AccountDumpling Phishing Campaign
A large-scale cybercriminal campaign, attributed to a Vietnam-linked threat group and dubbed AccountDumpling, has been identified leveraging Google AppSheet as a phishing relay mechanism. This operation distributes deceptive emails with the primary objective of compromising Facebook accounts, particularly those associated with business users.
Unlike conventional phishing campaigns, this is not a static toolkit but a dynamic and continuously evolving ecosystem. It incorporates real-time operator dashboards, advanced evasion techniques, and a structured monetization pipeline. Stolen accounts are funneled back into an underground marketplace controlled by the attackers, creating a self-sustaining criminal loop. Approximately 30,000 Facebook accounts have been compromised as part of this campaign.
Weaponized Trust: Exploiting Google AppSheet for Email Delivery
The attack chain begins with carefully crafted phishing emails impersonating Meta Support. These messages target Facebook Business account holders, warning them of imminent account deletion unless immediate action is taken. Victims are urged to submit appeals through embedded links.
A key factor in the campaign's effectiveness is the use of legitimate infrastructure. Emails are sent from a Google AppSheet address ('noreply@appsheet.com'), enabling them to bypass many traditional spam and security filters. This tactic enhances credibility and increases the likelihood of user engagement.
The urgency conveyed in these messages directs recipients to fraudulent websites designed to harvest sensitive credentials. Similar attack patterns were observed in earlier campaigns, indicating ongoing refinement and reuse of successful techniques.
Psychological Manipulation: Engineering 'Meta Panic'
The attackers employ a variety of social engineering lures to trigger panic and compel rapid user response. These lures are strategically designed to mimic legitimate Meta communications and exploit fear-based scenarios.
The primary lure categories include:
- Account-related threats: Claims of account suspension, copyright violations, or urgent verification requirements
- Security alerts: Notifications of suspicious logins or mandatory security checks
- Business and status incentives: Blue badge verification offers or executive recruitment opportunities
- Corporate impersonation: Fake job offers from well-known brands to build trust and initiate engagement
Each lure is tailored to manipulate user behavior, increasing the likelihood of credential disclosure.
Multi-Channel Phishing Infrastructure: Diverse Delivery Mechanisms
The campaign is characterized by its use of multiple hosting platforms and delivery methods, each serving a specific role in data collection and exfiltration. The four primary attack clusters include:
- Netlify-hosted phishing pages: Fake Facebook Help Center portals designed to capture login credentials, personal data, and government-issued identification. Collected data is transmitted to attacker-controlled Telegram channels.
- Vercel-hosted 'Security Check' pages: These pages simulate Meta privacy or security portals and include fake CAPTCHA challenges. Victims are prompted to re-enter credentials and provide two-factor authentication (2FA) codes, all of which are exfiltrated in real time.
- Google Drive-hosted PDF lures: Disguised as official verification instructions, these documents redirect users to phishing pages that collect passwords, 2FA codes, ID photos, and even browser screenshots using embedded scripts.
- Fake recruitment workflows: Impersonation of major companies to establish credibility, followed by redirection to malicious platforms for further interaction and data harvesting.
Collectively, the Telegram channels linked to these clusters contain approximately 30,000 victim records. Affected individuals are predominantly located across North America, Europe, Asia, and Australia, many of whom have lost access to their accounts.
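The delivery traits described above (a legitimate Google AppSheet sender, Meta or Facebook impersonation with an urgency lure, and landing pages on free hosting platforms) can be combined into a mail-gateway triage rule. The following is an added example written for this article, not tooling from the report or from any vendor; the hosting-platform domain suffixes and the urgency vocabulary are analyst assumptions drawn from the lure categories listed earlier, and the three sample messages are constructed for illustration.

```python
"""Triage rule for AccountDumpling-style phishing (added example, not from the original report).

A message is escalated when it combines traits the report describes:
  * delivery from the legitimate AppSheet sender address,
  * Meta/Facebook brand impersonation,
  * an urgency or fear lure,
  * a landing link on a free hosting platform.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Sender address named in the report.
APPSHEET_SENDER = "noreply@appsheet.com"

# Impersonated brands and urgency phrases; the phrase list is an assumption
# built from the lure categories in the report, not a published signature.
BRAND_RE = re.compile(r"\b(meta|facebook)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(deleted?|suspend(ed|sion)?|within \d+ hours?|appeal|verify|copyright|security check)\b",
    re.I,
)

# Hosting platforms the report names; these suffixes are an assumption and
# would normally live in an analyst-maintained list.
FREE_HOSTING_SUFFIXES = ("netlify.app", "vercel.app", "drive.google.com")

URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.I)


def message_text(msg: Message) -> str:
    """Concatenate the subject with every text/* body part."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)


def classify(raw_message: str) -> dict:
    """Return the matched traits plus a verdict: quarantine, review, or allow."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    text = message_text(msg)
    hosts = [h.lower() for h in URL_RE.findall(text)]
    hosting_hits = sorted(
        {h for h in hosts if any(h == s or h.endswith("." + s) for s in FREE_HOSTING_SUFFIXES)}
    )
    result = {
        "appsheet_sender": sender == APPSHEET_SENDER,
        "brand_lure": bool(BRAND_RE.search(text)),
        "urgency": bool(URGENCY_RE.search(text)),
        "free_hosting_links": hosting_hits,
    }
    # Brand impersonation is required; a trusted relay or a free-hosting link
    # raises it to review, and an urgency lure on top of that to quarantine.
    suspicious_delivery = result["appsheet_sender"] or bool(hosting_hits)
    if result["brand_lure"] and suspicious_delivery and result["urgency"]:
        result["verdict"] = "quarantine"
    elif result["brand_lure"] and suspicious_delivery:
        result["verdict"] = "review"
    else:
        result["verdict"] = "allow"
    return result


# Constructed sample messages (not real captures).
SAMPLE_APPSHEET_PHISH = """From: Meta Support <noreply@appsheet.com>
To: owner@example.com
Subject: Your Facebook Business account will be deleted within 24 hours
Content-Type: text/plain; charset=utf-8

We detected a copyright violation. Submit an appeal now:
https://help-center-appeal.netlify.app/appeal
"""

SAMPLE_APPSHEET_BENIGN = """From: AppSheet <noreply@appsheet.com>
To: owner@example.com
Subject: Your inventory app report is ready
Content-Type: text/plain; charset=utf-8

Your scheduled report has been generated. Open it in AppSheet:
https://www.appsheet.com/
"""

SAMPLE_BADGE_LURE = """From: Facebook Partner Team <partners@mailer-example.test>
To: owner@example.com
Subject: Congratulations on your Facebook blue badge
Content-Type: text/plain; charset=utf-8

Your page qualifies for a blue badge. Claim it here:
https://badge-request.vercel.app/claim
"""

if __name__ == "__main__":
    for name, raw in [("phish", SAMPLE_APPSHEET_PHISH), ("benign", SAMPLE_APPSHEET_BENIGN), ("badge", SAMPLE_BADGE_LURE)]:
        print(name, classify(raw))
```

The benign AppSheet notification is allowed because a trusted sender alone is not a signal; the report's point is that the relay only matters in combination with brand impersonation and a lure, which is why the rule keys on the conjunction rather than on the AppSheet address. The blue-badge message lands in review rather than quarantine because the status-incentive lure carries no urgency phrase, which is the kind of lower-confidence hit an analyst would want surfaced rather than silently blocked.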
Attribution Insights: Tracing the Actors Behind the Campaign
Critical attribution evidence emerged from metadata embedded in the phishing PDFs generated via a free Canva account. The files list 'PHẠM TÀI TÂN' as the author, providing a direct link to the individual potentially responsible for the operation.
Further open-source intelligence revealed a corresponding website, 'phamtaitan.vn,' which promotes digital marketing services. Public statements associated with this entity indicate a focus on marketing resources and strategic consulting, suggesting a dual-use skillset that may be leveraged for both legitimate and malicious purposes.
The Underground Economy: Monetizing Compromised Digital Identities
This campaign illustrates a broader trend in cybercrime: the commodification of digital identities. Compromised Facebook accounts are not merely endpoints but valuable assets within a thriving underground marketplace.
Attackers trade access to accounts based on factors such as business affiliation, advertising history, and recovery potential. The operation demonstrates how trusted platforms such as Google AppSheet, Netlify, and Vercel are being repurposed as infrastructure layers for delivery, hosting, and monetization.
The AccountDumpling campaign serves as a clear example of how modern threat actors integrate social engineering, cloud services, and underground economics into a cohesive and scalable cybercriminal enterprise.