Cybersecurity researchers at Guardio Labs have uncovered a massive phishing operation dubbed AccountDumpling that has compromised more than 30,000 Facebook accounts worldwide.
Unlike conventional phishing campaigns that rely on spoofed domains or compromised SMTP servers, this Vietnamese-linked operation abuses Google AppSheet to deliver fully authenticated malicious emails.
Because the messages originate from legitimate Google infrastructure, specifically the automated workflow notification system, they pass SPF, DKIM, and DMARC authentication checks.
This trust inversion lets the emails bypass traditional secure email gateways and spam filters, delivering deceptive Facebook policy-violation warnings directly to high-value business account owners without triggering security alerts.
Multi-Layered Phishing Clusters and Live Interaction
The threat actors developed a sophisticated, multi-cluster attack infrastructure to maximize their success rate against various targets.
The initial cluster directed victims to Netlify-hosted static pages that flawlessly cloned the Facebook Help Center.
These unique per-victim subdomains evaded standard URL blocklists while harvesting not just credentials, but complete identity packages including dates of birth and government-issued identification photos.

A secondary attack cluster shifted from fear-based lures to reward-based social engineering, offering fake blue badge verifications through Vercel-hosted environments.
These dynamic pages incorporated advanced evasion techniques, including invisible Unicode characters to bypass natural language processing detection, and intercepted multi-factor authentication codes in real time.
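As an added defensive check (example code, not from the Guardio report), the following Python scores a message the way the trust inversion described above requires: passing SPF, DKIM and DMARC proves only the relay's domain, so a message that authenticates yet names Facebook or Meta from a non-brand sender domain is flagged, after the invisible Unicode padding used in the Vercel cluster is stripped from the text. The sample message, its sender address and its headers are constructed for this example, and the brand domain list is a hypothetical allow-list.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Brand words a relayed lure carries in its display name, subject or body, and the
# domains a genuine notification from that brand would come from (hypothetical list).
BRAND_TERMS = ("facebook", "meta", "instagram")
BRAND_DOMAINS = ("facebook.com", "meta.com")


def strip_invisible(text: str) -> tuple[str, int]:
    """Drop zero-width and other Unicode 'format' (Cf) code points before matching."""
    kept = [c for c in text if unicodedata.category(c) != "Cf"]
    return "".join(kept), len(text) - len(kept)


def auth_results(msg) -> dict:
    """Return {'spf': 'pass', ...} parsed from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def assess(raw: str) -> dict:
    """Flag mail that passes SPF/DKIM/DMARC yet names a brand its sender domain is not."""
    msg = message_from_string(raw)
    results = auth_results(msg)
    authenticated = all(results.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    visible, removed = strip_invisible(" ".join([display, msg.get("Subject", ""), msg.get_payload()]))
    mentions_brand = any(t in visible.lower() for t in BRAND_TERMS)
    brand_sender = any(sender_domain == d or sender_domain.endswith("." + d) for d in BRAND_DOMAINS)
    return {
        "authenticated": authenticated,
        "sender_domain": sender_domain,
        "invisible_chars_removed": removed,
        # Passing authentication only proves the relay's identity, not the brand's.
        "brand_impersonation": authenticated and mentions_brand and not brand_sender,
    }


# Constructed sample: a workflow-notification style message that authenticates for the
# relay's domain while the display name and subject claim to be from Meta/Facebook.
SAMPLE_LURE = """From: "Meta Business Support" <noreply@appsheet.com>
To: owner@example.com
Subject: Your Fa\u200bcebook Page violates our policies
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=appsheet.com; dkim=pass header.d=appsheet.com; dmarc=pass header.from=appsheet.com
Content-Type: text/plain; charset=utf-8

Your page has been reported. Review the violation within 24 hours.
"""
```

Calling `assess(SAMPLE_LURE)` reports the message as fully authenticated and still marks it as brand impersonation, with one hidden character removed from the subject.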
The operation’s technical sophistication peaked in a third cluster that used Google Drive to host malicious PDFs.

Victims who opened these files encountered a convincing Meta notification created in Canva, which contained embedded links that redirected to a Socket.IO-based phishing panel.
This architecture enabled attackers to control live WebSocket traffic, allowing human operators to manage the victim’s session actively, request specific two-factor authentication codes, and capture browser screenshots dynamically.
A fourth cluster relied on direct social engineering, impersonating corporate recruiters from major technology brands to gradually build trust and move the conversation to off-platform, attacker-controlled channels.
Telegram Exfiltration and Vietnamese Attribution
To manage the massive influx of stolen data, the operators implemented a centralized command-and-control infrastructure powered by Telegram bots.

Exfiltrated credentials and session tokens were streamed in real time to private Telegram channels monitored by administrators, allowing rapid account takeover before victims could initiate recovery procedures.
Analysis of this exfiltration pipeline revealed the extensive scope of the campaign, identifying approximately 30,000 compromised records heavily concentrated in the United States and Europe.
Guardio Labs' investigation yielded a significant breakthrough in attribution by analyzing the metadata of the Google Drive PDFs.
The document’s author field revealed a real Vietnamese name, linking the technical infrastructure to a public-facing entity based in Vietnam.

This attribution was further corroborated by Vietnamese developer comments embedded within the malicious JavaScript and HTML source code.
The AccountDumpling campaign represents a highly industrialized access economy in which compromised social media accounts are harvested and monetized at scale.
Stolen pages are frequently repurposed to launch secondary fraudulent operations, demonstrating how attackers continuously exploit trusted enterprise platforms to sustain extensive cybercriminal ecosystems.