A massive phishing operation has compromised the security of more than 30,000 Facebook accounts worldwide.
The campaign abused legitimate Google infrastructure to violate users' privacy.
The campaign, called “AccountDumpling” by Guardio Labs, is linked to Vietnamese threat actors who have turned Google’s code-free AppSheet platform into a “phishing relay” to send fully authenticated malicious emails.
A Vietnamese individual named Pham Tai Tan was linked to the operation after metadata in a Canva-generated PDF revealed his identity.
How the attack works
Unlike traditional phishing that relies on spoofed domains, these emails are sent from the legitimate address “[email protected].” Because the sending domain is Google-owned, the email appears perfectly legitimate.
Because the email passes SPF, DKIM and DMARC authentication checks, it bypasses the usual email security gateways and spam filters.
A victim who opens the malicious email and follows its link is redirected to fake Facebook Help Center pages hosted on Netlify or Vercel.
These web pages collect login information, 2FA codes, dates of birth, images of public IDs and even browser screenshots.
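A triage heuristic for the pattern described above, added here as an example and not taken from Guardio Labs or the article: it flags mail that names Facebook or Meta, comes from an unrelated sender domain, and links to Netlify- or Vercel-hosted pages, even when the message passes DMARC. The hosting suffixes, the list of genuine sender domains, the keyword list and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions of this example, not values from the article:
FREE_HOSTING = (".netlify.app", ".vercel.app")   # hosting suffixes to watch
BRAND_SENDERS = ("facebook.com", "facebookmail.com", "meta.com")
BRAND_WORDS = re.compile(r"\b(facebook|meta verified|blue badge)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message; sender and recipient are placeholders.
SAMPLE_LURE = """\
From: Support Team <noreply@relay-platform.example>
To: user@example.org
Subject: Your Facebook page will be permanently disabled
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass

Respond to the copyright claim here:
https://help-center-case.netlify.app/appeal
"""

def triage(raw):
    """Return the reasons a message looks like an authenticated brand lure."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = "".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    text = msg.get("Subject", "") + "\n" + body
    if not BRAND_WORDS.search(text):
        return []                      # no Facebook/Meta claim, nothing to check
    reasons = []
    if not any(sender == d or sender.endswith("." + d) for d in BRAND_SENDERS):
        reasons.append(f"brand named by unrelated sender domain {sender}")
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    for host in sorted(h for h in hosts if h.endswith(FREE_HOSTING)):
        reasons.append(f"brand-themed link on free hosting: {host}")
    auth = msg.get("Authentication-Results", "").lower()
    if reasons and "dmarc=pass" in auth:
        # Passing SPF/DKIM/DMARC proves the relay sent it, not that it is Meta.
        reasons.append("dmarc=pass: authentication alone will not block this")
    return reasons

if __name__ == "__main__":
    for reason in triage(SAMPLE_LURE):
        print(reason)
```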
Fake “free blue badge” offer
Among other things, the hackers have included an offer for a “free Facebook blue badge” without the need for a Meta Verified subscription. Victims are directed to undergo fake CAPTCHA tests and provide their passwords and 2FA codes.
Other lures include threats to permanently disable the victim’s account or demands to respond to a copyright claim.
How do you save your Facebook account?
Most of the accounts at risk are in the United States, Italy, Canada, the Philippines, India, Spain, Australia, the United Kingdom, Brazil, and Mexico.
Users are advised to turn on two-factor authentication, not click on links sent via email, and never provide credentials when following an email link.



