A Vietnamese threat actor group designated AccountDumpling compromised approximately 30,000 Facebook accounts through a phishing campaign leveraging Google AppSheet as a relay infrastructure. The attackers configured AppSheet, Google's low-code application platform, to distribute phishing emails designed to harvest Facebook credentials. Once stolen, the threat actors monetized the compromised accounts by selling them through an illicit storefront operated by the group.
The use of legitimate Google infrastructure represents a notable evasion technique. AppSheet's trusted status reduces email filtering friction and increases user susceptibility to credential harvesting. Defenders should monitor for phishing emails originating from AppSheet domains or subdomains and implement email authentication controls including DMARC, SPF, and DKIM enforcement.
Organizations should educate users on phishing indicators and enforce multi-factor authentication on all critical accounts. Facebook users should enable login alerts and review connected apps. Security teams should treat compromised social media accounts as potential pivot points for further attacks, particularly in credential stuffing campaigns targeting employee accounts at target organizations.