- Some hackers took advantage of Google AppSheet to send out phishing emails that helped them bypass spam filters and steal about 30,000 Facebook login details.
- The operation, referred to as “AccountDumpling,” which had ties to Vietnam, sold off hacked business accounts via an illegal online shop and various Telegram channels.
- To get their hands on stuff like passwords, two-factor authentication codes, and even government IDs, these attackers set up fake Meta panic alerts, along with phony CAPTCHA pages and PDFs they created using Canva.
A new phishing campaign just proved that even trusted platforms aren’t safe anymore. Guardio, a security firm, uncovered a massive operation targeting Facebook Business account owners. The hackers used Google’s own AppSheet service as a “phishing relay.”
This smart trick let them send fake emails from a real Google address: [email protected]. Most spam filters simply let those emails through because they came from Google. And it gets worse. The hackers didn’t just steal accounts, they built a whole criminal business around reselling them.
How the Scam Works
The phishing emails looked urgent. They claimed to be from Meta Support. Each message warned victims to submit an appeal or lose their account forever. Some emails talked about copyright complaints. Others mentioned verification reviews or executive job offers. All of them tried to create panic among Meta users.
Security researcher Shaked Chen from Guardio explained what they found. He said the hackers didn’t use just one phishing kit. They ran a whole operation with real-time operator panels and advanced evasion tactics that they continued to sharpen. That’s not all: the operation is a criminal commercial loop that silently exploits the same accounts it helped to steal back.
The attackers built four main traps. First, they created fake Facebook help pages on Netlify. These pages stole birthdays, phone numbers, and photos of government IDs. All that data went straight to a Telegram channel controlled by the hackers.
Second, they used blue badge verification lures. Victims landed on Vercel-hosted pages that looked like Meta privacy centers. A fake CAPTCHA check made everything seem legit. Then the real phishing page asked for contact details, business info, passwords, and even 2FA codes.
Third, the hackers made PDFs hosted on Google Drive using a free Canva account. The PDFs looked like official instructions, telling people to verify things. They got folks to hand over their passwords, those two-factor authentication codes, and even photos of their ID. Also, they secretly captured users’ browser screens using html2canvas.
It didn’t end there. The criminals went ahead to send fake job offers to the victims. Those offers looked real, impersonating big names such as Meta, Adobe, Apple, Pinterest, and Coca-Cola. The emails built trust first. Then they asked victims to join calls or continue chats on sites controlled by hackers.
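The delivery pattern described above can be checked on the receiving side. The following is an added example, not code from Guardio or from the article: it scores a message that names Meta or Facebook while being sent from a non-Meta domain and linking to free hosting. The domain lists, the weights, the placeholder `relay.example` sender, and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed lists for this example; tune them for your own mail flow.
META_DOMAINS = ("facebook.com", "facebookmail.com", "meta.com")
FREE_HOSTING = ("netlify.app", "vercel.app", "drive.google.com")
BRAND = re.compile(r"\b(meta|facebook)\b", re.I)
URGENCY = re.compile(r"\b(appeal|copyright|verification)\b", re.I)

def under(host, domains):  # host equals, or is a subdomain of, a listed domain
    return any(host == d or host.endswith("." + d) for d in domains)

def score_message(raw):
    """Score one RFC 5322 message (text) and return (score, reasons)."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender = addr.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", ""))
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    score, reasons = 0, []
    # A DKIM/SPF pass only vouches for the relay's domain, not the claimed brand.
    if BRAND.search(display + " " + subject) and not under(sender, META_DOMAINS):
        score += 2
        reasons.append(f"claims Meta/Facebook but sent from {sender}")
    urls = re.findall(r"https?://[^\s\"'<>]+", body)
    hosts = {urlparse(u).hostname or "" for u in urls}
    hosted = sorted(h for h in hosts if under(h, FREE_HOSTING))
    if hosted:
        score += 2
        reasons.append("links to free hosting: " + ", ".join(hosted))
    if URGENCY.search(subject + " " + body):
        score += 1
        reasons.append("account-threat wording")
    return score, reasons

# Constructed samples (not real messages); relay.example stands in for the relay.
PHISH = """From: "Meta Support" <noreply@relay.example>
Subject: Submit an appeal or lose your account
Authentication-Results: mx.shop.example; spf=pass; dkim=pass header.d=relay.example

Your page received a copyright complaint. Appeal here:
https://constructed-sample.netlify.app/appeal
"""
BENIGN = """From: "Facebook" <notification@facebookmail.com>
Subject: You have a new page follower

See your page at https://www.facebook.com/
"""
print(score_message(PHISH), score_message(BENIGN))
```

The constructed phishing sample passes SPF and DKIM for the relay's domain and still scores 5, because none of the checks rely on the authentication result.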
The Perpetrators
The Telegram channels from the first three clusters now hold about 30,000 victim records. Most victims live in the US, Canada, Italy, the Philippines, Spain, India, Australia, UK, Brazil, and Mexico. These people lost access to their own accounts completely.
The biggest clue came from those Canva-generated PDFs. The file metadata listed PHẠM TÀI TÂN, a Vietnamese name. Open source detectives then found a website, phamtaitan[.]vn, offering digital marketing services. One particular X post claimed the site provides digital marketing services, resources for marketers, and also marketing consultancy services.
The Implication of the Facebook Account Theft
This campaign shows how creative hackers have become. They turn trusted tools like Google AppSheet, Netlify, Vercel, and Canva into weapons. The stolen Facebook accounts become tradable goods. Access, business identity, ad reputation, and account recovery methods all sell on hidden markets.
Chen noted that the campaign is more than just an AppSheet abuse. It shows how big the dark market for stolen Facebook data is. Vietnamese threat actors keep evolving their tactics. And as long as stolen accounts make money, these attacks won’t stop.
If you own a Facebook Business account, double-check every email. Even messages from real Google addresses can be traps. Enable all security features. And never click links promising to save your account from deletion. That panic feeling is exactly what the hackers count on.
The same vigilance applies to your financial data. As Nigeria Opens Probe into alleged data breach at Remita and Sterling Bank shows, breaches are happening across industries, from social media to banking. Protecting your personal information online isn’t just about avoiding phishing emails; it’s about holding companies accountable when they fail to safeguard what you’ve entrusted to them.