AccountDumpling: the phishing relay that steals 30,000 Facebook accounts using AppSheet and free platforms


A new report illustrating the sophistication of contemporary digital fraud describes an operation linked to Vietnam that has exploited legitimate services such as Google AppSheet to mount what researchers have called a phishing relay and to put stolen Facebook accounts on the market. The campaign, nicknamed AccountDumpling by the firm that investigated the case, is not merely an isolated phishing kit: it is a living operation with real-time operator panels, constant development and a criminal business cycle that turns account access into a commodity, according to analyses published by the researchers who raised the alarm.

The attack combines social engineering with abuse of trusted platforms: emails that appear to come from Meta support, sent from a legitimate AppSheet sender ("noreply@appsheet.com") to get past anti-spam filters, direct victims (usually Facebook account holders or businesses) to fake pages hosted on services such as Netlify, Vercel or Google Drive. These pages mimic verification processes, document submission or policy reviews and are designed to capture credentials, 2FA codes, identification photographs and browser metadata. Some of the information collected ends up centralized in Telegram channels controlled by the attackers, and the records seized point to 30,000 compromised accounts with victims in multiple countries.

The picture that emerges has important implications for companies and users: in addition to the direct damage from loss of access, advertising theft and impersonation, there is a secondary market that monetizes business reputation, business identity and account recovery processes, which encourages more attacks. It is also worrying that malicious actors systematically use free or easily accessible public providers (AppSheet, Netlify, Vercel, Google Drive, Cova) to deliver malicious content, taking advantage of the trust that filters and users themselves place in these platforms.

To reduce individual and corporate risk, there are concrete measures that should be applied immediately: do not respond to urgent emails requesting credentials or follow links from unverified messages; always check the authenticity of the contact channel through the official Meta console or the business account on Facebook; enable more robust authentication methods such as physical keys (FIDO2 / WebAuthn) or authenticator apps instead of SMS; review and revoke active sessions, application permissions and third-party access from the account settings; and audit the roles and permissions of page administrators and advertising accounts. At the technical level, organizations should strengthen mail policies with SPF, DKIM and DMARC, set up advanced filters and train teams and customers on common lures such as fake verification processes or supposed job offers from large brands.
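One way to express the "advanced filter" for the relay pattern described above, as an added example that is not from the report or any vendor: because mail genuinely sent by AppSheet is not stopped by sender checks alone, the rule looks for a mismatch between the claimed brand, the real sender and the link destinations. The hostnames in `FREE_HOSTS`, the `META_DOMAINS` allow-list and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

RELAY_SENDER = "noreply@appsheet.com"   # sender address quoted in the article
# Assumed hostnames for the services the article names; adjust to your telemetry.
FREE_HOSTS = ("netlify.app", "vercel.app", "drive.google.com")
META_DOMAINS = ("meta.com", "facebook.com", "facebookmail.com")  # assumed allow-list
BRAND = re.compile(r"\b(meta|facebook)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def in_domains(host, domains):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def body_text(msg):
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            parts.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def reasons(raw):
    """Return the list of relay-phishing indicators found in one raw message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    found = []
    if addr.lower() == RELAY_SENDER:
        found.append("appsheet-relay-sender")
    claims_brand = BRAND.search(f"{display} {msg.get('Subject', '')}")
    if claims_brand and not in_domains(addr.rpartition("@")[2], META_DOMAINS):
        found.append("brand-sender-mismatch")
    hosts = {urlparse(u).hostname for u in URL.findall(body_text(msg))}
    if any(in_domains(h, FREE_HOSTS) for h in hosts):
        found.append("free-hosting-link")
    return found

def is_suspicious(raw):
    return len(reasons(raw)) >= 2   # one indicator alone is normal AppSheet mail

# Constructed sample messages (not taken from the campaign).
PHISH = ("From: Meta Support <noreply@appsheet.com>\n"
         "Subject: Policy review required for your Facebook page\n\n"
         "Verify here: https://constructed-sample.netlify.app/review\n")
BENIGN = ("From: AppSheet <noreply@appsheet.com>\n"
          "Subject: Your inventory app report is ready\n\n"
          "Open: https://www.appsheet.com/start/constructed-id\n")
```

Requiring two indicators keeps ordinary AppSheet notifications out of the quarantine queue while still catching a message that borrows the relay address to pose as Meta.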

Beyond reactive actions, cooperation between platform providers, security firms and authorities is key to detecting and dismantling the infrastructure that serves as "layers" of the fraud. Providers such as AppSheet, Cova, Netlify or Vercel face the challenge of balancing availability and abuse: improving the detection of templates used in phishing, vetting the automation of PDFs or malicious pages and accelerating the response to reports are necessary steps to cut off the commercial circuit of the scam.

If you suspect that your Facebook account has been compromised, use only the official recovery channels provided by Meta and document any suspicious communication before acting; keep screenshots and emails for a possible investigation. To go deeper into the context and findings reported by security researchers, you can consult news and awareness sources such as The Hacker News, phishing training and attack simulation resources such as KnowBe4, and Meta's official documentation on corporate security in Facebook Business Help. The lesson is clear: security is no longer only technical, it is also a battle for trust in platforms; strengthening it requires technical measures, processes and continuing education.
