Overview of a Sophisticated Campaign
Cybersecurity researchers have uncovered a large-scale phishing operation that has compromised tens of thousands of Facebook accounts. The campaign, tracked under the name AccountDumpling by security firm Guardio, leverages a legitimate Google service—AppSheet—as a relay to distribute deceptive emails. Once victims fall for the trick, their credentials are harvested and sold on a dedicated black-market storefront run by the attackers.
According to Guardio's findings, the operation is linked to threat actors based in Vietnam. The attackers have managed to steal approximately 30,000 Facebook accounts so far, with the stolen profiles being offered for sale to other cybercriminals. The scheme highlights how even trusted platforms can be weaponized against users.
How the Attack Works
Abusing Google AppSheet as a Phishing Relay
The core of the attack is an ingenious abuse of Google AppSheet, a low-code platform that allows users to create mobile and web apps. Normally, AppSheet is used for legitimate business automation—for example, collecting form data or managing inventories. However, in this campaign, the attackers set up malicious AppSheet applications that act as intermediaries. They send phishing emails that appear to come from Facebook or related services, with links pointing to these AppSheet apps. Because the links use Google's domain, they bypass many email security filters that would otherwise flag suspicious URLs.
When a recipient clicks the link, they are taken to a phishing page hosted within the AppSheet app. The page mimics a standard Facebook login screen. Unsuspecting users enter their credentials, which are then captured and sent to the attackers. The entire process is automated: the AppSheet app is configured to forward the stolen data to a server controlled by the threat actors. This technique is what Guardio calls a "phishing relay."
Targeting Facebook Accounts Specifically
The campaign focuses exclusively on Facebook accounts, likely due to the platform's huge user base and the value of compromised profiles. Attackers can use the accounts for spreading spam, launching further phishing attempts, or even conducting identity theft. The stolen credentials include email addresses, passwords, and sometimes additional security information if the victim provides it on the fake login page.
The Illicit Storefront: AccountDumpling
Selling Stolen Accounts
Once the credentials are harvested, the attackers aggregate them and sell access through a clandestine online storefront, also called AccountDumpling. This marketplace offers bulk packages of hacked Facebook accounts, with prices varying based on the account's age, number of friends, and activity level. Buyers can purchase accounts for as little as a few dollars each. The storefront is designed to be easily discoverable on the dark web and even on some public forums, using encrypted communication channels.
Scale of the Operation
Guardio estimates that over 30,000 Facebook accounts have been compromised through this scheme so far. While that number might seem modest compared to some massive data breaches, it represents a targeted and ongoing threat. The attackers constantly update their phishing templates and distribution methods to evade detection. The use of a legitimate service like Google AppSheet makes the malicious emails harder to block, as email security solutions see the links as safe.
Why Google AppSheet Is a Perfect Vehicle for Phishing
Trusted Domain and Ease of Setup
Google AppSheet apps are hosted under appsheet.com or similar Google subdomains. This means the phishing links appear to originate from a well-known, trusted company. Even security-aware users might hesitate to distrust a Google URL. Additionally, setting up an AppSheet app is free and requires no technical expertise—attackers can quickly create and modify phishing pages. The platform also offers automation features that allow the attackers to process credentials in real time, forwarding them to a remote server without manual intervention.
Evasion of Security Filters
Many email protection services use reputation-based filtering. Since Google domains are almost never associated with phishing, the emails sail through. Only advanced behavioral analysis could detect that the AppSheet app is being used maliciously. However, such analysis is not yet widely deployed in consumer-grade email services. This lag in detection gives attackers a window of opportunity.
Protecting Your Facebook Account from Phishing
Be Skeptical of Unexpected Emails
Even if an email appears to come from Facebook or Google, verify it. Look for signs of phishing: generic greetings, urgent language (e.g., "Your account will be suspended"), or requests to click a link and enter your password. Instead of clicking the link, navigate directly to Facebook by typing the URL in your browser or using the official app.
Enable Two-Factor Authentication (2FA)
Adding an extra layer of security can protect your account even if your password is stolen. Use an authentication app or hardware token rather than SMS-based 2FA, which can be intercepted. Facebook offers 2FA under Security settings. This simple step could have saved many of the 30,000 victims in this campaign.
Monitor Account Activity
Regularly check your Facebook account's login history and active sessions. If you see unfamiliar locations or devices, log them out and change your password immediately. Facebook provides this feature in the Security and Login section. Be proactive.
Report Suspicious Emails
If you receive a phishing email, forward it to phish@fb.com (for Facebook-related phishing) or report it to Google. Doing so helps security teams take down malicious apps and warn other users. The faster the AppSheet app is identified, the fewer accounts will be compromised.
Conclusion
The AccountDumpling campaign demonstrates how cybercriminals continually innovate to bypass defenses. By abusing a legitimate service like Google AppSheet, they can reach a wide audience while staying under the radar. For users, vigilance remains the best defense. For platform providers, this incident underscores the need to monitor how their tools are being used—and to quickly shut down abuses. Until then, the threat of another 30,000 accounts being stolen remains real.
Learn more about how the attack works, explore the illicit storefront, or jump to protection tips.