{"id":12567,"date":"2026-05-02T10:03:41","date_gmt":"2026-05-02T10:03:41","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/02\/attackers-abuse-google-appsheet-netlify-and-telegram-in-facebook-phishing-campaign\/"},"modified":"2026-05-02T10:03:41","modified_gmt":"2026-05-02T10:03:41","slug":"attackers-abuse-google-appsheet-netlify-and-telegram-in-facebook-phishing-campaign","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/02\/attackers-abuse-google-appsheet-netlify-and-telegram-in-facebook-phishing-campaign\/","title":{"rendered":"Attackers Abuse Google AppSheet, Netlify, and Telegram in Facebook Phishing Campaign"},"content":{"rendered":"

Attackers Abuse Google AppSheet, Netlify, and Telegram in Facebook Phishing Campaign
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A sophisticated cybercriminal operation dubbed \u201cAccountDumpling\u201d has compromised approximately 30,000 Facebook accounts worldwide. <\/p>\n

Discovered by Guardio Labs<\/a>, this Vietnamese-linked campaign abuses Google\u2019s AppSheet platform to bypass traditional email security filters. <\/p>\n

By routing fully authenticated phishing lures through legitimate channels, the attackers successfully harvest credentials and identity documents. These stolen Facebook Business accounts<\/a> are subsequently monetized or resold back to victims through an illicit storefront.<\/p>\n

The foundation of this campaign relies on hijacking platform trust rather than spoofing domains. The threat actors use Google AppSheet, a legitimate no-code app-building service, to distribute malicious notifications. <\/p>\n

\"Email
Email phishing (Source: Guard Labs)<\/figcaption><\/figure>\n

Because these emails are sent directly from Google servers using the address\u00a0noreply@appsheet.com, they easily pass SPF, DKIM, and DMARC authentication checks. <\/p>\n

\"Account
Account Dumpling (Source: Guard Labs)<\/figcaption><\/figure>\n

Security defenders and spam filters<\/a> consistently wave these messages through since Google genuinely owns the sending infrastructure. This forces victims to rely entirely on identifying the deceptive content within the message itself.<\/p>\n

Attack and Evasion Methodologies<\/strong><\/h2>\n

The operation is highly modular, employing four distinct phishing clusters to target victims based on different psychological triggers.<\/p>\n

\n\n\n\n\n\n\n\n\n
Cluster Type<\/th>\nLure Strategy<\/th>\nHosting Platform<\/th>\nTechnical Features<\/th>\n<\/tr>\n<\/thead>\n
Policy Violation<\/td>\nFake Facebook Help Center notices threatening permanent account disablement\u00a0<\/a>\n<\/td>\nNetlify\u00a0<\/a>\n<\/td>\nHTTrack cloning artifacts, unique subdomains to evade blocklists, serverless functions for data exfiltration\u00a0<\/a>\n<\/td>\n<\/tr>\n
Reward Promise<\/td>\nInvitations for Blue Badge verification or exclusive advertiser rewards\u00a0<\/a>\n<\/td>\nVercel\u00a0<\/a>\n<\/td>\nUnicode obfuscation in preheaders, fake reCAPTCHA barriers, live credential validation scripts\u00a0<\/a>\n<\/td>\n<\/tr>\n
Live Control<\/td>\nUrgent Meta notices disguised as a clean, single-image notification\u00a0<\/a>\n<\/td>\nGoogle Drive (Canva PDFs)\u00a0<\/a>\n<\/td>\nWebSocket-based live phishing panels enabling real-time, human-in-the-loop interaction\u00a0<\/a>\n<\/td>\n<\/tr>\n
Social Engineering<\/td>\nFake senior job offers from prominent tech companies like Meta and Apple\u00a0<\/a>\n<\/td>\nOff-platform communication channels\u00a0<\/a>\n<\/td>\nCyrillic homoglyphs in sender display names, pivoting to live conversations to slowly build trust\u00a0<\/a>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Behind the sophisticated front-end lures, the AccountDumpling operation relies entirely on Telegram bots for its command-and-control exfiltration. <\/p>\n

\"Telegram
Telegram Phishing Campaign(Source: Guard Labs)<\/figcaption><\/figure>\n

Stolen credentials, two-factor authentication codes, dates of birth, and government-issued ID photos are instantly routed to private Telegram channels. <\/p>\n

Operators actively monitor these streams to validate the stolen data <\/a>and execute account takeovers in real time. Telemetry from the recovered bot infrastructure indicates roughly 30,000 victim records have been processed. <\/p>\n

Geographic analysis reveals that 68.6 percent of the targeted individuals and businesses are located in the United States.<\/p>\n

\"Canva
Canva Generated Phishing (Source: Guard Labs)<\/figcaption><\/figure>\n

Guardio Labs successfully traced the core of the operation to a Vietnamese threat actor through a critical operational security failure. <\/p>\n

\"Phishing
Phishing Campaign (Source: guardLabs)<\/figcaption><\/figure>\n

A Canva-generated PDF used in the third attack cluster retained its author metadata, exposing the real name \u201cPH\u1ea0M T\u00c0I T\u00c2N\u201d. Investigators connected this name to a public business persona in Vietnam that actively advertises Facebook account recovery and security services. <\/p>\n

This reveals a circular criminal economy in which attackers steal valuable business assets, use them to run fraudulent campaigns, and then attempt to sell recovery services back to the original victims.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post Attackers Abuse Google AppSheet, Netlify, and Telegram in Facebook Phishing Campaign<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Dhivya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Attackers Abuse Google AppSheet, Netlify, and Telegram in Facebook Phishing Campaign A sophisticated cybercriminal operation dubbed \u201cAccountDumpling\u201d has compromised approximately 30,000 Facebook accounts worldwide. Discovered by Guardio Labs, this Vietnamese-linked campaign abuses Google\u2019s AppSheet platform to bypass traditional email security filters. By routing fully authenticated phishing lures through legitimate channels, the attackers successfully harvest credentials […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,163,124,1],"tags":[130],"class_list":["post-12567","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-google","category-phishing","category-uncategorized","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12567"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12567"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12567\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12567"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=12567"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12567"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}