Google AppSheet Used to Compromise 30,000 Facebook Accounts in Phishing Campaign
- May 2
- 3 min read
Key Findings
Vietnamese-linked operation "AccountDumpling" compromised over 30,000 Facebook accounts using Google AppSheet infrastructure
Phishing emails bypassed authentication checks by originating from legitimate Google servers (noreply@appsheet.com and appsheet.bounces.google.com)
Four distinct attack clusters employed different social engineering methods including fake help centers, incentive offers, interactive PDFs, and fake job recruitment
Stolen data funneled through Telegram bots to attacker-controlled channels for resale and monetization
68.6% of victims located in United States, with additional targets in UK, Canada, and Italy
Background
Guardio Labs security researchers discovered a coordinated phishing campaign operating throughout April 2026 that initially appeared to target isolated Facebook Business users. The investigation revealed a sophisticated, multi-layered operation leveraging legitimate Google services to deliver convincing phishing emails that passed standard authentication protocols. The campaign represented a professional supply chain operation where different groups specialized in account theft, data exfiltration, and monetization through resale or fraudulent recovery services.
AppSheet Abuse Method
The attackers exploited Google AppSheet's notification system, a no-code business automation tool, to send phishing emails from Google's own infrastructure. By routing messages through appsheet.bounces.google.com and noreply@appsheet.com addresses, the emails originated from verified Google servers. This allowed the phishing campaigns to pass SPF, DKIM, and DMARC authentication checks that typically filter malicious messages. The phishing lures centered on Meta-related themes, including fake copyright complaints and account disablement warnings. One notable email from April 2026 cited a case ID and threatened permanent account suspension within 24 hours to create urgency.
Four Attack Clusters
Cluster A involved using HTTrack software to clone the Facebook Help Centre and hosting these replicas on Netlify. Victims visiting these pages believed they were interacting with legitimate Facebook support and submitted credentials along with photographs of government-issued identification documents.
Cluster B employed social engineering incentives, particularly promises of blue badge verification or advertising rewards. These pages hosted on Vercel used advanced evasion techniques including Cyrillic homoglyphs and hair spaces—invisible Unicode characters that bypass spam filters. The attackers captured passwords and two-factor authentication codes through multi-step credential harvesting flows.
Cluster C represented the most sophisticated approach, using Google Drive-hosted PDFs created with Canva. These documents contained embedded links to interactive phishing panels powered by Socket IO and WebSockets. This infrastructure allowed attackers to interact with victims in real time, dynamically adapting attacks and requesting two-factor authentication codes during live sessions.
Cluster D deviated from traditional phishing by impersonating recruiters from major brands including Adobe, Apple, and Coca-Cola. Attackers initiated conversations that eventually redirected victims to private WhatsApp chats controlled by the operation.
Attribution and Infrastructure
Investigation traced the operation back to Vietnam through metadata embedded in campaign files. A Google Drive-hosted PDF contained the Vietnamese name Phạm Tài Tân in its metadata. Researchers linked this identity to an online persona openly advertising Facebook account recovery services, suggesting the operation included a monetization loop where stolen accounts were either resold or "recovered" for a fee. Vietnamese-language code comments and specific bot naming conventions throughout the infrastructure indicated a modular ecosystem involving multiple coordinated actors.
Stolen data flowed through Telegram bots including @haixuancau_bot and @globalglobalglobalbot_bot, operated by users known as "Big Bosss" and "@mansinblack." These channels aggregated approximately 30,000 compromised accounts for distribution within underground markets.
Geographic Impact and Recommendations
The victim distribution showed 68.6% concentrated in the United States, with significant numbers from the United Kingdom, Canada, and Italy. The global scope combined with professional operational structure indicated a well-established criminal enterprise.
Security experts recommended users avoid clicking links in urgent-sounding emails, enable two-factor authentication on all accounts, and monitor account activity for unauthorized access or suspicious recovery attempts. Organizations should treat emails claiming account issues with heightened scrutiny, particularly those requesting credential or identity verification.
Sources
https://hackread.com/google-appsheet-facebook-accountdumpling-scam/
https://cyberinsider.com/google-appsheet-abused-to-compromise-30000-facebook-accounts/
https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html
https://www.threads.com/@thehackernews/post/DXznd6fj6Kk/facebook-accounts-compromised-in-a-phishing-campaign-using-google-app-sheet

Comments