More than 30,000 Facebook accounts have been compromised in a large phishing operation that exploited trusted internet services to make fraudulent messages appear legitimate, sharpening concerns over how cybercriminals are turning mainstream cloud tools into delivery channels for account theft.
Cybersecurity researchers have identified the campaign as AccountDumpling, a Vietnamese-linked operation aimed largely at Facebook Business users, page administrators and account operators. The attackers used Google AppSheet to send authenticated emails, Netlify and Vercel to host deceptive pages, Google Drive to deliver phishing documents, and Telegram bots to collect stolen credentials and identity data.
The operation marks a shift from older phishing methods built around spoofed domains, poor email authentication and suspicious servers. Messages in this campaign came through genuine Google infrastructure, including AppSheet notification systems, so they passed common authentication checks such as SPF, DKIM and DMARC. Those checks confirm that the sending domain authorised the message, not that its content is honest, so mail relayed through a legitimate service authenticates as that service. That gave the emails a level of credibility that many security filters are designed to trust.
Victims were typically told their Facebook page had been flagged for a policy violation, copyright complaint, account lock or verification review. Some emails warned that access would be permanently disabled unless the recipient acted within 24 hours. Others offered blue badge evaluation, advertising rewards or recruitment opportunities linked to well-known brands.
The lures were designed to create either panic or opportunity. Users who clicked were directed to pages mimicking Facebook or Meta support flows, where they were asked to submit passwords, phone numbers, dates of birth, two-factor authentication codes and, in some cases, government-issued identity documents. These details could allow attackers not only to enter accounts but also to obstruct recovery attempts by the rightful owners.
One major cluster used Netlify-hosted fake Facebook Help Centre pages. Each target could be sent to a unique subdomain, reducing the usefulness of blocklists and takedown notices. Some pages collected full account recovery data, while later versions moved exfiltration logic to serverless functions, making the flow harder for defenders to inspect.
A second cluster relied on Vercel-hosted pages offering blue badge checks or advertiser benefits. These pages used fake CAPTCHA screens, countdown timers and multi-step forms to appear more credible. Victims were pushed through repeated password entries and multiple requests for two-factor authentication codes while the attackers validated credentials in real time.
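The two signals described above, authenticated mail whose content impersonates a brand and links to brand-themed subdomains on shared hosting platforms, can be checked mechanically at the mail gateway. The following Python is an added example written for this article, not code from the researchers or from any vendor: it parses a constructed message, confirms SPF, DKIM and DMARC all pass, and then flags the mismatch between the display name and the signing domain, brand keywords on Netlify or Vercel hostnames, and deadline language. The sending domain, the brand allow-list and the hosting suffix list are assumptions for illustration.

```python
"""Triage inbound mail that passes SPF/DKIM/DMARC yet impersonates a brand.
Added example; all domains and sample messages are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real capture). "saas-example.test" stands in for
# any legitimate notification service that signs mail with its own domain.
PHISH = """\
Authentication-Results: mx.victim-example.test; spf=pass smtp.mailfrom=notify.saas-example.test; dkim=pass header.d=saas-example.test; dmarc=pass header.from=saas-example.test
From: "Meta Business Support" <no-reply@saas-example.test>
To: admin@victim-example.test
Subject: Your page has been flagged for a policy violation
Content-Type: text/plain; charset=utf-8

Your page will be permanently disabled within 24 hours unless you verify it:
https://meta-help-center-7f3a.netlify.app/appeal
"""

# Constructed benign message from the same platform, with no impersonation.
BENIGN = """\
Authentication-Results: mx.victim-example.test; spf=pass smtp.mailfrom=notify.saas-example.test; dkim=pass header.d=saas-example.test; dmarc=pass header.from=saas-example.test
From: "Inventory App" <no-reply@saas-example.test>
To: admin@victim-example.test
Subject: Weekly stock report
Content-Type: text/plain; charset=utf-8

Your report is ready: https://app.saas-example.test/reports/42
"""

BRAND_WORDS = ("meta", "facebook", "instagram", "whatsapp")
# Assumed allow-list of domains the defender accepts as the brand's own senders.
BRAND_DOMAINS = ("meta.com", "facebook.com", "facebookmail.com")
# Platforms where anyone can register a subdomain (illustrative, not exhaustive).
FREE_HOSTING = ("netlify.app", "vercel.app")
URGENCY = ("24 hours", "permanently disabled", "within 48 hours")


def parse_auth_results(value: str) -> dict:
    """Extract method=result pairs and the DKIM signing domain (header.d)
    from an Authentication-Results header in RFC 8601 layout."""
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))
    m = re.search(r"header\.d=([\w.-]+)", value)
    results["dkim_domain"] = m.group(1).lower() if m else None
    return results


def is_brand_domain(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)


def triage(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    auth_passed = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    findings = []

    # 1. Display name claims a brand, but neither the From domain nor the DKIM
    #    signer belongs to it: the mail is authentic, just not from the brand.
    if any(w in display.lower() for w in BRAND_WORDS):
        if not is_brand_domain(from_domain) and not is_brand_domain(auth.get("dkim_domain") or ""):
            findings.append("brand_name_signed_by_third_party")

    # 2. Links to a brand-themed subdomain on a shared hosting platform; matching
    #    on the platform suffix plus keywords survives per-victim unique subdomains.
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        on_free_host = any(host == s or host.endswith("." + s) for s in FREE_HOSTING)
        if on_free_host and any(w in host for w in BRAND_WORDS):
            findings.append(f"brand_keyword_on_shared_hosting:{host}")

    # 3. Deadline language typical of the lures described in the article.
    if any(p in body.lower() for p in URGENCY):
        findings.append("urgency_language")

    return {
        "auth_passed": auth_passed,
        "findings": findings,
        "verdict": "suspicious" if len(findings) >= 2 else "clean",
    }


if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, triage(raw))
```

The point of the benign sample is that the authentication results are identical in both messages; a filter that stops at "dmarc=pass" cannot tell them apart, while the content-level checks do.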
A third strand used Google Drive-hosted PDFs created through Canva. The documents appeared to contain Meta-related verification instructions, but embedded links redirected users to interactive phishing panels. These panels gave operators live control over the session, allowing them to respond to user actions, request additional codes or ask for identity documents while the victim remained on the page.
A fourth cluster used fake recruitment approaches impersonating companies such as Meta, WhatsApp, Adobe, Pinterest, Apple and Coca-Cola. Rather than immediately harvesting credentials through a form, these messages attempted to move the target into a conversation, often through a call or attacker-controlled site. This made the activity harder to classify as conventional phishing at the email stage.
Telegram played a central role in the operation. Stolen data was routed through several bots into private channels where operators could monitor credentials as they arrived. Researchers estimated roughly 30,000 victim records across the bot infrastructure, with new records still appearing during the investigation. One dataset showed a heavy concentration of victims in the United States, followed by users in Italy, Canada, the Philippines, India, Spain, Australia, the UK, Brazil and Mexico.
The campaign also showed signs of commercialisation. Stolen accounts were not merely used for one-off access. They appeared to feed a wider market in which hijacked business pages, advertising accounts, identity material and account recovery services could be resold. That cycle creates a damaging loop: attackers steal access, lock out the victim, and then monetise the same access through underground services or recovery offers.