AccountDumpling Campaign Exploits Google AppSheet, Netlify and Telegram to Compromise Facebook Accounts

A large-scale cybercriminal operation tracked as AccountDumpling has compromised nearly 30,000 Facebook accounts worldwide, and it illustrates a shift in phishing tactics: rather than spoofing a brand's sender address, the attackers send their lures through trusted platforms. The campaign, discovered by Guardio Labs, has been attributed to threat actors believed to be operating from Vietnam. By routing mail through Google AppSheet, hosting phishing pages on Netlify and collecting stolen data over Telegram, the attackers get past email security controls that lean on sender authentication and deliver convincing lures to unsuspecting users.

The operation depends on abusing platform trust, above all through Google AppSheet, a no-code application development service that can send automated notification emails on behalf of the apps built with it. Phishing emails sent through this channel originate from legitimate Google infrastructure, specifically noreply@appsheet.com, so they pass SPF, DKIM and DMARC checks. Those checks only confirm that the message really was sent by appsheet.com; they say nothing about what it contains, so filters that weight authentication results heavily treat the messages as legitimate and detection becomes significantly harder. Recipients are left to spot the deception in the content itself, for instance a Facebook-themed notice arriving from an appsheet.com address. Once users click through, they are redirected to phishing pages hosted on platforms such as Netlify and Vercel, where cloned Facebook interfaces and supporting scripts capture login credentials and other sensitive information.
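The practical consequence is that a mail filter cannot stop at "SPF, DKIM and DMARC all pass". The script below is an added example, not Guardio Labs' tooling or anything from the article: it parses a raw message, reads the Authentication-Results header, and still flags a fully authenticated message when a brand-themed notice arrives via a notification platform and links only to free static hosting. Only noreply@appsheet.com comes from the article; the domain lists, the lure keywords and the two sample messages are this example's own assumptions.

```python
"""Added example, not Guardio Labs' tooling: triage an inbound message that passes
SPF/DKIM/DMARC because it was relayed through a legitimate notification platform.
Only noreply@appsheet.com comes from the article; the other domain lists, the
lure keywords and the sample messages are this example's own assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr

# Legitimate automation platforms whose mail authenticates cleanly (not spoofed).
TRUSTED_RELAY_DOMAINS = {"appsheet.com"}
# Free static-hosting platforms named in the article; a brand notice linking
# only to these (and never to the brand) is this example's suspicion rule.
FREE_HOSTING_DOMAINS = {"netlify.app", "vercel.app"}
BRAND_DOMAINS = {"facebook.com", "meta.com", "fb.com"}
LURE_WORDS = ("facebook", "meta", "account", "suspend", "verif")

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
HOST_RE = re.compile(r"https?://([^\s/\"'<>]+)", re.I)


def registered_domain(host):
    """Crude eTLD+1 (last two labels): fine for .com/.app, not a public-suffix lookup."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from the Authentication-Results header(s)."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(header)):
            results[mech.lower()] = verdict.lower()
    return results


def body_text(msg):
    """Concatenate text/plain and text/html parts as decoded text."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Return a verdict plus reasons; a passing authentication result is NOT treated as trust."""
    msg = message_from_string(raw_message)
    auth = auth_results(msg)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    text = body_text(msg)
    link_domains = {registered_domain(h.split(":")[0]) for h in HOST_RE.findall(text)}
    haystack = " ".join([display_name, msg.get("Subject", ""), text]).lower()

    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    reasons = []
    if authenticated and sender_domain in TRUSTED_RELAY_DOMAINS and any(w in haystack for w in LURE_WORDS):
        reasons.append(f"brand-themed notice relayed through {sender_domain}, not a brand domain")
    hosting = link_domains & FREE_HOSTING_DOMAINS
    if hosting and not (link_domains & BRAND_DOMAINS):
        reasons.append(f"links go only to free hosting {sorted(hosting)}")
    return {
        "authenticated": authenticated,
        "sender_domain": sender_domain,
        "link_domains": sorted(link_domains),
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "no finding",
    }


# Constructed samples (not real captures). The first imitates the campaign's
# policy-violation lure; the second is an ordinary AppSheet app notification.
PHISH = """\
From: "Meta Support" <noreply@appsheet.com>
To: victim@example.com
Subject: Policy violation: your account will be suspended
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=appsheet.com; dkim=pass header.i=@appsheet.com; dmarc=pass header.from=appsheet.com
Content-Type: text/plain; charset=utf-8

Your page violated our policies. Appeal within 24 hours:
https://help-center-appeal.netlify.app/case/1234
"""

BENIGN = """\
From: "Inventory App" <noreply@appsheet.com>
To: staff@example.com
Subject: Inventory app: 3 rows updated
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=appsheet.com; dkim=pass header.i=@appsheet.com; dmarc=pass header.from=appsheet.com
Content-Type: text/plain; charset=utf-8

Open the app: https://www.appsheet.com/start/example
"""

if __name__ == "__main__":
    for raw in (PHISH, BENIGN):
        print(triage(raw))
```

Both samples authenticate identically; what separates them is the combination of a brand-themed display name and subject with links that never touch the brand's own domain. The registered-domain helper is deliberately crude, so a production version should use a public-suffix list before trusting any "brand domain" match.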

The campaign is structured into multiple phishing clusters, each designed to pull a different psychological trigger. Some messages mimic policy-violation notices, warning users of imminent account suspension and directing them to fake Facebook help center pages. Others promise rewards such as verification badges or advertising incentives, while another cluster uses simplified image-based notifications designed to prompt immediate action. In certain cases the attackers run a longer-term social engineering play, posing as recruiters from major technology companies such as Meta and Apple and building trust over time before extracting sensitive information. Technical features of these attacks include Unicode obfuscation of the lure text, fake CAPTCHA barriers in front of the phishing page, real-time credential validation in which captured logins are tested while the victim is still on the page, and WebSocket-enabled phishing panels that let human operators interact with victims during the attack, for instance to prompt for a two-factor code.
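The article says the lures use "Unicode obfuscation" without detail, so the check below is an added example rather than anything from the report, and it covers the three forms a practitioner would look for in lure text or page titles: invisible format characters inserted between letters, mixed-script homoglyphs, and compatibility characters that only become the brand name after NFKC normalisation. The brand words and the four sample strings are this example's own assumptions.

```python
"""Added example, not part of the article or Guardio Labs' analysis. Detects three
common forms of Unicode obfuscation in lure text: invisible format characters,
mixed-script homoglyphs, and compatibility forms that fold to a brand name only
after NFKC normalisation. Brand words and samples are assumptions."""
import unicodedata

BRAND_WORDS = ("facebook", "meta")


def is_invisible(ch):
    """Zero-width spaces/joiners, word joiner, BOM, soft hyphen: all category Cf."""
    return unicodedata.category(ch) == "Cf"


def script_of(ch):
    """First word of the Unicode name ('LATIN', 'CYRILLIC', ...); None for non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else None


def deobfuscate(text):
    """Strip invisible characters, fold compatibility forms (e.g. fullwidth), lower-case."""
    visible = "".join(ch for ch in text if not is_invisible(ch))
    return unicodedata.normalize("NFKC", visible).casefold()


def findings(text):
    """Return a list of human-readable findings; empty list means nothing suspicious."""
    issues = []
    hidden = sum(1 for ch in text if is_invisible(ch))
    if hidden:
        issues.append(f"{hidden} invisible format character(s)")
    for word in text.split():
        scripts = {s for s in map(script_of, word) if s}
        if len(scripts) > 1:
            issues.append(f"mixed scripts {sorted(scripts)} in {word!r}")
    folded, raw = deobfuscate(text), text.casefold()
    for brand in BRAND_WORDS:
        if brand in folded and brand not in raw:
            issues.append(f"{brand!r} appears only after normalisation")
    return issues


# Constructed samples, not captured lures.
SAMPLES = {
    "zero-width": "Your F\u200ba\u200bcebook account",  # ZWSP between letters
    "homoglyph": "Your F\u0430cebook account",          # Cyrillic small a
    "fullwidth": "Your \uff26\uff41\uff43\uff45\uff42\uff4f\uff4f\uff4b account",
    "clean": "Your Facebook account",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, findings(text))
```

Each sample trips exactly one detector family: the zero-width string is caught by the invisible-character count and again once the brand word surfaces after stripping, the Cyrillic homoglyph survives NFKC untouched and is caught only by the mixed-script check, and the fullwidth string is a single script but folds to "facebook". Keyword filters that match only on the raw string miss all three.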

At the core of the operation is a command-and-control system built on Telegram: stolen data, including login credentials, two-factor authentication codes, dates of birth and identity documents, is transmitted instantly to private channels. Operators monitor this feed, validate the data and take over accounts in real time. Analysis of the infrastructure indicates that a significant portion of victims, approximately 68.6 percent, are based in the United States. Investigators traced the campaign to a Vietnamese individual after an operational security lapse: a PDF generated with Canva retained identifying metadata. The name PHẠM TÀI TÂN was linked to a public persona offering Facebook account recovery and security services, which suggests a closed-loop ecosystem in which stolen accounts are monetized and resold while the same actor sells recovery services back to affected users.

