Cybersecurity researchers at Guardio Labs have uncovered a large phishing operation dubbed AccountDumpling that has compromised more than 30,000 Facebook accounts worldwide.
Unlike typical phishing campaigns that rely on spoofed domains or compromised SMTP servers, this Vietnamese-linked operation abuses Google AppSheet to send fully authenticated malicious emails.
Because the messages originate from legitimate Google infrastructure, specifically the automated workflow notification system, they fully pass SPF, DKIM, and DMARC authentication checks.

This inherent trust inversion allows the emails to bypass conventional secure email gateways and spam filters, delivering deceptive Facebook policy-violation warnings directly to high-value business account owners without triggering security alerts.
Multi-Layered Phishing Clusters and Live Interaction
The threat actors developed a sophisticated, multi-cluster attack infrastructure to maximize their success rate against various targets.
The initial cluster directed victims to Netlify-hosted static pages that flawlessly cloned the Facebook Help Center.
These unique per-victim subdomains evaded standard URL blocklists while harvesting not just credentials, but full identity packages including dates of birth and government-issued identification photos.

A secondary attack cluster shifted from fear-based lures to reward-based social engineering, offering fake blue badge verifications via Vercel-hosted environments.
These dynamic pages incorporated advanced evasion techniques, including invisible Unicode characters to bypass natural language processing detection, and intercepted multi-factor authentication codes in real time.
The operation's technical sophistication peaked in a third cluster that used Google Drive to host malicious PDFs.
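As an added example (not code from Guardio's report), here is a defender-side triage check in Python covering the two tricks described above: it reads the Authentication-Results header to confirm that SPF, DKIM and DMARC all pass, then still flags the message when a Facebook or Meta display name rides on a third-party workflow sender domain, or when the body contains invisible Unicode format characters of the kind used to confuse text classifiers. The sample message, the brand list and the sender-domain list are constructed assumptions.

```python
import email
import re
import unicodedata
from email import policy

# Assumptions for this example: brands the lure impersonates and the
# workflow-platform domains whose authenticated mail it rode on.
IMPERSONATED_BRANDS = ("facebook", "meta")
WORKFLOW_SENDER_DOMAINS = ("appsheet.com", "google.com")

# Constructed sample: SPF/DKIM/DMARC all pass for the real sender domain, the
# display name claims to be Facebook, and a zero-width space (U+200B) is hidden
# inside the word "disabled" to break keyword and NLP matching.
SAMPLE = (
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=appsheet.com;"
    " dkim=pass header.d=appsheet.com; dmarc=pass header.from=appsheet.com\n"
    'From: "Facebook Policy Team" <noreply@appsheet.com>\n'
    "To: owner@example.org\n"
    "Subject: Your Page violates our Community Standards\n"
    'Content-Type: text/plain; charset="utf-8"\n'
    "Content-Transfer-Encoding: 8bit\n"
    "\n"
    "Your account will be dis\u200babled in 24 hours. Appeal: https://help-center.example.invalid\n"
).encode("utf-8")

def invisible_chars(text):
    """Code points of Unicode format characters (category Cf: zero-width
    joiners/spaces, BOM, soft hyphen) that render as nothing but split words."""
    return [f"U+{ord(c):04X}" for c in text if unicodedata.category(c) == "Cf"]

def auth_passed(auth_results):
    """True when spf, dkim and dmarc all report pass; says nothing about intent."""
    return all(re.search(rf"\b{m}=pass\b", auth_results or "", re.I)
               for m in ("spf", "dkim", "dmarc"))

def triage(raw_bytes):
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    sender = msg["From"].addresses[0]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    visible = f"{sender.display_name} {msg['Subject'] or ''}".lower()
    brand_in_header = any(b in visible for b in IMPERSONATED_BRANDS)
    workflow_sender = sender.domain.lower() in WORKFLOW_SENDER_DOMAINS
    hidden = invisible_chars(body)
    return {
        "auth_pass": auth_passed(str(msg["Authentication-Results"] or "")),
        "brand_in_header": brand_in_header,
        "workflow_sender": workflow_sender,
        "invisible_chars": hidden,
        # Passing authentication is not a clean bill: flag brand impersonation
        # on a third-party workflow sender, or hidden characters in the body.
        "suspicious": (brand_in_header and workflow_sender) or bool(hidden),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```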

Victims who opened these files encountered a convincing Meta notification created in Canva, which contained embedded links that redirected to a Socket.IO-based phishing panel.
This architecture let attackers control live WebSocket traffic, allowing human operators to actively manage the victim's session, request specific two-factor authentication codes, and capture browser screenshots dynamically.
A fourth cluster relied on direct social engineering, impersonating corporate recruiters from major technology brands to progressively build trust and move the conversation to off-platform, attacker-controlled channels.
Telegram Exfiltration and Vietnamese Attribution
To manage the massive influx of stolen data, the operators implemented a centralized command-and-control infrastructure powered by Telegram bots.

Exfiltrated credentials and session tokens were streamed in real time to private Telegram channels monitored by administrators, allowing rapid account takeover before victims could initiate recovery procedures.
Analysis of this exfiltration pipeline revealed the extensive scope of the campaign, identifying roughly 30,000 compromised records heavily concentrated in the United States and Europe.
Guardio Labs' investigation yielded a significant breakthrough in attribution by analyzing the metadata of the Google Drive PDFs.
The document's author field revealed a real Vietnamese name, linking the technical infrastructure to a public-facing entity based in Vietnam.

This attribution was further corroborated by Vietnamese developer comments embedded within the malicious JavaScript and HTML source code.
The AccountDumpling campaign represents a highly industrialized access economy in which compromised social media accounts are harvested and monetized at scale.
Stolen pages are frequently repurposed to launch secondary fraudulent operations, demonstrating how attackers repeatedly exploit trusted business platforms to sustain extensive cybercriminal ecosystems.