AppSheet phishing operation stole about 30,000 Facebook accounts

Vietnam-linked actors used Google AppSheet ‘[email protected]’ phishing to steal about 30,000 Facebook Business accounts and exfiltrated credentials, 2FA codes and IDs to Telegram.

Security firm Guardio found a phishing operation that used Google AppSheet ‘[email protected]’ to send emails that led to the theft of about 30,000 Facebook Business accounts. The campaign has been labeled AccountDumpling.

Emails impersonated Meta Support and told business account owners to submit an appeal or face permanent deletion. Messages were sent from an AppSheet address to bypass spam filters and directed recipients to fake web pages that collected login credentials and identity documents. The activity was observed over recent weeks.

Investigators mapped four main phishing clusters. One used Netlify-hosted pages posing as Facebook help portals to collect dates of birth, phone numbers and photos of government IDs before forwarding the data to Telegram. A second used Vercel-hosted pages promising blue verification badge checks and gated pages with a bogus CAPTCHA; after a forced retry these pages captured contact details, business information, credentials and two-factor authentication codes.

A third cluster used Google Drive-hosted PDF instructions that redirected users to phishing landing pages. Those PDFs were generated with a free Canva account and used html2canvas to capture browser screenshots along with passwords, 2FA codes and ID photos. The fourth cluster consisted of fake job offers that impersonated companies such as WhatsApp, Meta and Apple to lure targets into calls or onto attacker-controlled sites.

Guardio reported that Telegram channels tied to the first three clusters contained about 30,000 victim records. Most victims were located in the United States, Italy, Canada, the Philippines, India, Spain, Australia, the U.K., Brazil and Mexico. Many account owners were locked out and the stolen assets were offered for sale on an illicit storefront run by the operators.

Metadata in the Canva-generated PDFs listed the name PHẠM TÀI TÂN as author, and open-source traces pointed to a website at phamtaitan[.]vn offering digital marketing services under the same name. Security researcher Shaked Chen wrote in a report: ‘What we found wasn’t a single phishing kit. It was a living operation with real-time operator panels, advanced evasion, continuous evolution and a criminal-commercial loop that quietly feeds on the same accounts it helps steal back.’

Guardio noted the actors used legitimate cloud and document services as delivery, hosting and exfiltration layers to increase deliverability and evade detection. The firm said Facebook account access, business identity, ad reputation and account recovery mechanisms are treated as tradable commodities on underground markets.
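A mail-triage heuristic for the lure traits described above (a trusted-platform sender, Meta branding, appeal-or-deletion pressure, links to free hosting), added here as an illustration and not taken from Guardio's report. The sender domain, hosting suffixes, Meta mail domains and the sample message are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed values, not taken from the article: sender domain, hosting suffixes, Meta mail domains.
PLATFORM_SENDERS = {"appsheet.com"}
HOSTING_SUFFIXES = ("netlify.app", "vercel.app", "drive.google.com")
META_DOMAINS = {"facebookmail.com", "facebook.com", "meta.com"}
BRAND = re.compile(r"\b(meta|facebook)\b", re.I)
PRESSURE = re.compile(r"\b(appeal|permanent(ly)? delet\w+|verification badge)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def on_domain(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def body_text(msg):
    chunks = []
    for part in msg.walk():  # covers single-part and multipart messages
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_email):
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    text = body_text(msg)
    claimed = f"{display} {msg.get('Subject', '')} {text}"
    hosts = [urlparse(u).hostname or "" for u in URL.findall(text)]
    signals = []
    if on_domain(sender, PLATFORM_SENDERS):
        signals.append("platform_sender")
    if BRAND.search(claimed) and not on_domain(sender, META_DOMAINS):
        signals.append("brand_mismatch")
    if PRESSURE.search(claimed):
        signals.append("pressure_wording")
    if any(on_domain(h, HOSTING_SUFFIXES) for h in hosts):
        signals.append("free_hosting_link")
    # Flag only on a brand/sender mismatch backed by at least two other traits.
    return {"signals": signals, "flag": "brand_mismatch" in signals and len(signals) >= 3}

# Constructed sample message (not a real campaign email).
LURE = ('From: "Meta Support" <noreply@appsheet.com>\nSubject: Final notice\n\n'
        "Your Facebook Business account faces permanent deletion.\n"
        "Submit an appeal: https://example-help.netlify.app/appeal\n")
if __name__ == "__main__":
    print(triage(LURE))
```

A sender on a trusted platform is not suspicious by itself, so the flag requires the brand mismatch plus two supporting signals; ordinary AppSheet notifications produce only `platform_sender`.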

The activity follows other phishing efforts that exploit Meta-related panic themes such as account disablement, copyright complaints and verification reviews, using trusted platforms to harvest credentials and sensitive personal data from business account holders.
