Cybersecurity researchers at Guardio Labs have reported a large Facebook phishing campaign that used trusted web services to steal account access. The operation, named AccountDumpling, allegedly compromised more than 30,000 Facebook accounts across several countries.
The campaign targeted Facebook Business account owners with fake Meta policy warnings, account review notices, verification offers, and recruiter messages. Researchers linked parts of the activity to Vietnam after reviewing file metadata, source code comments, and open web records.
Guardio Labs said the attackers used Google AppSheet as a phishing relay to send emails from a legitimate Google-linked address. The messages came from “noreply@appsheet.com,” which helped them pass email checks such as SPF, DKIM, and DMARC.
Because the emails came through trusted Google systems, many filters did not flag them as suspicious. The attackers used this trust to send fake Facebook warnings to business users. The messages claimed that accounts faced deletion, copyright action, or policy review unless the owner submitted an appeal.
Security researcher Shaked Chen described the activity as more than a single phishing kit. He said, “What we found wasn’t a single phishing kit,” adding that it was “a living operation with real-time operator panels, advanced evasion, continuous evolution and a criminal-commercial loop.”
The quote shows how researchers viewed the campaign as an active network rather than a simple email scam. However, Guardio’s findings remain based on its own investigation and the records it reviewed.
The first attack cluster directed victims to Netlify-hosted pages that copied the Facebook Help Center. These pages used unique subdomains for each target, which helped them avoid normal URL blocklists.
These pages collected Facebook login details and also asked victims for dates of birth, phone numbers, and government-issued ID photos. The stolen data was then sent to attacker-controlled Telegram channels.
A second cluster used fake blue badge verification offers. These pages ran on Vercel and displayed names such as “Security Check” or “Meta | Privacy Center.” Victims first faced a fake CAPTCHA screen before they reached the phishing page.
The pages collected contact details, business data, passwords, and two-factor authentication codes. According to Guardio, some pages forced users to retry their login, which helped attackers capture more accurate credentials.
A third cluster used Google Drive to host PDFs that looked like Meta verification instructions. The documents were made through a free Canva account and included links to phishing pages.
After victims opened the links, attackers could collect passwords, two-factor codes, ID photos, and browser screenshots. The phishing pages also used a Socket.IO-based panel, which allowed operators to interact with victims in real time.
This setup let attackers guide each session while the victim was still online. They could request specific codes and watch parts of the process through captured screenshots.
Guardio also found a fourth cluster that used direct social engineering. In this case, attackers posed as recruiters from brands such as Meta, WhatsApp, Adobe, Pinterest, Apple, and Coca-Cola. They built trust through messages before moving victims to attacker-controlled channels.
Guardio said the attackers used Telegram bots and private channels to collect stolen credentials and session tokens. This system allowed operators to receive data quickly and attempt account takeovers before victims recovered access.
Researchers found around 30,000 victim records linked to the first three clusters. Many victims were located in the United States, Italy, Canada, the Philippines, India, Spain, Australia, the United Kingdom, Brazil, and Mexico.
The campaign mainly targeted Facebook accounts with business value. Stolen accounts and pages can support ad fraud, scam campaigns, and resale activity in underground markets.
Guardio also reported attribution clues linked to Vietnam. Metadata from Canva-generated PDFs listed the author name “PHẠM TÀI TÂN.” Further open-source checks led researchers to a website linked to digital marketing services.
Chen said the findings form “a consistent picture of a large, Vietnamese-based, mega operation.” Still, the public evidence does not amount to a formal law enforcement finding.
The AccountDumpling case shows how phishing groups can misuse trusted platforms such as Google AppSheet, Netlify, Vercel, Google Drive, Canva, and Telegram. It also shows why Facebook Business users remain frequent targets for account theft and resale.
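Mail relayed through AppSheet passes SPF, DKIM, and DMARC, and per-target subdomains defeat exact-URL blocklists, so a triage check has to compare the authenticated sender with the brand the message claims and match links on hosting suffix instead. The following Python is an added example, not Guardio's code; the suffix list, brand domains, reason labels, and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions: hosting suffixes for platforms the article names, and the
# sender domains Meta is expected to use. Tune both for your environment.
SHARED_HOSTS = ("netlify.app", "vercel.app", "drive.google.com")
BRAND_DOMAINS = ("facebook.com", "facebookmail.com", "meta.com")
BRAND_WORDS = re.compile(r"\b(meta|facebook)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def under(host, suffixes):
    """True if host equals, or is a subdomain of, one of the suffixes."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def triage(raw):
    """Return the reasons a raw RFC 5322 message deserves review."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    auth = msg.get("Authentication-Results", "").lower()
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
             if not p.is_multipart()]
    text = msg.get("Subject", "") + "\n" + b"\n".join(parts).decode("utf-8", "replace")
    reasons = []
    # A pass result authenticates the sending domain only, so compare that
    # domain with the brand the message claims to speak for.
    if BRAND_WORDS.search(text) and not under(sender_domain, BRAND_DOMAINS):
        reasons.append("brand-sender-mismatch")
        if "dmarc=pass" in auth:
            reasons.append("mismatch-despite-dmarc-pass")
    # Match the hosting suffix, not the full URL: per-target subdomains
    # never repeat, so exact-URL blocklists miss them.
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if under(host, SHARED_HOSTS):
            reasons.append("shared-host-link:" + host)
    return reasons

# Constructed sample message, not taken from the campaign.
SAMPLE = """From: AppSheet <noreply@appsheet.com>
Subject: Meta policy review: submit your appeal
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Your Facebook page faces deletion. Appeal here:
https://case-48213.netlify.app/help
"""
if __name__ == "__main__":
    print(triage(SAMPLE))
```

Legitimate tools also send from these platforms, so the returned reasons are inputs to review or scoring, not a block decision on their own.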