Vietnamese phishing operation hijacks 30k Facebook accounts

Researchers uncovered a live criminal operation routing phishing emails through Google's own infrastructure to bypass spam filters, selling stolen accounts back through an illicit storefront run by the same group.

What happened

A Vietnamese-linked phishing operation codenamed AccountDumpling has compromised approximately 30,000 Facebook accounts, primarily targeting Facebook Business account owners with fake Meta Support emails urging them to submit an appeal or risk permanent deletion. According to The Hacker News, the campaign routes phishing emails through Google AppSheet's notification address, noreply@appsheet.com, allowing messages to pass spam filters that would flag unknown sender domains. Victims are directed to fake pages hosted on Netlify, Vercel, and Google Drive that harvest credentials, two-factor authentication codes, government ID photos, and browser screenshots, and exfiltrate the stolen data directly to Telegram channels controlled by the attackers. The stolen accounts are then resold through an illicit storefront operated by the same group.

Going deeper

Researchers identified four distinct campaign clusters. The first uses Netlify-hosted fake Facebook help center pages to capture credentials, as well as dates of birth, phone numbers, and government ID photographs. The second employs Vercel-hosted pages that impersonate Meta's Privacy Center, gated by a fake CAPTCHA before presenting the credential-harvesting form. The third distributes Google Drive-hosted PDFs that masquerade as account verification instructions, using the html2canvas tool to capture browser screenshots, including passwords and 2FA codes. The fourth sends fake job-offer emails impersonating companies such as WhatsApp, Meta, Adobe, and Apple to build rapport before directing targets to attacker-controlled sites. Researchers attributed the operation to a Vietnamese digital marketing firm after metadata in PDFs generated with a free Canva account listed a Vietnamese author, leading to the discovery of an openly registered website offering digital marketing services under the same name.

What was said

Researchers stated in their analysis shared with The Hacker News that the campaign was "not a single phishing kit" but "a living operation with real-time operator panels, advanced evasion, continuous evolution, and a criminal-commercial loop that quietly feeds on the same accounts it helps steal back." Researchers described the broader pattern as "trusted platforms repurposed as delivery, hosting, and monetization layers," noting that AppSheet, Netlify, Vercel, Google Drive, Canva, and Telegram all served functional roles in the attack chain without any of those platforms being compromised.

In the know

Vietnamese threat actors have run sustained campaigns against Facebook Business accounts for several years. According to BleepingComputer, a prior Vietnamese-linked operation targeted approximately 100,000 Facebook Business accounts per week using Messenger as a delivery vector, with stolen accounts resold on Telegram and dark web markets. The AccountDumpling operation follows the same monetization model, but adds a more sophisticated trusted-platform delivery chain that was not present in earlier campaigns, reflecting the same adoption of legitimate infrastructure documented across other 2026 phishing operations.

The big picture

Healthcare organizations that use Facebook Business accounts for patient outreach, appointment reminders, or community health advertising are within the scope of this campaign. A compromised Facebook Business account gives attackers access to advertising credits and audience data, and the ability to run malicious ads under a trusted brand identity, enabling them to target the organization's own patient community with further phishing attempts. The campaign also illustrates a structural pattern that has recurred in 2026: attackers using Google AppSheet, GitHub, Jira, n8n, and other recognized platforms as delivery infrastructure, specifically to exploit the trust those platforms carry with email security filters. Microsoft's Q1 2026 email threat data documented 8.3 billion phishing emails detected in a single quarter, with trusted-platform abuse among the fastest-growing delivery techniques as attackers systematically move toward infrastructure that authentication checks cannot flag.

FAQs

Why does sending phishing emails from a Google AppSheet address bypass spam filters?

Spam filters assess sender reputation based on the sending domain and IP address. A message sent from noreply@appsheet.com comes from Google's own infrastructure, which carries a high trust score. The filter has no way to distinguish a legitimate AppSheet notification from a malicious one, because both originate from the same authorized sender.

What makes Facebook Business accounts particularly valuable to attackers?

Facebook Business accounts are linked to advertising budgets, billing information, and established audience relationships. Attackers can drain advertising credits, run malicious campaigns under the compromised brand's trusted identity, or sell the account to other criminal operators seeking a seasoned account with a positive ad history to avoid Meta's fraud detection.

How does the criminal-commercial loop work in this operation?

The same group that steals accounts also sells account recovery services, meaning victims who lose access may unknowingly pay the attackers who stole their account to recover it. The loop creates a recurring revenue stream from the same victim pool.

Why does distributing PDFs through Google Drive add legitimacy to the attack?

A link to a Google Drive-hosted file bypasses reputation-based URL filtering because the destination domain is drive.google.com, not a suspicious or unknown domain. Recipients are also accustomed to receiving Google Drive links as a normal part of professional communications, reducing the suspicion that a direct phishing link would raise.
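Because sender reputation and URL reputation both pass for mail relayed through AppSheet or linking to Google Drive, Netlify, or Vercel (the two FAQ answers above), a gateway has to look at the combination of signals instead. The following is an added example, not code from the article or from any vendor: a small content-based scorer that flags a message when a trusted notification sender carries a Meta/Facebook account-action lure pointing at free hosting. The two sample messages and the landing-page hostname are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Notification senders that pass reputation checks because the mail genuinely
# originates from the platform (the article names AppSheet; extend as needed).
TRUSTED_RELAY_DOMAINS = {"appsheet.com"}
# Hosting named in the article for the credential-harvesting landing pages.
LANDING_HOSTS = ("netlify.app", "vercel.app", "drive.google.com")
# Lure wording: brand name followed somewhere by an account-action trigger.
BRAND_LURE = re.compile(
    r"\b(meta|facebook)\b.*\b(appeal|support|deletion|verification)\b", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def on_landing_host(host):
    return any(host == h or host.endswith("." + h) for h in LANDING_HOSTS)

def score_message(raw):
    """Return (score, reasons) for a raw RFC 5322 message string."""
    msg = message_from_string(raw)
    m = re.search(r"@([\w.-]+)", msg.get("From") or "")
    sender_domain = m.group(1).lower() if m else ""
    payload = msg.get_payload(decode=True)
    body = payload.decode(errors="replace") if isinstance(payload, bytes) else str(payload)
    text = (msg.get("Subject") or "") + " " + body
    reasons = []
    if sender_domain in TRUSTED_RELAY_DOMAINS:
        reasons.append("relayed via trusted notification sender")
    if BRAND_LURE.search(text):
        reasons.append("Meta/Facebook account-action lure")
    hits = sorted({host_of(u) for u in URL_RE.findall(body) if on_landing_host(host_of(u))})
    if hits:
        reasons.append("link to free hosting: " + ", ".join(hits))
    return len(reasons), reasons

# Constructed samples: a lure in the style the article describes, and a benign
# AppSheet notification that shares the same trusted sender.
PHISH = """From: AppSheet <noreply@appsheet.com>
To: admin@example-clinic.test
Subject: Meta Support: your Business account appeal is required

Submit an appeal within 24 hours or your page faces permanent deletion:
https://meta-help-center-appeal.netlify.app/appeal
"""
BENIGN = """From: AppSheet <noreply@appsheet.com>
To: admin@example-clinic.test
Subject: Inventory app: 3 rows updated

Your AppSheet app has new changes: https://www.appsheet.com/start/example
"""
```

A score of 3 (trusted relay, brand lure, free-hosting link) is the signature worth quarantining; the benign notification scores 1 on sender alone, which is why sender reputation by itself cannot separate the two.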

What should organizations do if a Facebook Business account is compromised?

Immediately revoke all active sessions through Facebook's security settings, remove any unfamiliar users with admin access to the Business Manager, review ad account activity for unauthorized campaigns, and contact Meta's Business Support to flag the compromise. Organizations should also check whether the compromised account was used to run ads targeting their own patient or customer communities, as those audiences may have been exposed to further phishing attempts.
