AccountDumpling: Vietnamese Phishing Ring Abuses Google AppSheet and Telegram to Harvest 30,000 Facebook Accounts

dark6 4 May 2026
Facebook account phishing campaign credential theft

A sophisticated Vietnamese-linked phishing operation dubbed “AccountDumpling” has compromised approximately 30,000 Facebook accounts by abusing legitimate cloud platforms — including Google’s AppSheet, Netlify, Vercel, and Telegram — to bypass email security filters and steal credentials at industrial scale. Discovered by researchers at Guardio Labs, the campaign represents a new benchmark for how attackers exploit trusted infrastructure to make phishing lures virtually indistinguishable from genuine communications.

The Core Trick: Weaponising Google’s AppSheet

The foundation of AccountDumpling is the abuse of Google AppSheet, a legitimate no-code application development platform. Threat actors use AppSheet to send phishing notification emails that appear to originate from Google’s own servers via the address noreply@appsheet.com. Because Google genuinely owns and operates the sending infrastructure, these messages pass all standard email authentication checks — SPF, DKIM, and DMARC — without triggering any security warnings.

This forces victims to rely entirely on their own judgement about the content of the email itself, rather than any automated security control. For many users, receiving an official-looking notification apparently from Google is reason enough to engage.

Four Phishing Clusters, One Goal

The operation is highly modular, employing four distinct phishing clusters, each targeting victims through different psychological triggers:

  • Policy Violation: Fake Facebook Help Center notices threatening permanent account disablement, hosted on Netlify with unique subdomains and serverless functions for credential exfiltration. Sites are cloned using HTTrack to appear nearly identical to genuine Facebook pages.
  • Reward Promise: Invitations for Blue Badge verification or exclusive advertiser rewards, hosted on Vercel with Unicode obfuscation in email preheaders, fake reCAPTCHA barriers, and live credential validation scripts that confirm stolen passwords are valid in real time.
  • Live Control: Urgent Meta security notices delivered as clean, single-image notifications, using WebSocket-based live phishing panels that enable real-time, human-in-the-loop interaction so operators can manually complete account takeovers.
  • Social Engineering: Fake senior job offers from prominent tech companies including Meta and Apple, delivered through off-platform communication channels with Cyrillic homoglyphs in sender display names to defeat simple text matching.

Telegram as Command-and-Control

Despite the sophistication of its front-end lures, AccountDumpling uses a straightforward exfiltration backend: Telegram bots. Stolen credentials, two-factor authentication codes, dates of birth, and government-issued ID photographs are instantly routed to private Telegram channels where operators monitor the incoming stream in real time. This allows threat actors to validate stolen data and execute account takeovers immediately — before victims are even aware their credentials have been compromised.

Telemetry from the recovered bot infrastructure confirms approximately 30,000 victim records have been processed through this pipeline, representing a geographically diverse pool of compromised Facebook Business accounts.

Monetisation: Selling Access Back to Victims

The stolen Facebook Business accounts are monetised through an illicit storefront that, in a particularly cynical twist, also resells compromised accounts back to their original owners. This “recovery” service charges victims to regain access to accounts that were stolen in the first place — a model that has become increasingly common in the Vietnamese-speaking cybercriminal ecosystem, which has a long history of Facebook-focused fraud and account trading operations.

Why Conventional Defences Fall Short

AccountDumpling is a textbook example of a living-off-trusted-infrastructure attack. By routing phishing content through platforms that organisations and security tools implicitly trust — Google, Netlify, Vercel — the campaign renders domain-reputation and sender-authentication controls largely ineffective. Traditional secure email gateways have no reliable signal to act on when the sending infrastructure is entirely legitimate.

Defenders must adopt a content-centric approach rather than relying solely on sender reputation. Key mitigations include:

  • Training employees to be sceptical of urgent account-suspension or verification requests, even when they appear to come from Google or Meta
  • Enrolling Facebook Business accounts in Meta’s advanced security programmes, including hardware security key authentication
  • Monitoring for unexpected social media account activity through business management dashboards
  • Deploying browser-based phishing protection that analyses page content rather than just domain reputation
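As an added illustration of the content-centric triage the mitigations call for (this is not Guardio's tooling or anything from the article), the script below scores a raw email on what it says rather than on who relayed it: brand wording arriving via an authenticated no-code relay such as appsheet.com, mixed Unicode scripts in the sender display name (the Cyrillic-homoglyph trick from the Social Engineering cluster), account-suspension urgency, and links to free hosting like Netlify or Vercel. The keyword lists, the sample messages and the netlify URL are constructed assumptions for the demo.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

TRUSTED_RELAYS = {"appsheet.com"}  # authenticated (SPF/DKIM/DMARC) but abusable
BRAND_WORDS = ("facebook", "meta", "help center", "blue badge", "verification")
URGENCY_WORDS = ("permanently disabled", "suspend", "immediately", "24 hours")
FREE_HOSTING = re.compile(r"https?://([\w.-]+\.(?:netlify\.app|vercel\.app))\b")

def scripts_in(text):
    """Unicode scripts used by the letters of text, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in text if c.isalpha()}

def analyze(raw_email):
    """Score one RFC 822 message on its content, not sender reputation: (score, reasons)."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    reasons = []
    # Brand talk inside mail that is genuinely authenticated for a no-code relay.
    if sender_domain in TRUSTED_RELAYS and any(w in text for w in BRAND_WORDS):
        reasons.append(f"brand keywords in mail relayed via {sender_domain}")
    # More than one script in the display name catches Cyrillic homoglyphs in "Meta".
    if len(scripts_in(display_name)) > 1:
        reasons.append(f"mixed-script display name: {display_name!r}")
    if any(w in text for w in URGENCY_WORDS):
        reasons.append("account-suspension urgency wording")
    hosts = sorted(set(FREE_HOSTING.findall(text)))  # cloned pages on free hosting
    if hosts:
        reasons.append("links to free hosting: " + ", ".join(hosts))
    return len(reasons), reasons

# Constructed "Policy Violation"-style sample: the 'e' in Meta is Cyrillic U+0435, URL is a placeholder.
PHISH = """\
From: "M\u0435ta Support" <noreply@appsheet.com>
Subject: Your Facebook page will be permanently disabled

Your Help Center appeal must be reviewed immediately:
https://appeal-case-000.netlify.app/review
"""

# Constructed benign AppSheet notification for comparison.
BENIGN = """\
From: "AppSheet" <noreply@appsheet.com>
Subject: Inventory app: 3 rows were updated

Your app "Inventory" recorded 3 new rows today.
"""
```

Running `analyze(PHISH)` returns a score of 4 with all four reasons, while the benign notification from the same relay scores 0, which is the signal a sender-reputation filter alone cannot produce.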

The AccountDumpling campaign is a stark demonstration that the era of easily detectable phishing emails is giving way to a new generation of attacks that are technically indistinguishable from genuine communications — making user awareness and layered, content-aware defences more important than ever.
