
Vietnamese Hackers Use Google AppSheet for Facebook Phishing

Vietnamese cybercriminals exploited Google AppSheet to orchestrate a massive phishing campaign targeting 30,000 Facebook accounts through an operation called AccountDumpling.

1 May 2026, 20:09

Last updated 3 May 2026, 03:26

Severity: Medium
Exploit: Active Exploit
Patch status: Unavailable
Vendor: Google, Facebook
Affected: Google AppSheet, Facebook acco...
Category: Cyber Attacks

AccountDumpling Campaign Exploits Google AppSheet Infrastructure

Security researchers at Guardio discovered a sophisticated Vietnamese-linked phishing operation on May 1, 2026, that weaponized Google's AppSheet platform to orchestrate large-scale Facebook credential theft. The campaign, dubbed AccountDumpling, represents a novel abuse of legitimate cloud services to bypass traditional email security filters and establish persistent phishing infrastructure.

The attackers leveraged Google AppSheet's legitimate domain reputation and built-in email capabilities to create what researchers describe as a "phishing relay" system. This approach allowed the threat actors to send convincing phishing emails that appeared to originate from Google's trusted infrastructure, significantly increasing their success rate against unsuspecting Facebook users. The campaign's sophistication extends beyond simple credential harvesting, incorporating automated account validation and immediate monetization through underground marketplaces.

Guardio's investigation revealed that the operation had been running for several weeks before detection, with the attackers continuously refining their techniques to evade security measures. The use of AppSheet represents a concerning evolution in phishing tactics, as it exploits the inherent trust users place in Google's ecosystem. The campaign targeted Facebook users across multiple regions, with particular focus on accounts with business pages and advertising capabilities, which command higher prices in underground markets.

The threat actors demonstrated advanced operational security by compartmentalizing their infrastructure across multiple platforms. Beyond Google AppSheet, the operation incorporated Netlify for hosting malicious landing pages and Telegram for command and control communications. This multi-platform approach made detection and takedown efforts significantly more challenging for security teams and platform providers.

Facebook Users and Business Account Holders Targeted

The AccountDumpling operation specifically targeted Facebook users with valuable account profiles, including business page administrators, advertising account holders, and users with established social networks. Security researchers estimate that approximately 30,000 Facebook accounts were compromised during the campaign's active period. The attackers prioritized accounts with monetization potential, particularly those linked to Facebook Business Manager or with active advertising campaigns running.

Victims spanned multiple geographic regions, though the campaign showed particular concentration in English-speaking markets and regions with high Facebook business adoption rates. The phishing emails were crafted to appear as legitimate Facebook security notifications, warning users about suspicious login attempts or policy violations that required immediate account verification. Users who fell victim to these emails were directed to convincing replica Facebook login pages hosted on compromised infrastructure.

Small business owners and social media managers represented a significant portion of the affected user base, as these accounts often have elevated privileges and access to advertising budgets. The attackers specifically sought accounts with payment methods attached, active advertising campaigns, or large follower bases that could be leveraged for further malicious activities. The compromised accounts were then sorted and priced based on their perceived value in underground marketplaces.

Multi-Stage Phishing Infrastructure and Monetization

The AccountDumpling operation employed a sophisticated multi-stage attack chain that began with Google AppSheet serving as the initial phishing relay. The attackers created legitimate-appearing AppSheet applications that automatically generated and sent phishing emails to targeted Facebook users. These emails contained links that redirected victims through multiple intermediate domains before landing on convincing Facebook login replicas hosted on Netlify's content delivery network.

Once victims entered their credentials on the fake login pages, the stolen information was immediately validated against Facebook's servers to confirm account access. Successfully compromised accounts were then catalogued in an automated system that assessed their value based on factors including follower count, business page ownership, advertising spend history, and linked payment methods. This automated triage system allowed the attackers to quickly identify and prioritize high-value accounts for immediate sale.

The monetization component of the operation involved an illicit storefront where compromised Facebook accounts were sold to other cybercriminals. Prices ranged from $10 for basic personal accounts to several hundred dollars for business accounts with active advertising capabilities. The storefront operated through encrypted messaging platforms and accepted payments in cryptocurrency to maintain operational anonymity. Security researchers documented the full attack infrastructure spanning multiple legitimate platforms abused for malicious purposes.

To protect against similar attacks, Facebook users should enable two-factor authentication on their accounts and carefully verify the authenticity of security-related emails. Organizations should implement email security solutions capable of detecting abuse of legitimate cloud services and educate employees about sophisticated phishing techniques that leverage trusted platforms. The discovery of this campaign highlights the evolving threat landscape where attackers increasingly abuse legitimate cloud infrastructure to bypass traditional security controls.
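As an added example (not from Guardio's research or this article), one way to express the email-side check described above: flag mail that claims to be Facebook but is sent through an app-platform relay or links to hosts outside Facebook-owned domains. The sender domain `appsheet.com`, the brand keywords, the Facebook domain list and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions, not taken from the article: the relay sender domain, the brand
# keywords and the list of Facebook-owned domains. Tune them for your mail flow.
RELAY_DOMAINS = ("appsheet.com",)
BRAND_DOMAINS = ("facebook.com", "fb.com", "meta.com", "facebookmail.com")
HOSTING_SUFFIXES = (".netlify.app",)
BRAND_RE = re.compile(r"\b(facebook|meta)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

# Constructed sample messages (not real campaign artifacts).
LURE = """From: "Facebook Security" <noreply@appsheet.com>
Subject: Policy violation: verify your account

Verify within 24 hours: https://constructed-sample.netlify.app/login
"""
BENIGN = """From: "Inventory App" <noreply@appsheet.com>
Subject: Weekly stock report

Open the report: https://www.appsheet.com/start/constructed-id
"""

def in_domains(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw):
    """Return the reasons a message looks like a brand lure sent via an app relay."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    text_parts = (p for p in msg.walk() if p.get_content_maintype() == "text")
    body = "".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                   for p in text_parts)
    branded = bool(BRAND_RE.search(name) or BRAND_RE.search(msg.get("Subject", "")))
    reasons = []
    if branded and in_domains(addr.rpartition("@")[2].lower(), RELAY_DOMAINS):
        reasons.append("brand-claim-via-app-relay")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if branded and host and not in_domains(host, BRAND_DOMAINS):
            reasons.append("off-brand-link:" + host)  # also catches redirect hops
        if host.endswith(HOSTING_SUFFIXES):
            reasons.append("free-hosting-link:" + host)
    return reasons

if __name__ == "__main__":
    print(triage(LURE), triage(BENIGN))
```

Because the sender domain is shared with legitimate AppSheet notifications, the rule keys on the mismatch between the claimed brand and the relay or link hosts rather than on the relay domain alone.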

Frequently Asked Questions

How did the AccountDumpling phishing campaign work?

The Vietnamese-linked operation used Google AppSheet as a phishing relay to send convincing emails that appeared to come from Google's trusted infrastructure. Victims were directed to fake Facebook login pages hosted on Netlify, where their credentials were stolen and immediately validated.

How many Facebook accounts were compromised in AccountDumpling?

Security researchers estimate that approximately 30,000 Facebook accounts were compromised during the campaign. The attackers specifically targeted business accounts and users with advertising capabilities, which were then sold through underground marketplaces.

How can I protect my Facebook account from similar phishing attacks?

Enable two-factor authentication on your Facebook account and carefully verify the authenticity of security-related emails. Always navigate directly to Facebook's official website rather than clicking links in emails, and be suspicious of urgent security warnings requesting immediate action.
