PROBABLYPWNED
Threat Intelligence | May 2, 2026 | 4 min read

Vietnamese Phishing Op Hijacks 30K Facebook Accounts via AppSheet

A Vietnamese threat actor dubbed AccountDumpling compromised 30,000 Facebook Business accounts using Google AppSheet emails to bypass spam filters.

Alex Kowalski

Security researchers have exposed a large-scale phishing operation that compromised approximately 30,000 Facebook Business accounts by abusing Google AppSheet as a mail relay. The Vietnamese-linked campaign, codenamed AccountDumpling, sells stolen accounts through an illicit storefront while continuing to harvest credentials across ten countries.

The AppSheet Bypass

The attackers send phishing emails from legitimate Google AppSheet addresses—specifically [email protected]—which bypass most spam filters because AppSheet is a trusted Google service. Victims receive messages impersonating Meta Support, warning that their Facebook Business accounts face permanent deletion unless they submit an appeal.

The emails direct targets to credential harvesting pages hosted on Netlify, Vercel, and Google Drive. Once victims enter their login credentials, the data flows to Telegram channels controlled by the threat actors.

This technique exploits the same trust gap that made Google Cloud Application Integration phishing so effective—attackers leverage legitimate Google infrastructure to appear credible.

Four Attack Clusters

Researchers identified four distinct phishing pipelines feeding into a centralized monetization system:

  1. Netlify-hosted pages: Capture dates of birth, phone numbers, and government ID photos alongside credentials
  2. Vercel-hosted portals: Deploy fake CAPTCHA checks before credential collection, including two-factor authentication codes
  3. Google Drive PDFs: Generated via Canva, these documents use html2canvas to capture browser screenshots and sensitive documents
  4. Employment lures: Fake job offers from WhatsApp, Meta, Adobe, and Apple to harvest personal data

The variety of lures—account disablement notices, copyright complaints, job offers—suggests a mature operation testing multiple social engineering angles simultaneously.

Attribution

PDF metadata revealed the author name "PHẠM TÀI TÂN," leading researchers to a digital marketing website (phamtaitan[.]vn) associated with this identity. The actors appear to operate under a facade of legitimate marketing services while running credential theft operations on the side.

Victim data extracted from Telegram channels shows targets concentrated in the U.S., Italy, Canada, Philippines, India, Spain, Australia, U.K., Brazil, and Mexico—a global footprint suggesting opportunistic targeting rather than a specific regional focus.

The Criminal-Commercial Loop

Stolen Facebook Business accounts are valuable commodities. Attackers use them to run fraudulent ad campaigns, distribute malware through trusted business pages, or resell access to other criminals. The AccountDumpling operation appears to handle the entire pipeline: steal accounts, then monetize them through an affiliated storefront.

For organizations managing social media presence, this represents a real threat. A compromised Facebook Business account can damage brand reputation, expose customer data through connected apps, and incur advertising charges before anyone notices.

Protecting Your Facebook Business Accounts

Standard phishing awareness guidance applies, but this campaign requires additional attention:

  1. Verify Meta communications through official channels—Meta will never ask you to submit appeals via third-party links
  2. Check sender addresses carefully—legitimate Meta emails come from @facebookmail.com or @fb.com, not AppSheet
  3. Enable Login Alerts in Facebook Security Settings to catch unauthorized access attempts
  4. Use hardware security keys for Business Manager accounts rather than SMS or app-based 2FA
  5. Review connected apps regularly and remove anything you don't recognize

Security teams should also consider monitoring for emails from AppSheet addresses that reference Facebook or Meta—these are almost certainly malicious given the campaign's scale.

The Bigger Picture

AccountDumpling represents an evolution in phishing infrastructure. By routing attacks through trusted Google services, the operators neutralize email security controls that most organizations depend on. The campaign demonstrates that domain reputation alone cannot determine whether an email is safe.

For security teams tracking this threat, the indicators lie in how the services are combined: AppSheet emails claiming to be from Meta, Netlify/Vercel hosting for credential pages, and Telegram for data exfiltration. Blocking any one of these legitimate services would cause operational problems, so detection has to focus on the combination of signals rather than individual components.
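
One way to express that combination-of-signals check, together with the AppSheet monitoring suggested under "Protecting Your Facebook Business Accounts", as an added example that is not code from the researchers or this article. It assumes AppSheet mail is sent from appsheet.com and that hosted pages use the netlify.app, vercel.app and drive.google.com hostnames; the function names and the sample message are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed hostnames (not given in the article): AppSheet mail is sent from
# appsheet.com; Netlify, Vercel and Drive content is served from HOSTING.
RELAY = ("appsheet.com",)
META = ("facebookmail.com", "fb.com")  # legitimate Meta senders per the article
HOSTING = ("netlify.app", "vercel.app", "drive.google.com")
BRAND_RE = re.compile(r"\b(?:meta|facebook)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def in_domain(host, domains):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def link_hosts(text):
    for url in URL_RE.findall(text):
        try:
            yield urlsplit(url).hostname
        except ValueError:  # malformed URL: skip it
            continue

def classify(raw):
    """Return (verdict, signals) for one RFC 5322 message given as a string."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2]
    body = "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")
    signals = set()
    if in_domain(domain, RELAY):
        signals.add("appsheet_sender")
    seen = " ".join((display, msg.get("Subject", ""), body))
    if BRAND_RE.search(seen) and not in_domain(domain, META):
        signals.add("meta_reference")
    if any(in_domain(h, HOSTING) for h in link_hosts(body)):
        signals.add("hosted_link")
    if {"appsheet_sender", "meta_reference"} <= signals:
        return "alert", signals   # AppSheet mail that references Meta
    if {"meta_reference", "hosted_link"} <= signals:
        return "review", signals  # Meta-themed mail linking to free hosting
    return "pass", signals

# Constructed sample, not a captured message from the campaign.
SAMPLE = ('From: "Meta Support" <constructed@appsheet.com>\n'
          "Subject: Your Business account is scheduled for deletion\n\n"
          "Submit an appeal: https://constructed-sample.netlify.app/appeal\n")
```

An AppSheet sender or a hosted link on its own yields "pass", so ordinary AppSheet notifications and Drive shares are not flagged.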
