# 30,000 Facebook Accounts Compromised in Sophisticated Google AppSheet Phishing Campaign


A newly discovered Vietnamese-linked cybercriminal operation has successfully compromised approximately 30,000 Facebook accounts through an ingenious phishing scheme that exploits Google AppSheet as an unwitting relay for credential-harvesting emails. Security researchers at Guardio have designated the campaign "AccountDumpling," highlighting the scale and sophistication of an attack that turns a legitimate Google service into infrastructure for mass account takeover.


The stolen credentials are subsequently monetized through an operator-controlled storefront, where compromised Facebook accounts are packaged and sold to other threat actors—underscoring the growing ecosystem of account-trading marketplaces that fuel downstream fraud, impersonation, and corporate espionage campaigns.


## The Threat: Phishing Relay via AppSheet


The attack leverages Google AppSheet, a low-code platform designed for rapid application development, as an unintended phishing delivery mechanism. Rather than hosting phishing pages directly on attacker-controlled infrastructure, threat actors have configured AppSheet instances to send deceptive emails that appear to originate from or be associated with legitimate Google services.


This approach offers several advantages to attackers:


  • Reputation hijacking: Phishing emails routed through Google infrastructure inherit trust that recipient security systems associate with legitimate Google communications
  • Domain reputation bypass: Emails originating from Google's infrastructure avoid being flagged as originating from known malicious domains
  • Detection evasion: Security teams may whitelist or lower scrutiny for emails bearing Google domain headers
  • Scale and speed: AppSheet's automation capabilities allow bulk deployment of phishing messages across victim lists

    • The phishing emails themselves direct recipients to credential harvesting pages designed to mimic Facebook's legitimate login interface. When victims enter their credentials, the harvested usernames and passwords are captured by the attacker infrastructure and subsequently validated for access.


    ## Background and Context: The Credential-Trading Ecosystem


    This campaign reflects broader trends in organized cybercrime: the industrialization of account takeover and the emergence of specialized marketplaces for trading stolen credentials.


    ### The Evolution of Phishing at Scale


    Phishing campaigns have evolved considerably from mass-email approaches of the past two decades. Modern attacks combine:


  • Reconnaissance: Targeting specific user segments or high-value accounts
  • Infrastructure obfuscation: Using legitimate cloud services to obscure attacker infrastructure
  • Automation: Deploying bulk phishing and account validation through APIs and scripting
  • Monetization networks: Immediate conversion of stolen credentials into cash through established buyer networks

    • The AccountDumpling campaign exemplifies this maturity. Rather than launching a campaign and hoping victims respond, threat actors have built an integrated ecosystem: phishing delivery → credential harvesting → account validation → marketplace listing → monetization.


    ### Vietnamese Threat Actor Profile


    The operation's attribution to Vietnam-linked actors aligns with known threat intelligence regarding organized cybercriminal activity originating from Southeast Asia. Vietnamese threat groups have historically specialized in:


  • Account takeover and reselling: Purchasing and selling compromised social media accounts
  • Infrastructure abuse: Leveraging legitimate cloud services for malicious purposes
  • Operational security: Using distributed infrastructure and anonymization techniques to evade law enforcement

    • This is not the first time such groups have been observed exploiting cloud services for phishing; similar tactics have been documented in campaigns targeting banking credentials and enterprise accounts.


    ## Technical Details: How the Attack Works


    The AccountDumpling campaign operates through a multi-stage attack chain:


    ### Stage 1: Email Delivery via AppSheet

    Attackers configure Google AppSheet to send phishing emails that appear to originate from trusted sources. These emails typically use social engineering tactics—urgency, account verification requests, or suspicious activity alerts—to prompt recipients to click.


    ### Stage 2: Credential Harvesting

    Victims clicking links are directed to convincingly designed phishing pages that mimic Facebook's login interface. The pages harvest:

  • Email addresses or phone numbers
  • Passwords
  • Two-factor authentication (2FA) bypass tokens (if obtained through additional social engineering)

    • ### Stage 3: Account Validation

    Stolen credentials are automatically tested against Facebook's authentication servers to verify validity. Invalid credentials are discarded; valid ones are added to inventory.


