Cybercriminals hijacked tens of thousands of Facebook accounts using infected browser extensions. The campaign was well-organized and went unnoticed for a long time.
Researchers recently discovered a large-scale phishing campaign that used Google AppSheet as a “repeater” for sending emails to victims; it is believed to have originated from Vietnam. The primary purpose of the campaign was to obtain access to victims’ Facebook accounts, which the attackers could then sell for income.
This campaign has been labeled “AccountDumpling” by researchers at Guardio, who estimate that approximately 30,000 accounts were compromised. Once access was gained, the attackers resold the accounts through an underground online marketplace they had established and controlled.
According to Shaked Chen, the AccountDumpling attack was unlike most common phishing campaigns. Instead of using pre-built phishing kits, the attackers ran what appears to be a live operation, with real-time control over the phishing panels. Operator panels and real-time updates, combined with evasion of fraud detection and continuous evolution, made the campaign difficult to detect and track down. The criminals also created a commercial cycle in which stolen accounts were fed back into the operation as they were being stolen.
The initial phishing attempt came by email. These emails were usually sent to business account owners and said something along the lines of: “You must act now or your page will be deleted.” As with many successful phishing attempts, the email appeared legitimate. Many users do not realize that the domain shown for [email protected] belongs to Google AppSheet. Because spammers rarely send from legitimate domains, many spam filters do not flag emails coming from reputable companies.
Once again, emotion played a major role in getting the user to act quickly enough to fall victim. Feeling compelled to react immediately, the user clicked the link provided, which led to a fake login page.
Facebook has been plagued by multiple waves of cyberattacks designed to create widespread panic. Each wave used a variety of fake scenarios: account blocked (or locked), copyright complaint, verification request, job offer, and suspicious login report.
Researchers identified three main methods the fraudsters used to carry out these schemes:
Fraudulent Facebook Help Center pages hosted on Netlify. These not only took over users’ accounts but also collected additional sensitive personal information such as date of birth, phone number, ID photo and similar data. Everything gathered was relayed to the fraudsters’ Telegram channels.
Blue-badge (i.e., verified), secure-looking pages hosted on Vercel. After a simulated CAPTCHA, these attempted to gather users’ contact information, business details, usernames/passwords, and two-factor authentication codes.
Disguised instruction PDF files (created with free Canva accounts) hosted on Google Drive. Users were asked to provide sensitive information such as their password, 2FA code, document photo, and/or browser screenshot(s).
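As the article lays it out, the campaign combined three observable traits: a legitimate sending domain (Google AppSheet), a Facebook-themed urgency lure, and a landing page on free hosting (Netlify, Vercel, Google Drive). The triage heuristic below, run over two constructed messages, is an added example and not code from Guardio or the article; the appsheet.com sender address and the netlify.app / vercel.app hostnames are assumptions, since the page names the services but not the exact hosts.

```python
import re
from email import message_from_string

# Constructed sample messages (not from the article). The AppSheet sender address
# is an assumption: the page only says the sending domain belongs to Google AppSheet.
PHISH_SAMPLE = """\
From: Page Support <noreply@appsheet.com>
To: owner@example-business.test
Subject: Facebook Business page: final notice

You must act now or your page will be deleted.
Confirm your identity here: https://help-center-review.netlify.app/verify
"""

BENIGN_SAMPLE = """\
From: AppSheet <noreply@appsheet.com>
To: owner@example-business.test
Subject: Your app was deployed

Your app "Inventory" is live at https://www.appsheet.com/start/abc123
"""

RELAY_DOMAINS = {"appsheet.com"}  # legitimate relay abused per the article (assumed host)
LURE_HOSTS = {"netlify.app", "vercel.app", "drive.google.com"}  # hosting named in the article
URGENCY = re.compile(r"act now|will be deleted|account (blocked|locked)|copyright complaint"
                     r"|verification request|suspicious login", re.I)
URL_HOST = re.compile(r"https?://([^/\s\"'<>]+)", re.I)

def host_in(host, suffixes):
    """True if host equals or is a subdomain of any suffix in the set."""
    host = host.lower().split(":")[0]
    return any(host == s or host.endswith("." + s) for s in suffixes)

def triage(raw):
    """Score one raw, single-part RFC 5322 message on the three campaign signals."""
    msg = message_from_string(raw)
    sender = re.search(r"@([\w.-]+)", msg.get("From", ""))
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    signals = {
        "legit_relay": bool(sender) and host_in(sender.group(1), RELAY_DOMAINS),
        "facebook_urgency": "facebook" in text.lower() and URGENCY.search(text) is not None,
        "free_hosting_link": any(host_in(h, LURE_HOSTS) for h in URL_HOST.findall(text)),
    }
    score = sum(signals.values())
    # A trusted relay alone is normal traffic; it becomes suspicious only in combination.
    return {"signals": signals, "score": score, "suspicious": score >= 2}
```

The benign sample shows why a reputation-only filter misses this campaign: the sender domain is identical in both messages, and only the lure text and landing host separate them.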
Approximately 30,000 victim records were found in Telegram channels connected to this fraudulent operation. Most victims were in the United States, Italy, Canada, the Philippines, India, Spain, Australia, the UK, Brazil and Mexico, and most had lost control of their accounts.
As for the masterminds behind the scheme, there is circumstantial evidence suggesting it originates from Vietnam. For example, the name “PHẠM TÀI TÂN” appeared in the metadata of the PDF files. OSINT research on this name led the researcher to the domain phamtaitan[.]vn, which appears to be owned by PHẠM TÀI TÂN, who according to his website is a digital marketing service provider.
Although Pham Tai Tan describes himself on social media as a marketing consultant and service provider, all of the evidence indicates he is engaged in something far more nefarious.
According to Chen’s findings, this is merely one small part of what can best be described as an underground marketplace for stolen Facebook profiles. He believes that anything can be bought there: access to your profile, business page management rights, advertising credibility/branding rights and even Facebook account recovery services.
Again, as Chen astutely observed, legitimate platforms are increasingly becoming little more than vehicles for distributing phishing scams, hosting phishing pages and ultimately profiting from stolen user data.