hosting, and monetization layers.”