    ### Stage 4: Marketplace Listing

    Validated credentials are packaged and listed on the threat actors' storefront, often with metadata such as account age, follower count, or historical activity patterns that increase their value to buyers.


    ### Stage 5: Secondary Monetization

    Buyers—ranging from other cybercriminals to nation-state actors conducting reconnaissance—purchase accounts for downstream use in:

  • Impersonation and fraud: Impersonating legitimate accounts for scams or disinformation
  • Corporate espionage: Compromising employee or executive accounts for intelligence gathering
  • Credential stuffing: Using validated passwords against other platforms where users have reused credentials
  • Payment fraud: Accessing linked payment methods or financial accounts

    • ## Implications: Organizational and Individual Risk


    ### For Individuals

  • Account takeover: Compromised Facebook accounts can be weaponized for social engineering, phishing of contacts, or identity fraud
  • Secondary attacks: Reused passwords enable lateral attacks on email, banking, and corporate accounts
  • Data exposure: Account history, contact lists, and personal information become accessible to threat actors

    • ### For Organizations

  • Employee credential risk: Organizations with social media monitoring or brand management workflows may unknowingly purchase compromised accounts, inadvertently funding cybercriminals
  • Supply chain exposure: Third-party agencies managing social media presence may fall victim to similar phishing campaigns
  • Reputational damage: Compromised employee accounts can be used to distribute malware or false information from trusted internal personas

    • ### For Platforms and Infrastructure Providers

    Google's discovery and remediation of AppSheet abuse highlights the constant challenge platform providers face in preventing weaponization of their services. Attackers continuously probe for new misuse vectors as existing defenses improve.


    ## Recommendations


    ### For Users

    1. Enable Multi-Factor Authentication (MFA) on all accounts, especially email and social media—MFA significantly reduces the risk of account takeover even if passwords are compromised

    2. Verify email senders: Check sender addresses carefully; phishing emails may use subtly spoofed addresses or legitimate infrastructure with misleading content

    3. Avoid clicking unsolicited links: Navigate directly to known legitimate URLs rather than clicking links in emails

    4. Use password managers: Unique, strong passwords for each account prevent credential reuse attacks

    5. Monitor account activity: Regularly review login history and connected applications to detect unauthorized access


    ### For Organizations

    1. Security awareness training: Educate employees on phishing tactics, particularly campaigns leveraging legitimate infrastructure

    2. Email filtering and authentication: Implement DMARC, SPF, and DKIM to reduce email spoofing; use advanced threat detection to identify phishing emails

    3. Credential access monitoring: Implement systems to detect and alert on unusual login patterns or geographic anomalies

    4. Vendor assessment: If using third-party services for social media management, verify their security practices

    5. Incident response planning: Develop playbooks for account compromise including password reset procedures and contact list notifications


    ### For Platform Providers

    1. Abuse monitoring: Continuously monitor cloud services for misuse patterns indicative of phishing or credential harvesting

    2. Rapid remediation: Quickly disable malicious configurations once detected

    3. User notification: Proactively alert users potentially affected by compromised credentials

    4. Law enforcement collaboration: Share threat intelligence with cybercrime task forces to disrupt criminal infrastructure


    ## Conclusion


    The AccountDumpling campaign demonstrates that cybercriminals continue to innovate in their exploitation of legitimate infrastructure for malicious purposes. The compromise of 30,000 Facebook accounts, combined with the operational sophistication evident in automated credential validation and marketplace resale, signals a mature threat ecosystem optimized for scale and profitability.


    Organizations and individuals must remain vigilant, implementing layered security controls that assume credential compromise is inevitable and that unauthorized access attempts will continue to target even well-known platforms. The convergence of cloud service exploitation and organized credential trafficking represents a significant and evolving threat landscape.