A recent cybersecurity investigation has exposed a large-scale phishing operation targeting Facebook accounts, resulting in the compromise of approximately 30,000 profiles. The attack used Google’s AppSheet service as a ‘phishing relay’ to distribute malicious emails aimed at Facebook users, so the messages arrived from a legitimate, trusted sending infrastructure.
Unveiling the ‘AccountDumpling’ Campaign
The operation, identified as ‘AccountDumpling’ by the cybersecurity firm Guardio, involved a series of meticulously crafted phishing emails. These emails tricked recipients into believing they were from Meta Support, urging them to submit an appeal to avoid account termination. The phishing emails were sent from a Google AppSheet address, which enabled them to evade spam detection systems.
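The pattern described above (a message claiming to be Meta Support, sent from a third-party relay domain, pressing the recipient to file an appeal) can be triaged with simple header and body heuristics. The following is an added example written for this page, not Guardio’s tooling or code from the article; the domains, sample messages and keyword lists are constructed placeholders, and the scoring weights are an assumption a team would tune against its own mail.

```python
"""Heuristic triage for brand-impersonation phishing mail.

Added example, not part of the article. Flags messages whose sender display name or
subject claims a brand while the envelope domain is not one of that brand's domains,
with extra weight for relay-style senders, urgency language and off-brand links.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Placeholder allowlist of domains the impersonated brand legitimately mails from.
META_DOMAINS = {"facebookmail.com", "facebook.com", "meta.com"}
# Substrings identifying relay/low-code senders; the article names AppSheet.
RELAY_HINTS = ("appsheet",)
# Brand phrases whose presence in From/Subject means the mail is "speaking for" the brand.
BRAND_WORDS = ("meta support", "facebook", "meta business")
# Urgency cues typical of account-termination lures.
URGENCY_WORDS = ("appeal", "terminat", "disabled", "suspend", "within 24 hours", "verify")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def sender_domain(msg):
    """Return the lower-cased domain of the From address, or '' if unparsable."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_brand_domain(domain):
    """True if domain is, or is a subdomain of, an allowlisted brand domain."""
    return any(domain == d or domain.endswith("." + d) for d in META_DOMAINS)


def assess_message(raw):
    """Score one RFC 822 message string and return the evidence used."""
    msg = message_from_string(raw, policy=policy.default)
    from_hdr = str(msg.get("From", ""))
    subject = str(msg.get("Subject", ""))
    body = "" if msg.is_multipart() else msg.get_content()
    domain = sender_domain(msg)

    brand_claim = any(w in (from_hdr + " " + subject).lower() for w in BRAND_WORDS)
    domain_mismatch = brand_claim and not is_brand_domain(domain)
    relay_sender = any(h in domain for h in RELAY_HINTS)
    text = (subject + " " + body).lower()
    urgency_hits = sum(1 for w in URGENCY_WORDS if w in text)
    link_domains = {d.lower() for d in URL_RE.findall(body)}
    off_brand_links = sorted(d for d in link_domains if not is_brand_domain(d))

    # Weights are an assumption for the example; tune against real mail flow.
    score = 0
    score += 3 if domain_mismatch else 0
    score += 2 if relay_sender else 0
    score += min(urgency_hits, 2)
    score += 2 if (brand_claim and off_brand_links) else 0

    return {
        "sender_domain": domain,
        "brand_claim": brand_claim,
        "domain_mismatch": domain_mismatch,
        "relay_sender": relay_sender,
        "urgency_hits": urgency_hits,
        "off_brand_links": off_brand_links,
        "score": score,
        "verdict": "suspicious" if score >= 4 else "ok",
    }


# Constructed sample messages (not real campaign artefacts); .example domains throughout.
PHISH = """From: Meta Support <noreply@appsheet.example>
To: owner@business.example
Subject: Your Facebook Business account will be disabled - submit an appeal

Your page was flagged for copyright violation. Submit an appeal within 24 hours
at https://security-check.pages.example/appeal or your account will be terminated.
"""

LEGIT = """From: Payroll <hr@business.example>
To: owner@business.example
Subject: March timesheets are due

Please submit your timesheet by Friday. Thanks.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, assess_message(raw))
```

The check deliberately keys on the combination rather than any single signal: a relay domain alone is how many legitimate SaaS notifications arrive, and urgency wording alone is common in real billing mail. It is the brand claim in the display name or subject paired with a non-brand sending domain that carries most of the weight, which is exactly the mismatch the article describes.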
Security researcher Shaked Chen highlighted the complexity of the operation, describing it as a dynamic system with real-time operational panels and advanced evasion tactics. The stolen accounts were then sold on illegal online marketplaces, contributing to a growing underground economy of stolen digital identities.
Methods of Deception and Data Harvesting
The phishing campaign employed various deceptive tactics to instill a sense of urgency among Facebook Business account holders, including fake alerts about account disablement, copyright violations, and verification requests. The emails directed users to counterfeit web pages designed to harvest login credentials.
Guardio’s investigation identified several clusters of these phishing schemes. One method involved using Netlify-hosted pages to collect sensitive information such as dates of birth, phone numbers, and ID photos, which were then sent to a Telegram channel controlled by the attackers. Another tactic involved using Vercel-hosted ‘Security Check’ pages to gather login credentials and two-factor authentication codes.
Identifying the Culprits and Future Implications
The operation has been linked to Vietnamese threat actors, with evidence pointing to a specific individual associated with the digital marketing website ‘phamtaitan[.]vn.’ Metadata from the phishing PDFs revealed the name ‘PHẠM TÀI TÂN’ as the document’s author, suggesting a connection to the broader phishing network.
This incident underscores the evolving tactics of cybercriminals who continue to exploit trusted platforms for malicious purposes. The stolen accounts, primarily from the U.S., Italy, and several other countries, highlight the global scale of this security threat.
As cybersecurity experts continue to unravel the details of this operation, it serves as a stark reminder of the importance of vigilance and robust security measures to protect personal information online. Future efforts must focus on improving detection of phishing sent through trusted relay services and on raising awareness of the risks of phishing attacks.
