A sophisticated phishing operation, codenamed AccountDumpling, is leveraging Google’s AppSheet to distribute malicious emails aimed at compromising Facebook accounts. Security researchers have identified this Vietnamese-linked campaign as a significant threat, with an estimated 30,000 Facebook accounts already compromised and their credentials being sold on underground markets. This elaborate scheme highlights the evolving tactics used by threat actors to exploit legitimate platforms for illicit gain.
The AccountDumpling operation, detailed by security firm Guardio, is not merely a static phishing kit but a dynamic, evolving operation. It features real-time operator panels, advanced evasion techniques, and a clear criminal-commercial loop that facilitates the theft and subsequent resale of compromised Facebook accounts. This discovery underscores a persistent trend of Vietnamese threat actors targeting Facebook accounts for profit.
AccountDumpling Exploits Google AppSheet for Facebook Account Compromise
The initial vector for AccountDumpling attacks involves phishing emails sent to owners of Facebook Business accounts. These emails, ostensibly from Meta Support, create a sense of urgency by threatening permanent account deletion unless users submit an appeal. Crucially, these messages are dispatched from legitimate Google AppSheet addresses, enabling them to bypass standard spam filters and reach intended victims.
Upon clicking the link within these deceptive emails, users are directed to a convincing replica of a Facebook login page, designed to harvest their credentials. This tactic mirrors a similar campaign previously flagged by KnowBe4 in May 2025, indicating a continuous adaptation of phishing strategies.
Diverse Lures Fueling the Phishing Campaign
Over recent weeks, the AccountDumpling operation has employed a variety of lures to generate panic among Meta users. These deceptive tactics are crafted to mimic legitimate communications, including fake alerts about account disablement, copyright infringements, verification reviews, executive recruitment opportunities, and Facebook login notifications. Guardio has identified four primary clusters within this campaign, each employing distinct methods to achieve account compromise.
One significant cluster focuses on Netlify-hosted pages that impersonate Facebook help centers. These sites are designed to facilitate not only account takeover but also the collection of sensitive personal data, including dates of birth, phone numbers, and government-issued ID photos. This stolen information is then exfiltrated to attacker-controlled Telegram channels.
Another cluster utilizes lures related to blue badge evaluations. Victims are redirected to pages hosted on Vercel, posing as “Security Check” or “Meta | Privacy Center” portals. These pages often feature a bogus CAPTCHA verification before leading users to the actual phishing landing page. Here, threat actors collect contact details, business information, credentials (often after a forced retry), and two-factor authentication (2FA) codes, all of which are sent to a Telegram channel.
A third approach involves Google Drive-hosted PDF documents masquerading as instructions for account verification. These PDFs, generated using free Canva accounts, employ the html2canvas tool to capture passwords, 2FA codes, government ID photos, and browser screenshots. The metadata within these PDFs has provided a critical clue, listing a Vietnamese name, “PHẠM TÀI TÂN,” as the author.
Furthermore, the campaign includes fake job offers impersonating well-known companies such as WhatsApp, Meta, Adobe, Pinterest, Apple, and Coca-Cola. These offers are designed to build rapport with recipients, encouraging them to move the conversation to attacker-controlled websites for further discussion.
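The common thread across the delivery vector and the first three clusters is a mismatch a mail gateway can check for: a message that claims to come from Meta or Facebook support but is sent through an unrelated notification service (here AppSheet), uses urgency language about deletion, disablement, copyright or verification, and links to pages on free hosting such as Netlify, Vercel or Google Drive. The following scoring routine is an added defensive example, not code from Guardio or from the write-up; the allow-list of Meta sender domains, the keyword lists and the three sample messages are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains Meta/Facebook notifications are assumed to come from (illustrative allow-list).
META_DOMAINS = {"facebook.com", "facebookmail.com", "meta.com", "fb.com"}
# Brand words the lures in this campaign impersonate.
BRAND_WORDS = re.compile(r"\b(meta|facebook|fb)\b", re.I)
# Urgency themes named in the write-up: deletion, disablement, appeal, copyright, verification.
URGENCY = re.compile(
    r"(permanent(ly)? delet|disabled|appeal|copyright|verification review|blue badge)", re.I
)
# Free hosting seen in the campaign's landing pages (Netlify, Vercel, Google Drive PDFs).
FREE_HOSTING = {"netlify.app", "vercel.app", "drive.google.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_matches(host: str, suffixes: set) -> bool:
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def score_email(msg: dict) -> dict:
    """Score one message (dict with 'from', 'subject', 'body') and return verdict + reasons."""
    reasons, score = [], 0
    display_name, addr = parseaddr(msg["from"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()

    # Core signal: the message claims a Meta/Facebook identity but the envelope sender
    # belongs to a third-party service (e.g. a legitimate AppSheet notification address).
    claims_brand = bool(BRAND_WORDS.search(display_name) or BRAND_WORDS.search(msg["subject"]))
    if claims_brand and not host_matches(sender_domain, META_DOMAINS):
        score += 3
        reasons.append(f"claims Meta/Facebook but sent from {sender_domain}")

    if URGENCY.search(msg["subject"] + " " + msg["body"]):
        score += 1
        reasons.append("urgency/threat language")

    for url in URL_RE.findall(msg["body"]):
        host = urlparse(url).hostname or ""
        if host_matches(host, FREE_HOSTING):
            score += 2
            reasons.append(f"link to free hosting: {host}")
        elif claims_brand and not host_matches(host, META_DOMAINS):
            score += 1
            reasons.append(f"brand claim with off-brand link: {host}")

    verdict = "quarantine" if score >= 4 else "review" if score >= 2 else "allow"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real captures): a lure in the style described,
# a genuine-looking Meta notification, and a benign AppSheet report.
SAMPLES = [
    {
        "from": "Meta Support <noreply@appsheet.com>",
        "subject": "Your account will be permanently deleted",
        "body": "Submit an appeal within 24 hours: https://meta-privacy-center.vercel.app/appeal",
    },
    {
        "from": "Facebook <notification@facebookmail.com>",
        "subject": "New login to your account",
        "body": "Review recent activity at https://www.facebook.com/settings",
    },
    {
        "from": "AppSheet <noreply@appsheet.com>",
        "subject": "Your weekly inventory report",
        "body": "Open the app: https://www.appsheet.com/start/example",
    },
]


def triage_samples() -> list:
    """Verdicts for the constructed samples, in order."""
    return [score_email(m)["verdict"] for m in SAMPLES]


if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", score_email(m))
```

The rule keys on the brand-versus-sender mismatch rather than on the AppSheet domain itself, so ordinary AppSheet notifications (third sample) pass while a "Meta Support" message routed through the same service is quarantined. The thresholds are arbitrary and should be tuned against a real mail stream before enforcement.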
Scale of the Operation and Attacker Identification
Collectively, the Telegram channels associated with the first three clusters of AccountDumpling have been found to contain approximately 30,000 victim records. The majority of these compromised accounts belong to individuals in the United States, Italy, Canada, the Philippines, India, Spain, Australia, the United Kingdom, Brazil, and Mexico. This indicates a widespread impact, with many users locked out of their own accounts.
Evidence pointing to the perpetrators behind this operation is substantial. The use of a free Canva account to generate misleading PDFs in the third cluster, with its author metadata, directly implicates an individual with a Vietnamese name. Further open-source intelligence has uncovered a website, “phamtaitan[.]vn,” which advertises digital marketing services. A post from the website’s handle in February 2023 stated their specialization in “providing digital marketing services, marketing resources, and consulting on effective digital marketing strategies.”
Researchers believe these elements collectively paint a clear picture of a large, Vietnamese-based operation. The AccountDumpling campaign serves as a stark illustration of the dark market surrounding stolen Facebook assets, where access, business identity, advertising reputation, and even account recovery mechanisms have become tradable commodities. This incident reinforces a recurring pattern of trusted platforms being repurposed for malicious delivery, hosting, and monetization purposes.
Looking ahead, the continued evolution of such operations will likely see further exploitation of cloud-based services and sophisticated social engineering tactics. The ongoing efforts by security researchers and cybersecurity firms to track and disrupt these campaigns will be critical in mitigating the financial and personal impact on victims of these phishing attacks. Vigilance from users and enhanced security measures from platforms remain essential defenses against the persistent threat of Facebook account compromise.