Full Report
A newly discovered Vietnamese-linked operation has been observed using Google AppSheet as a "phishing relay" to distribute phishing emails with the aim of compromising Facebook accounts. The activity has been codenamed AccountDumpling by Guardio, with the scheme selling the stolen accounts back through an illicit storefront run by the threat actors. In all, roughly 30,000 Facebook accounts are
Analysis Summary
# Incident Report: Project AccountDumpling Phishing Campaign
## Executive Summary
A Vietnamese-linked threat actor group utilized Google AppSheet as a "phishing relay" to bypass email security filters and harvest Facebook credentials. The operation successfully compromised approximately 30,000 Facebook accounts, which were subsequently monetized through an illicit storefront.
## Incident Details
- **Discovery Date:** September 2023 (Reported by Guardio)
- **Incident Date:** Ongoing at time of discovery
- **Affected Organization:** Meta (Facebook users)
- **Sector:** Social Media / Individual Users
- **Geography:** Global (Campaign originated from Vietnam-linked actors)
## Timeline of Events
### Initial Access
- **Date/Time:** 2023
- **Vector:** Phishing via Google AppSheet
- **Details:** Attackers leveraged Google AppSheet's legitimate automation features to send emails. Because the emails originated from trusted Google servers (e.g., `appsheet[.]com`), they successfully bypassed traditional Secure Email Gateways (SEGs) and landed in user inboxes.
### Lateral Movement
- **Movement:** Not applicable in the traditional corporate-network sense; the attack chain moved from the "phishing relay" to the victim's browser and from there to the attacker's command-and-control (C2) server.
### Data Exfiltration/Impact
- **Compromise:** Users were directed to a fake Facebook login page.
- **Exfiltration:** Captured credentials and session cookies were sent back to the threat actors' database.
### Detection & Response
- **Detection:** Discovered by Guardio researchers through telemetry analysis showing an abuse of the AppSheet platform.
- **Response Actions:** Google was notified of the abuse; Guardio blocked the malicious domains for their users and published findings to alert the public.
## Attack Methodology
- **Initial Access:** Phishing emails sent via a legitimate AppSheet app integration.
- **Persistence:** Not applicable; focused on credential harvesting.
- **Privilege Escalation:** N/A.
- **Defense Evasion:** Use of trusted Google infrastructure (`appsheet[.]com`) to avoid "untrusted sender" flags or domain reputation filters.
- **Credential Access:** Credential harvesting via look-alike Facebook login pages.
- **Discovery:** N/A.
- **Lateral Movement:** N/A.
- **Collection:** Automated collection of usernames and passwords through the phishing landing page.
- **Exfiltration:** HTTPS POST requests to attacker-controlled infrastructure.
- **Impact:** Theft of personal accounts for resale on the dark web or illicit storefronts.
## Impact Assessment
- **Financial:** High for victims (potential for identity theft or further scams); significant revenue generation for the threat actor storefront.
- **Data Breach:** Approximately 30,000 Facebook accounts compromised.
- **Operational:** Disruption to individual users; loss of access to business pages managed by these accounts.
- **Reputational:** Minimal for the platforms involved, but the case illustrates the ongoing risk of "Living off Trusted Cloud Services" (LoTCS) abuse.
## Indicators of Compromise
- **Network indicators:**
  - `appsheet[.]com` (abused legitimate domain)
  - `facebook-security-verification[.]com` (example phishing domain, defanged)
- **File indicators:** N/A (web-based attack).
- **Behavioral indicators:** Redirection from a Google-hosted application to an external, non-Facebook domain requesting login credentials.
## Response Actions
- **Containment:** Removal of the malicious AppSheet applications by Google following report.
- **Eradication:** Shutdown of associated phishing landing pages.
- **Recovery:** Users were advised to change passwords and enable Two-Factor Authentication (2FA).
## Lessons Learned
- **Key takeaways:** Threat actors are increasingly moving away from hosting their own mail servers in favor of abusing legitimate SaaS platforms (Google, Microsoft) to ensure delivery.
- **Platform Abuse:** Trust in a sender domain (such as google.com) does not mean the content the platform relays is safe.
## Recommendations
- **Platform Providers:** Implement stricter rate limiting and content inspection on automated email features within low-code/no-code platforms like AppSheet.
- **Organizations:** Update email security policies to inspect the body content and final destination URLs of emails, even if the sender domain is reputable.
- **Individual Users:** Use hardware security keys or authenticator apps for 2FA; password-only or SMS-based authentication is easily bypassed by this type of "AccountDumpling" relay.
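The behavioral indicator above (a trusted Google-hosted sender whose link ends on a non-Facebook login page) and the recommendation to inspect body content and final destination URLs can be turned into a simple mail-pipeline check. The following is an added example written for this report, not Guardio's or Google's code; the sample email, the pre-resolved redirect table standing in for a sandboxed URL fetch, and the trusted-relay and brand-domain lists are all constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample, not a real capture: a mail relayed through a trusted
# SaaS sender whose link ultimately lands on a look-alike login page.
SAMPLE_EMAIL = """\
From: AppSheet <noreply@appsheet.com>
Subject: Action required: verify your Facebook page

Your page will be restricted. Confirm here:
https://www.appsheet.com/start/app-0000?redirect=1
"""
# Hypothetical pre-resolved redirect table standing in for a sandboxed URL
# fetch; a real pipeline would follow the chain in an isolated fetcher.
REDIRECT_MAP = {
    "https://www.appsheet.com/start/app-0000?redirect=1":
        "https://facebook-security-verification.com/login",
}
TRUSTED_RELAYS = {"appsheet.com", "google.com"}  # reputable sender domains
BRAND_DOMAINS = {"facebook.com", "fb.com"}       # where a Facebook link must land
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def in_domain(host, domains):
    """True if host equals or is a subdomain of any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)

def final_destination(url):
    """Follow the pre-resolved redirect chain, stopping on a loop."""
    seen = {url}
    while url in REDIRECT_MAP and REDIRECT_MAP[url] not in seen:
        url = REDIRECT_MAP[url]
        seen.add(url)
    return url

def analyze(raw):
    """Flag links in a Facebook lure from a trusted relay whose final host is off-brand."""
    msg = message_from_string(raw)
    sender = msg.get("From", "").split("@")[-1].rstrip("> ").lower()
    body = msg.get_payload()
    lure = "facebook" in (msg.get("Subject", "") + " " + body).lower()
    findings = []
    if not (in_domain(sender, TRUSTED_RELAYS) and lure):
        return findings
    for url in URL_RE.findall(body):
        dest = final_destination(url)
        host = (urlparse(dest).hostname or "").lower()
        if not in_domain(host, BRAND_DOMAINS):
            findings.append({"link": url, "final": dest, "host": host})
    return findings
```

Sender reputation alone passes this message; the finding comes from combining the brand lure with where the link actually terminates.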