Google AppSheet Exploited in 30,000-User Facebook Phishing Operation
Vietnamese-linked group exploits Google AppSheet to steal 30,000 Facebook Business accounts globally.
Summary
Guardio Labs uncovered a sophisticated phishing operation code-named AccountDumpling that abuses Google AppSheet and Google Drive to bypass email authentication and compromise Facebook Business accounts. The campaign uses four distinct attack clusters—including fake copyright complaints, social engineering lures, live operator panels via Google Drive PDFs, and fake job recruitment—and has affected over 30,000 users predominantly in the US, UK, Canada, and Italy. Stolen credentials are funneled to Telegram bots and sold on a dark marketplace run by aliases "Big Bosss" and "@mansinblack," representing a professional supply-chain operation.
Full text
Scammers are abusing Google AppSheet and Google Drive to bypass security filters and steal thousands of Facebook Business accounts globally.

By Deeba Ahmed, May 2, 2026 (2 minute read)

Cybersecurity researchers at Guardio Labs have discovered a massive phishing operation that uses Google's own infrastructure to hijack Facebook accounts. The research reveals a Vietnamese-linked operation code-named AccountDumpling that has already compromised over 30,000 users globally.

AppSheet Abuse

Guardio Labs researchers explained in the report that the campaign abuses the notification system of Google AppSheet, a no-code tool designed for business automation. Through this service, the attackers send emails from [email protected] and appsheet.bounces.google.com. Because these emails originate from Google's servers, they pass the SPF, DKIM and DMARC authentication checks.

Researchers noted that the phishing lures use Meta-related themes, such as fake copyright complaints or account disablement warnings. One email from April 2026 included the text "Case ID: 6480258166" and warned of permanent disablement within 24 hours.

Technical Methods and Attack Clusters

Researchers noted that this isn't just one simple trick. The operation is split into different methods, or clusters, to catch different types of victims:

- Cluster A, Netlify clones: Some attackers used a tool called HTTrack to copy the Facebook Help Centre. They hosted these copies on Netlify to steal passwords and photos of government IDs.
- Cluster B, the reward trap: Another group used social engineering lures, such as promising Blue Badge verification. They used zero-font-style tricks such as Cyrillic homoglyphs (a Cyrillic "а" in place of a Latin "a") and hair spaces (invisible Unicode characters) to bypass spam filters.
- Cluster C, live control: This cluster is the scariest, as it is highly advanced. It uses a Google Drive-hosted PDF together with Socket.IO and WebSockets to create a live operator panel. When the victim clicks through, the operators can interact with the victim in real time to request 2FA (two-factor authentication) codes.
- Cluster D, fake recruitment: This involves fake job offers for brands like Adobe, Apple, and Coca-Cola, and redirects victims to private WhatsApp chats.

Attack clusters (Source: Guardio Labs)

Attribution

Further investigation revealed a clear trail leading back to Vietnam. A Canva-generated PDF file from the attack contained the name Phạm Tài Tân in its metadata. The same name is linked to a business that openly "helps" people recover locked Facebook accounts.

According to the researchers, the data stolen by these kits is sent to Telegram bots such as @haixuancau_bot and @globalglobalglobalbot_bot. These channels are run by users known by the aliases "Big Bosss" and "@mansinblack."

While the attack is global, 68.6% of the victims in the main dataset were from the United States, followed by the UK, Canada, and Italy.

Guardio Labs warned that this is a professional supply chain: one group steals the account, and another sells the access back or uses it for fraud. It's a dark business model that turns user trust into a product.
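To show how a mail gateway could triage the AppSheet-relayed lures and the homoglyph/hair-space evasion described above, here is an added Python example (not from the article or from Guardio's report). It parses a constructed message modelled on the reported lure, checks whether the sender path goes through the AppSheet bounce domain quoted above while SPF, DKIM and DMARC all pass, strips invisible characters before keyword matching, and lists Cyrillic letters mixed into Latin text. The From address and the receiving mail host are placeholders, and the lure keyword list is an assumption.

```python
import email
import re
import unicodedata
from email import policy
from email.utils import getaddresses

# Constructed sample modelled on the lure in the report: the bounce domain, Case ID and
# 24-hour wording are quoted from the article; the From address and mail host are
# placeholders. Escapes put a Cyrillic o/a in the subject and a hair space in "disabled".
SAMPLE_EML = """From: AppSheet <noreply@placeholder.invalid>
Return-Path: <bounce@appsheet.bounces.google.com>
Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass
Subject: Meta C\u043epyright Compl\u0430int - Case ID: 6480258166
Content-Type: text/plain; charset=utf-8

Your page will be permanently dis\u200aabled within 24 hours. Appeal now.
"""

APPSHEET_BOUNCE = "appsheet.bounces.google.com"
INVISIBLE = {"\u200a", "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}  # hair/zero-width chars
LURE = re.compile(r"copyright|disabl|case id|verification|blue badge|24 hours", re.I)  # assumed list

def suspicious_chars(text):
    """(char, Unicode name) for invisible code points and Cyrillic/Greek letters mixed into Latin text."""
    named = [(c, unicodedata.name(c, "")) for c in text]
    has_latin = any(n.startswith("LATIN") for _, n in named)
    return [(c, n) for c, n in named if c in INVISIBLE or (has_latin and n.startswith(("CYRILLIC", "GREEK")))]

def sender_domains(msg):
    addrs = getaddresses(msg.get_all("From", []) + msg.get_all("Return-Path", []))
    return [a.rsplit("@", 1)[1].lower() for _, a in addrs if "@" in a]

def triage(raw_eml):
    """Flag Meta-themed lures relayed through AppSheet's bounce domain with clean auth results."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    subject = str(msg["Subject"] or "")
    body = msg.get_payload()  # single-part sample; walk() the parts for multipart mail
    text = subject + "\n" + body
    auth = str(msg["Authentication-Results"] or "")
    clean = "".join(c for c in text if c not in INVISIBLE)  # undo hair-space word splitting
    result = {
        "appsheet_bounce": any(d.endswith(APPSHEET_BOUNCE) for d in sender_domains(msg)),
        "auth_pass": all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc")),
        "lure_terms": sorted({m.lower() for m in LURE.findall(clean)}),
        "evasion_chars": suspicious_chars(text),
    }
    result["flag"] = result["appsheet_bounce"] and bool(result["lure_terms"])
    return result
```

Note that "Copyright" spelled with a Cyrillic o is not matched by the keyword list even after cleaning, which is exactly why the homoglyph check runs alongside it.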
Indicators of Compromise
- domain — appsheet.bounces.google.com
- malware — AccountDumpling