Facebook’s Blue Badge Scam Hacked 30,000 Accounts: How to Protect Yours?

A massive phishing operation has compromised the security of more than 30,000 Facebook accounts worldwide.

The campaign abused Google’s legitimate infrastructure to deliver its phishing emails.

The campaign, dubbed “AccountDumpling” by Guardio Labs, is associated with Vietnamese threat actors who turned Google’s codeless AppSheet platform into a “phishing relay” for sending fully authenticated malicious emails.

A Vietnamese individual named Pham Tai Tan has been linked to the operation after metadata in a Canva-generated PDF revealed his identity.

How the attack works

Unlike traditional phishing, which uses spoofed domains, these emails are sent from the legitimate address “[email protected].” Because the domain is owned by Google, the email looks completely legitimate.

Because the email passes SPF, DKIM, and DMARC authentication checks, it bypasses regular email security gateways and spam filters.

If the victim opens the malicious email, they will be redirected to fake Facebook help center pages hosted on Netlify or Vercel.

These web pages collect login credentials, 2FA codes, dates of birth, images of government IDs, and even browser screenshots.
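A constructed triage rule for the pattern described in this section (an added example, not code from the article or from Guardio Labs): it flags mail that passes SPF, DKIM and DMARC yet comes from a low-code relay domain and links to throwaway hosting with a Facebook lure. The relay domain, the sample message and the brand word list are assumptions.

```python
import re
from email import message_from_string

# Assumed relay sender domain (the article redacts the exact address), the
# hosting platforms it names for the fake help-center pages, and lure words.
RELAY_DOMAINS = {"appsheet.com"}
LURE_HOSTS = ("netlify.app", "vercel.app")
BRAND_WORDS = ("facebook", "meta verified", "blue badge", "copyright")

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Constructed sample message in the style of the campaign (not a real capture).
SAMPLE = """From: "Meta Support" <noreply@appsheet.com>
Subject: Claim your free Facebook blue badge
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=appsheet.com; dkim=pass header.d=appsheet.com; dmarc=pass header.from=appsheet.com
Content-Type: text/plain; charset=utf-8

Your account is eligible. Verify here: https://help-center-meta.netlify.app/verify
"""


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(header):
            verdicts[mech.lower()] = verdict.lower()
    return verdicts


def triage(raw_email):
    """Return the reasons a message matches the relay-phishing pattern (empty list = clean)."""
    msg = message_from_string(raw_email)
    auth = auth_results(msg)
    from_match = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    from_domain = from_match.group(1).lower() if from_match else ""
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
    hosts = {h.lower() for h in URL_HOST_RE.findall(body)}
    text = (msg.get("Subject", "") + " " + body).lower()
    reasons = []
    # Authentication passing is expected here: the relay domain really did send it.
    if all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")) and from_domain in RELAY_DOMAINS:
        reasons.append(f"fully authenticated mail relayed via {from_domain}")
    if any(h.endswith(LURE_HOSTS) for h in hosts):
        reasons.append("link to throwaway hosting: " + ", ".join(sorted(hosts)))
    if any(w in text for w in BRAND_WORDS) and "facebook" not in from_domain:
        reasons.append("Facebook brand lure from a non-Facebook sender")
    return {"from_domain": from_domain, "auth": auth, "reasons": reasons}
```

The point is that a DMARC pass is not a verdict on intent, so the rule pairs it with the sender domain and landing-page hosting instead of treating it as proof of legitimacy.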

Fake “free blue badge” offer

Among other things, the hackers included an offer for a “free Facebook blue badge” without the need for a Meta Verified subscription. Victims are tricked into taking fake CAPTCHA tests and providing their passwords and 2FA codes.

Other lures include threats to permanently disable the victim’s account or demands to respond to a copyright infringement claim.

How to save your Facebook account?

The countries with the most at-risk accounts include the United States, Italy, Canada, the Philippines, India, Spain, Australia, the United Kingdom, Brazil, and Mexico.

Users are advised to enable two-factor authentication, to avoid clicking links sent via email, and never to provide identifying information after following a link from an email.
