A large phishing operation, dubbed “AccountDumpling,” has compromised about 30,000 Facebook accounts worldwide. Identified by Guardio Labs and traced to Vietnam, the operation abuses Google’s AppSheet platform to slip past conventional email security controls.
The attackers send their phishing messages through a legitimate service, so the messages arrive fully authenticated, and use them to harvest credentials and identity documents. The hijacked Facebook Business accounts are then either monetized directly or sold back to their original owners on a black market.
Exploitation of Platform Trust
The crux of this campaign lies in exploiting platform trust rather than simply spoofing domains. The cybercriminals leverage Google AppSheet, a legitimate no-code app creation service, to send deceptive notifications that appear authentic.
Emails dispatched from Google’s servers under AppSheet’s own no-reply sender address pass SPF, DKIM, and DMARC checks, because Google genuinely sent them. Email security systems therefore tend to wave the messages through, leaving recipients to spot the deception themselves.
Techniques of Attack and Evasion
The operation is marked by its modular design, employing four distinct phishing clusters that exploit various psychological triggers in their targets.
- Policy Violation: Fake warnings of permanent account suspension, hosted on Netlify, use unique subdomains and serverless functions to bypass blocklists.
- Reward Promise: Offers for Blue Badge verification or advertiser rewards, deployed via Vercel, employ Unicode obfuscation and fake reCAPTCHA scripts.
- Live Control: Urgent Meta notifications, appearing as clean single-image alerts, utilize Google Drive and Canva PDFs for real-time phishing.
- Social Engineering: False job offers from major tech firms move the conversation off-platform to build trust gradually and use Cyrillic homoglyphs to disguise lookalike names and addresses.
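The authentication point above is what makes this campaign awkward for a mail gateway: SPF, DKIM and DMARC all pass, so a rule that relies on authentication results alone sees nothing wrong. The rule has to look at what an authenticated platform sender is saying. The following is an added example (not Guardio’s detection logic) of such a rule in Python: it treats mail that authenticates under a no-code platform’s own domain as suspicious when the subject or body carries Meta/Facebook lure vocabulary or links to the throwaway hosting named in the list above. The platform domain (assumed here to be appsheet.com), the brand-term list and the hosting list are assumptions for the demo, and both sample messages are constructed rather than real captures.

```python
"""Gateway rule for brand impersonation relayed through a trusted no-code platform.

Added example, not Guardio's detection logic. Because Google's servers really
did send the mail, SPF, DKIM and DMARC all return 'pass', so the rule has to
look at what an authenticated platform sender is saying rather than whether it
authenticated. The platform domain, brand vocabulary and lure-hosting list are
assumptions for the demo; the two messages are constructed, not real captures.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Automation/no-code platforms whose mail authenticates under the platform's own
# domain while the content is written by arbitrary tenants (assumed list).
PLATFORM_SENDER_DOMAINS = {"appsheet.com"}
# Lure vocabulary a platform's own notifications have no reason to carry.
BRAND_TERMS = ("meta", "facebook", "business suite", "blue badge",
               "policy violation", "permanently disabled", "verification")
# Hosting the article names for the lure pages and documents.
LURE_HOSTS = ("netlify.app", "vercel.app", "drive.google.com", "canva.com")


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = verdict.lower()
    return results


def sender_domain(msg) -> str:
    """Domain part of the From: address, lower-cased ('' if absent)."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_lure_host(host: str) -> bool:
    """True for a lure host or any subdomain of one (tenant.netlify.app)."""
    return any(host == h or host.endswith("." + h) for h in LURE_HOSTS)


def classify(raw: bytes) -> dict:
    """Return a verdict plus the reasons for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = auth_results(msg)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    reasons = []
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    domain = sender_domain(msg)
    if authenticated and domain in PLATFORM_SENDER_DOMAINS:
        # Whole-word match so 'meta' does not fire on 'metadata'.
        hits = [t for t in BRAND_TERMS if re.search(rf"\b{re.escape(t)}\b", text)]
        if hits:
            reasons.append(f"authenticated platform sender {domain} carries lure terms {hits}")
        for url in re.findall(r"https?://[^\s\"'<>]+", text):
            host = urlparse(url).hostname or ""
            if is_lure_host(host):
                reasons.append(f"link to throwaway lure hosting: {host}")
    return {"verdict": "suspicious" if reasons else "clean", "auth": auth, "reasons": reasons}


# Constructed samples: a lure relayed through the platform, and a genuine app notification.
PHISH = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=appsheet.com; dkim=pass header.d=appsheet.com; dmarc=pass header.from=appsheet.com
From: AppSheet <noreply@appsheet.com>
To: admin@victim.example
Subject: Meta Business Suite: Policy Violation - page will be permanently disabled
Content-Type: text/plain; charset=utf-8

Your Facebook page violated our advertising policies. Appeal within 24 hours:
https://case-48213-review.netlify.app/appeal
"""

BENIGN = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=appsheet.com; dkim=pass header.d=appsheet.com; dmarc=pass header.from=appsheet.com
From: AppSheet <noreply@appsheet.com>
To: ops@victim.example
Subject: Inventory app: 3 rows need approval
Content-Type: text/plain; charset=utf-8

Open the Inventory app to approve the pending rows: https://www.appsheet.com/start/inventory
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, classify(sample))
```

Note that the rule deliberately does nothing for mail that fails DMARC; a spoofed facebookmail.com lookalike is the case ordinary DMARC enforcement already handles. This rule covers the gap the campaign exploits: a sender that is fully authenticated but is not the brand it claims to speak for.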
Behind these deceptive tactics, the operation employs Telegram bots for command-and-control activities, with stolen data being routed to private Telegram channels for monitoring and real-time account takeovers.
Tracing the Cybercriminals
Guardio Labs managed to trace the operation to a Vietnamese individual due to a significant operational security lapse. A Canva-generated PDF used in one of the phishing attacks retained metadata revealing the author’s name, “PHẠM TÀI TÂN.” This name was linked to a public persona in Vietnam known for advertising Facebook account recovery services.
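The metadata slip above is the kind of thing an analyst checks first on any lure document. As an added example (not Guardio’s tooling), the Python below pulls the document-information entries (/Author, /Creator, /Producer, /Title, /CreationDate) out of a PDF by scanning its raw bytes, and decodes both string encodings the format allows, since an author name with Vietnamese diacritics is stored as UTF-16BE rather than Latin-1. The sample PDF and the author name in it are constructed for the demo; the byte-scanning approach is a triage shortcut that misses metadata kept in compressed object streams or XMP packets.

```python
"""Pull document-information metadata out of a PDF for attribution triage.

Added example, not Guardio's tooling. It scans the raw bytes for the /Info
dictionary entries, which is enough for the uncompressed info dictionaries most
exporters write, but it will miss metadata stored in compressed object streams
or in an XMP packet; confirm anything found with a full parser (pypdf,
exiftool). The sample document and author name below are constructed.
"""
import re

INFO_KEYS = (b"Author", b"Creator", b"Producer", b"Title", b"CreationDate")


def decode_pdf_string(raw: bytes) -> str:
    """Decode the body of a PDF literal string (the bytes between the parentheses).

    PDF text strings are PDFDocEncoding (treated as Latin-1 here) or UTF-16BE
    with a FE FF byte-order mark, which is what exporters switch to as soon as a
    name contains characters outside Latin-1, such as Vietnamese diacritics.
    """
    unescaped = re.sub(rb"\\([()\\])", rb"\1", raw)   # undo \( \) \\ escapes
    if unescaped.startswith(b"\xfe\xff"):
        return unescaped[2:].decode("utf-16-be", errors="replace")
    return unescaped.decode("latin-1")


def extract_info(pdf: bytes) -> dict:
    """Return {key: value} for each info-dictionary key found as a literal string."""
    found = {}
    for key in INFO_KEYS:
        # /Key (....) where the string body may contain escaped parentheses
        m = re.search(rb"/" + key + rb"\s*\(((?:\\.|[^\\)])*)\)", pdf, re.DOTALL)
        if m:
            found[key.decode()] = decode_pdf_string(m.group(1))
    return found


def build_sample_pdf(author: str, creator: str = "Canva") -> bytes:
    """Constructed minimal PDF whose trailer points at an /Info dictionary."""
    def pdf_text(s: str) -> bytes:
        # ASCII stays a plain literal; anything else gets the UTF-16BE BOM form.
        body = s.encode("latin-1") if s.isascii() else b"\xfe\xff" + s.encode("utf-16-be")
        return b"(" + re.sub(rb"([()\\])", rb"\\\1", body) + b")"
    info = (b"<< /Author " + pdf_text(author) + b" /Creator " + pdf_text(creator)
            + b" /CreationDate (D:20250101120000Z) >>")
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
            b"2 0 obj " + info + b" endobj\n"
            b"trailer << /Root 1 0 R /Info 2 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    print(extract_info(build_sample_pdf("Nguyễn Văn Sample")))
```

Hex-form strings (`/Author <FEFF...>`) are not handled here; if the scan comes back empty on a document you know carries metadata, that or a compressed object stream is the usual reason, and a full parser is the next step.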
This situation exemplifies a circular economy of cybercrime, where stolen business assets are employed in fraudulent activities, and recovery services are subsequently sold back to the victims. Reports indicate that 68.6 percent of the targeted entities are based in the United States.
