A massive phishing operation has compromised the security of more than 30,000 Facebook accounts around the world.
The campaign abused legitimate Google infrastructure to violate privacy.
The campaign, dubbed “AccountDumpling” by Guardio Labs, is associated with Vietnamese threat actors who have turned Google’s no-code AppSheet platform into a “phishing relay” to send fully authenticated malicious emails.
A Vietnamese individual named Pham Tai Tan was found to be connected to the operation after metadata in a PDF generated by Canva revealed his identity.
How the attack works
Unlike traditional phishing that relies on spoofed domains, these emails are sent from the legitimate address “[email protected]”. Because it is a Google-owned domain, the email appears completely legitimate.
Because the email passes SPF, DKIM, and DMARC authentication checks, it bypasses common email security gateways and spam filters.
If the victim opens the malicious email, they will be redirected to fake Facebook Help Center pages hosted on Netlify or Vercel.
These web pages collect login credentials, 2FA codes, dates of birth, images of government IDs, and even browser screenshots.
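The following detection sketch is an added example, not code from Guardio Labs or the original article. It shows why a clean SPF/DKIM/DMARC result cannot be the only signal: the message is scored on Facebook-themed content paired with links to the hosting platforms named above. The hostname suffixes, keyword list, sample message and function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: default hostname suffixes of the two hosting platforms the article names.
HOSTING_SUFFIXES = (".netlify.app", ".vercel.app")
# Assumption: lure keywords taken from the article's description of the emails.
BRAND_WORDS = re.compile(r"\b(facebook|meta verified|blue badge)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message; every address and hostname is a placeholder.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=sender.example; dkim=pass header.d=sender.example; dmarc=pass header.from=sender.example
From: Support <relay@sender.example>
Subject: Your free blue badge is ready

Facebook Help Center: confirm your account at https://help-center-demo.netlify.app/verify
"""


def auth_passed(msg):
    """True when SPF, DKIM and DMARC all report pass in Authentication-Results."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(f"{mech}=pass" in results for mech in ("spf", "dkim", "dmarc"))


def suspicious_links(body):
    """Return the hosts of links that sit on the free hosting platforms."""
    hosts = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host.endswith(HOSTING_SUFFIXES):
            hosts.append(host)
    return hosts


def triage(raw):
    """Flag mail that pairs Facebook branding with a free-hosting link,
    regardless of whether sender authentication passed."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    hosts = suspicious_links(body)
    brand = bool(BRAND_WORDS.search(body))
    return {"auth_passed": auth_passed(msg), "brand_lure": brand,
            "hosts": hosts, "flag": brand and bool(hosts)}
```

A flag from this check is a triage signal for analyst review, since legitimate sites are also hosted on these platforms.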
Fake “free blue badge” offer
Among other things, the hackers have included an offer for a “free blue Facebook badge” without requiring a Meta Verified subscription. Victims must go through fake CAPTCHA tests and provide their passwords and 2FA codes.
Other lures include threats to permanently deactivate the victim’s account or demands to respond to a copyright claim.
How to save your Facebook account?
Most of the accounts at risk are in the United States, Italy, Canada, Philippines, India, Spain, Australia, United Kingdom, Brazil, and Mexico.
Users are advised to turn on two-factor authentication, not click on links sent by email, and never provide credentials when following an email link.




