
How Attackers Are Exploiting Google AppSheet to Compromise 30,000 Facebook Accounts
A sophisticated phishing operation has emerged that demonstrates a troubling trend in cybercrime: the abuse of legitimate enterprise tools to conduct large-scale credential theft. Security researchers have uncovered a coordinated campaign that has successfully compromised approximately 30,000 Facebook accounts by weaponizing Google AppSheet, a no-code application development platform.
The Operation: AccountDumpling
The campaign, dubbed AccountDumpling by Guardio Labs, represents more than a simple phishing attack. It is a fully operational cybercriminal infrastructure that combines multiple platforms and tactics to steal credentials, extract sensitive data, and resell compromised accounts through underground marketplaces.
What makes this operation particularly dangerous is its use of trusted infrastructure. The attackers leverage Google AppSheet's legitimate notification system to deliver phishing emails that bypass traditional security checks. Because the emails originate from authentic Google domains such as [email protected] and appsheet.bounces.google.com, they pass the SPF, DKIM, and DMARC authentication checks that most organizations rely upon for email security.
How the Attack Works
The phishing emails target Facebook Business account owners with messages impersonating Meta Support. The attackers create a false sense of urgency, claiming account violations or security issues requiring immediate action. When users click on the provided links, they are directed to fake credential harvesting pages designed to appear legitimate.
The operation employs a multi-layered approach with different attack clusters, each using distinct tactics and hosting infrastructure.
Attack Vectors
The attackers utilize several methods to compromise accounts. The first involves fake account disablement notices claiming copyright violations. Users are directed to submit appeals through links that lead to phishing pages hosted on Vercel. These pages employ advanced evasion techniques, including Unicode obfuscation and multi-step flows that capture both passwords and two-factor authentication codes.
Another variation uses Google Drive-hosted PDF documents that claim to contain account verification instructions. These PDFs, created using free Canva accounts, embed interactive links powered by WebSockets. This allows attackers to interact with victims in real time and dynamically adapt their approach based on user behavior.
A third cluster offers incentives such as blue badge verification or advertising rewards to lure victims into engagement. These pages employ sophisticated credential capture mechanisms that harvest login information across multiple interaction steps.
Finally, some attacks deviate from traditional phishing entirely. Attackers pose as recruiters from major technology and consumer brands including Meta, WhatsApp, Apple, Adobe, and Coca-Cola. They initiate conversations that build rapport before directing victims to attacker-controlled environments where credential harvesting occurs.
Data at Risk
When accounts are compromised through this operation, attackers collect far more than just passwords. The stolen data includes login credentials, two-factor authentication codes, personal business information, and government identification documents. This comprehensive data collection enables attackers to maintain persistent access and resell accounts with full control to other threat actors.
The exfiltrated data flows to Telegram channels operated by the attackers, where it is organized and monetized through illicit storefronts.
The Business Model Behind the Threat
What distinguishes AccountDumpling from isolated phishing campaigns is its commercial infrastructure. The stolen accounts are not simply used by a single group of attackers. Instead, they are resold through criminal marketplaces, creating a dark market around stolen Facebook assets. This includes trading account access, business identity information, advertising reputation, and even account recovery services.
This business model ensures the operation remains profitable and sustainable. The infrastructure continuously evolves to avoid detection while maintaining the operational capacity to steal and monetize stolen credentials at scale.
Why This Matters for Your Organization
The abuse of Google AppSheet highlights a critical vulnerability in how organizations approach email security. Many businesses trust email authentication protocols and the reputations of platforms like Google to filter threats. However, when legitimate platforms are compromised or weaponized, these security assumptions fail.
Facebook Business accounts are particularly valuable targets. These accounts often manage advertising budgets, customer relationships, and brand communications. Compromised accounts can be used to launch follow-on attacks, commit fraud, damage brand reputation, or facilitate further credential theft through trusted channels.
The scale of this operation is significant. With 30,000 accounts compromised, the potential impact extends across numerous organizations, industries, and geographic regions. The attacks specifically target business users rather than individual consumers, suggesting a focused effort to maximize the value of stolen credentials.
Protecting Your Facebook Business Accounts
Organizations should implement comprehensive security measures to protect their Facebook Business accounts from this and similar threats.
First, enable multi-factor authentication on all Facebook Business accounts. While attackers can capture two-factor codes during the phishing process, this additional layer still raises the bar for attackers and enables account recovery procedures.
Second, train employees to recognize phishing indicators. Even sophisticated attacks have behavioral signals. Unsolicited urgent requests, unexpected verification demands, and offers that seem too good to be true should trigger skepticism.
Third, implement email authentication and filtering at the organizational level. While AppSheet emails pass standard authentication, advanced email filtering services can identify anomalies in sender behavior and content patterns.
Fourth, monitor account activity for signs of compromise. Unusual login locations, changes to security settings, or unexpected administrative actions should trigger investigation.
Finally, establish clear incident response procedures for compromised accounts. The faster an organization can detect and respond to a compromise, the less damage can occur.
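The third measure above, together with the earlier point that AppSheet-relayed mail passes SPF, DKIM and DMARC, comes down to a check that authentication alone cannot make: whether an authenticated sender is speaking for a brand it has no business representing. The following Python script is an added example written for this article, not code from Guardio Labs, Google or any filtering vendor. It runs a handful of sender and content heuristics over two constructed messages. The sender local part, recipient domains, link hostname and Authentication-Results values are invented; only appsheet.bounces.google.com, Vercel and Google Drive as hosting locations come from the report.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Sender domains that authenticate legitimately but relay app-generated
# content. appsheet.bounces.google.com is named in the article; treating it
# as a "notification platform" is this example's assumption.
NOTIFICATION_PLATFORMS = ("appsheet.bounces.google.com",)

# Brands an AppSheet notification would never legitimately speak for.
IMPERSONATED_BRANDS = ("meta", "facebook")

# Urgency wording typical of the account-disablement lure described above.
URGENCY_TERMS = ("immediately", "within 24 hours", "disabled",
                 "violation", "suspended", "appeal")

# Hosts the article names as carrying phishing pages or lure documents.
# A link to them from a "support" notice is a signal, not proof.
SUSPECT_LINK_HOSTS = ("vercel.app", "drive.google.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _under(host, suffixes):
    """True if host equals or is a subdomain of any suffix."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def dmarc_passed(msg):
    """True if any Authentication-Results header reports dmarc=pass."""
    return any(re.search(r"\bdmarc=pass\b", v, re.I)
               for v in msg.get_all("Authentication-Results", []))


def score_message(raw):
    """Return a triage verdict for one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = " ".join((display_name, msg.get("Subject", ""), body)).lower()

    reasons = []
    # Authenticated platform sender whose display name/subject/body claims a brand.
    if _under(domain, NOTIFICATION_PLATFORMS) and any(
            re.search(rf"\b{b}\b", text) for b in IMPERSONATED_BRANDS):
        reasons.append("brand impersonation via notification platform")
    # Two or more urgency cues in one message.
    if sum(t in text for t in URGENCY_TERMS) >= 2:
        reasons.append("urgency language")
    # Links pointing at hosting used for the phishing pages.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if _under(host, SUSPECT_LINK_HOSTS):
            reasons.append(f"link to {host}")

    return {"from_domain": domain, "dmarc_pass": dmarc_passed(msg),
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample: lure in the style described in the article.
PHISH_SAMPLE = """From: "Meta Support" <app-notify@appsheet.bounces.google.com>
To: ads-admin@corp.example
Subject: Your Facebook Business account has been disabled for a copyright violation
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=appsheet.bounces.google.com; dkim=pass header.d=google.com; dmarc=pass header.from=appsheet.bounces.google.com
Content-Type: text/plain; charset=utf-8

Your page will be permanently removed within 24 hours unless you submit an appeal immediately:
https://appeal-review-center.vercel.app/case
"""

# Constructed sample: a benign AppSheet app notification from the same relay.
LEGIT_SAMPLE = """From: "Inventory Tracker (AppSheet)" <app-notify@appsheet.bounces.google.com>
To: warehouse@corp.example
Subject: Low stock alert: SKU-1042
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=appsheet.bounces.google.com; dkim=pass header.d=google.com; dmarc=pass header.from=appsheet.bounces.google.com
Content-Type: text/plain; charset=utf-8

SKU-1042 has dropped below its reorder point. Open the app to review the order.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, score_message(sample))
```

Both samples report dmarc_pass as True, which is exactly why a gateway rule keyed on authentication alone lets the lure through; only the first is flagged, on three independent signals. Treat the output as a quarantine or review score rather than a block decision: a genuine AppSheet app that reports on Facebook ad spend would trip the brand check, so the brand and host lists need tuning per organisation.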
The Broader Threat Landscape
The AccountDumpling operation reflects a broader trend in cybercrime. Threat actors increasingly recognize that legitimate platforms offer the credibility and infrastructure needed for successful social engineering at scale. Rather than building infrastructure from scratch, they weaponize existing services.
This pattern extends across platforms. Google Drive, Netlify, Vercel, and Canva are all legitimate services with strong security reputations that are being misused for phishing and credential theft. Under the shared responsibility model, both platform providers and their users must actively manage these risks.
Conclusion
The discovery of the AccountDumpling campaign serves as a reminder that sophisticated cybercrime operations operate as commercial enterprises. They invest in infrastructure, evolve their tactics, and optimize their operations for profit. Defending against these threats requires vigilance, layered security controls, and an understanding that trusted platforms can be weaponized.
Organizations managing Facebook Business accounts should review their security posture, ensure multi-factor authentication is enabled, and educate employees about the evolution of phishing tactics. The tools attackers use may be legitimate, but their intent is not. Awareness and security discipline remain the most effective defenses against credential theft at scale.