Zero Day Exploit

2026-05-02 19:57:51

Unveiling AccountDumpling: How 30,000 Facebook Accounts Were Stolen via Google AppSheet Phishing

AccountDumpling phishing campaign used Google AppSheet to steal 30,000 Facebook accounts, sold via illicit storefront.

In a sophisticated cyber operation linked to Vietnamese threat actors, over 30,000 Facebook accounts were compromised through a clever phishing campaign that exploited Google AppSheet as a relay. Dubbed AccountDumpling by researchers at Guardio, the scheme used deceptive emails to trick users into handing over their credentials, which were then sold on an illicit marketplace. Below, we answer key questions about this attack and what it means for your online security.

1. What is the AccountDumpling campaign and how does it work?

The AccountDumpling campaign is a phishing operation that targets Facebook users through carefully crafted emails. Victims receive messages that appear to be from Facebook or a trusted service, urging them to take action—like verifying an account or resetting a password. The twist? The phishing link leads to a page hosted on Google AppSheet, a legitimate platform for building business applications. The attackers used AppSheet as a phishing relay, meaning the malicious form was served from an AppSheet app, making it look authentic and bypassing security filters. Once users entered their login details, the data was captured and funneled to the criminals. They then sold the compromised accounts through a dedicated storefront, netting thousands of stolen profiles. For tips on avoidance, see question 5.

Source: feeds.feedburner.com

2. How did threat actors misuse Google AppSheet as a phishing relay?

Google AppSheet is a no-code development platform often used for creating custom business apps. The attackers exploited this by deploying a fake login form within an AppSheet app. Since AppSheet apps are hosted on Google’s infrastructure with a legitimate appsheet.com domain, the phishing emails easily evaded spam filters and looked trustworthy to recipients. Instead of hosting a standalone fake page on a malicious domain, the criminals leveraged AppSheet’s trusted URLs, making detection harder for both users and security systems. The form prompted victims to enter their Facebook email and password. Once submitted, the credentials were redirected to the attackers’ servers. This abuse of a reputable service—known as reputation hijacking—is a growing trend in phishing, as it exploits user trust in brands like Google.

3. How many Facebook accounts were compromised, and what happened to them?

According to Guardio, the researchers who uncovered the campaign, roughly 30,000 Facebook accounts were stolen. The victims were primarily individuals who fell for the phishing emails. After capturing credentials, the attackers stripped the accounts of personal information, changed passwords, and locked out the original owners. These hijacked accounts were then advertised and sold on an illicit storefront operated by the same threat actors. The price varied depending on the account’s age, number of friends, and activity level. Buyers often used stolen accounts for spreading spam, running scams, or conducting further phishing attacks. The scale of this operation underscores how a well-executed phishing campaign, even when using a relatively novel technique, can lead to mass account theft.

4. Who is behind the AccountDumpling operation?

The AccountDumpling campaign has been linked by Guardio to a Vietnamese-connected threat group. While specific identities remain unknown, the operation’s infrastructure, language patterns, and payment methods point to Vietnam. The group is not only skilled in phishing but also in managing a fully functional underground marketplace for stolen accounts. They used a storefront that sold Facebook profiles like commodities, complete with category filters and pricing tiers. This level of organization suggests a professional cybercrime outfit. The discovery was made by Guardio’s research team, which monitors phishing trends and deploys honeypots to capture such attacks. Their analysis revealed the reliance on Google AppSheet, a method previously undocumented for this kind of large-scale credential harvesting.

5. How can users protect themselves from such phishing attacks?

To avoid falling victim to campaigns like AccountDumpling, follow these best practices:

  • Verify the sender – Even if an email appears to be from Facebook, check the actual email address and look for typos or unusual domains.
  • Inspect links before clicking – Hover over any URL; if it leads to a non-Facebook domain like appsheet.com or a strange subdomain, do not click.
  • Enable two-factor authentication (2FA) – This adds an extra layer of security, so a stolen password alone is not enough to log in.
  • Use a password manager – Such tools often auto-fill only on the legitimate site a login was saved for, so a missing auto-fill prompt helps flag a suspicious page.
  • Report phishing – Forward suspicious emails to Facebook’s abuse team (phish@facebook.com).

Remember, legitimate organizations never ask for login credentials via email. When in doubt, go directly to facebook.com instead of clicking email links. For more on how phishing works, see question 1.


6. What makes Google AppSheet an attractive tool for phishers?

Google AppSheet offers several features that appeal to cybercriminals. First, its trusted domain (appsheet.com) and SSL certificates automatically grant credibility—emails linking to AppSheet apps are less likely to be flagged as malicious. Second, AppSheet apps are easy to create and configure; attackers can build a convincing login form in minutes without coding skills. Third, the platform allows dynamic content, so the phishing form can be quickly updated or retargeted. Finally, because AppSheet is a legitimate business tool, security tools may whitelist its traffic, allowing the phishing links to reach inboxes. This abuse highlights a broader challenge: balancing the openness of low-code platforms with the need to prevent malicious use. Google has systems to detect abuse, but determined attackers can still slip through for a time.
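Because domain reputation does not help here, a mail-side check has to compare who a message claims to be with where its links go, which is the "inspect links" advice from question 5 done automatically. The sketch below is an added example, not code from Guardio or Google; the brand pattern, the domain lists, the finding labels and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed lists for illustration; tune them for your own mail flow.
BRAND = re.compile(r"\b(facebook|meta)\b", re.I)
BRAND_DOMAINS = {"facebook.com", "facebookmail.com", "fb.com", "meta.com"}
SHARED_APP_HOSTS = {"appsheet.com"}  # the platform named in the article

def under(host, domains):
    """True if host equals, or is a subdomain of, an entry in domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

class Links(HTMLParser):  # collects the hostname of every http(s) <a href>
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a" and href.lower().startswith(("http://", "https://")):
            self.hosts.append(urlsplit(href).hostname or "")

def assess(raw):
    """Return findings for one raw message; an empty list means no flag."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    if not (BRAND.search(name) or BRAND.search(msg.get("Subject", ""))):
        return []  # no brand claim: a link to the platform alone is not flagged
    sender_host = addr.rpartition("@")[2]
    findings = [] if under(sender_host, BRAND_DOMAINS) else [
        "brand-claimed-by-foreign-sender:" + sender_host]
    parser = Links()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    findings += ["brand-link-on-shared-app-platform:" + h
                 for h in parser.hosts if under(h, SHARED_APP_HOSTS)]
    return findings

def sample(sender, subject, href):  # builds a constructed single-part HTML message
    return (f"From: {sender}\nSubject: {subject}\nContent-Type: text/html\n\n"
            f'<p>Notice</p><a href="{href}">Open</a>\n')

PHISH = sample('"Facebook Support" <noreply@mailer.example>',  # constructed sample
               "Verify your Facebook account", "https://www.appsheet.com/start/CONSTRUCTED-APP-ID")
if __name__ == "__main__":
    print(assess(PHISH))
```

The check only fires when a brand claim and a shared-platform link appear together, so ordinary AppSheet notifications that make no Facebook claim pass through untouched.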

7. What is the illicit storefront operated by the threat actors?

The stolen Facebook accounts were sold through a dedicated online storefront built and managed by the AccountDumpling group. This marketplace functioned like a legitimate e-commerce site, with categories for different account attributes (e.g., age, follower count, region) and a price list. The storefront accepted cryptocurrency payments, typically Bitcoin, to anonymize transactions. It even offered “bulk discounts” for purchasing multiple accounts and a “warranty” that replaced accounts if the buyer’s access was revoked within a short period. This professional setup indicates that the group treated account theft as a formal business. Guardio was able to infiltrate the storefront during their investigation, confirming that at least 30,000 accounts were listed. The existence of such marketplaces fuels secondary cybercrimes, including identity theft, fraud, and disinformation campaigns.

8. What are the broader implications of this phishing campaign for Facebook users?

The AccountDumpling campaign serves as a wake-up call about evolving phishing tactics. Using a trusted service like Google AppSheet as a relay means that traditional warning signs—such as strange URLs or poor grammar—may no longer be reliable. For Facebook, which has over 3 billion users, securing accounts requires constant vigilance and user education. The attack also underscores the importance of two-factor authentication; many of the compromised accounts likely lacked 2FA, making them easy targets. Additionally, organizations must monitor third-party platforms that can be weaponized. For users, the incident reinforces that no email or link should be taken at face value, even if it appears to come from a reputable domain. Moving forward, expect more adversaries to adopt similar techniques, exploiting the trust we place in cloud-based services.