Vietnamese Hackers Exploit Google AppSheet to Breach 30,000 Facebook Accounts

<article> <h2 id="overview">Cybercriminals Turn Google’s Own Tool Into a Phishing Weapon</h2> <p>Security researchers at Guardio have uncovered a sophisticated phishing campaign — dubbed <strong>AccountDumpling</strong> — that leverages Google’s low-code platform <strong>Google AppSheet</strong> to trick victims into handing over their Facebook credentials. The operation, believed to originate from Vietnam, has already compromised roughly <strong>30,000 Facebook accounts</strong>, which are then sold on an illicit storefront run by the same threat actors.</p><figure style="margin:20px 0"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilUS_xmTpvaJtwhFTnxsBtKSx2hWroMJKWUCKeB_CNx_9-5T85bdpqGfTZ0__XITi-i6ZnndaiiiFggf3Cgf-35KK-G6sEwvnlqom2DK6U-oH_o9GhEGNyd9kiSti-QC_dpl3v7b7IniC9kAUzV265yVbVsWAnLnH1RfQxrftUHj5MFAm03MOBw3Z6UEVb/s1600/phish.jpg" alt="Vietnamese Hackers Exploit Google AppSheet to Breach 30,000 Facebook Accounts" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: feeds.feedburner.com</figcaption></figure> <p>Unlike classic phishing attacks that rely on fake login pages hosted on shady domains, this campaign hijacks the trust associated with Google services. By using AppSheet as a “phishing relay,” attackers send emails that appear legitimate and direct users to a credential-stealing page hosted within the Google ecosystem. This makes the scheme harder to detect for both users and email filters.</p> <h2 id="how-it-works">How the AppSheet Phishing Relay Works</h2> <p>Google AppSheet is a no-code platform widely used by businesses to build custom applications. Attackers abuse its ability to create web forms and <strong>redirect users</strong> to external URLs. 
The <a href="#stepbystep">attack flow</a> proceeds as follows:</p> <ol> <li><strong>Phishing email sent</strong> — The victim receives a message appearing to come from Facebook or a related service, often with a sense of urgency (e.g., “suspicious login attempt” or “account restricted”).</li> <li><strong>Link points to AppSheet</strong> — The email contains a link that opens a Google AppSheet-generated form or page. Because the domain is <em>appsheet.com</em> or a subdomain, it passes many email security checks.</li> <li><strong>Credential harvesting</strong> — The AppSheet page either directly asks for Facebook credentials or redirects to a fake Facebook login page hosted elsewhere. The stolen data is then exfiltrated to the attackers’ server.</li> <li><strong>Account takeover and resale</strong> — Once the credentials are verified, the threat actors take control of the Facebook account and add it to their inventory on a dedicated storefront, selling each account for a few dollars.</li> </ol> <h3 id="stepbystep">Step-by-Step Infection Chain</h3> <p>Guardio’s analysis reveals that the attackers exploited AppSheet’s “form” and “automation” features to create a seamless relay. The platform allowed them to:</p> <ul> <li>Generate anonymous forms that log submissions.</li> <li>Set up server-side redirects without needing their own infrastructure.</li> <li>Use Google’s own certificates to avoid SSL warnings.</li> </ul> <p>This technique, sometimes called <em>living off the land</em>, makes the phishing campaign significantly more resilient to takedown efforts. When one AppSheet app is removed, the attackers can quickly spin up another.</p> <h2 id="impact">Scale of the AccountDumpling Campaign</h2> <p>As of the report, approximately <strong>30,000 Facebook accounts</strong> have been compromised. The stolen accounts are sold through a private Telegram channel and a web-based marketplace that accepts cryptocurrency. 
Prices range from $5 to $15 per account, depending on the account’s age, friend count, and activity level.</p> <p>The campaign appears to target users globally, with a slight concentration in Southeast Asia and the United States. Because the phishing emails are crafted in multiple languages, the operation has a broad reach. Guardio researchers note that the attackers have been active for <strong>at least six months</strong>, indicating a well-organized, persistent threat.</p> <h2 id="why-it-works">Why This Attack Is So Effective</h2> <p>Several factors contribute to the success of the AppSheet phishing relay:</p> <ul> <li><strong>Trust in Google domains</strong> — Many users and security tools automatically whitelist Google-owned URLs, bypassing typical email filters.</li> <li><strong>Low cost and easy setup</strong> — AppSheet’s free tier allows attackers to create malicious apps at no charge, and the platform requires minimal technical skill.</li> <li><strong>Abuse of legitimate functionality</strong> — AppSheet is designed for building useful apps, not for hosting phishing pages. 
Its moderation and abuse detection are not optimized for this threat.</li> <li><strong>Rapid account turnover</strong> — Once a Facebook account is stolen, the attackers quickly change the password and enable two-factor authentication (2FA) to lock out the genuine owner.</li> </ul> <h2 id="defense">How to Protect Your Facebook Account</h2> <p>Both individuals and organizations can take steps to guard against this type of phishing:</p> <h3>For Individuals</h3> <ul> <li>Always check the URL before entering credentials — even if it starts with <code>https://</code> and looks official. Hover over links to preview the destination.</li> <li><strong>Enable two-factor authentication (2FA)</strong> using an authenticator app, not SMS. This adds a layer of protection even if credentials are stolen.</li> <li>Be wary of urgent messages claiming your account will be disabled. 
Instead of clicking the link, log in directly by typing <code>facebook.com</code> into your browser.</li> <li>Use a password manager that warns you about duplicate or suspicious login pages.</li> </ul> <h3>For Organizations</h3> <ul> <li>Train employees to recognize phishing emails that abuse trusted platforms like Google, Microsoft, or Apple.</li> <li>Implement email security solutions that perform <strong>link sandboxing</strong> and scan for malicious redirects.</li> <li>Monitor for unusual outbound traffic from corporate devices that could indicate credential theft.</li> </ul> <h2 id="google-response">Google’s Role and Mitigation</h2> <p>Google has been notified of the AccountDumpling campaign. The company’s security team typically responds by removing malicious AppSheet apps and updating their automated detection systems. However, because AppSheet is a platform for legitimate businesses, Google must balance abuse prevention with usability. Users who encounter a suspicious AppSheet form can <a href="https://support.google.com/appsheet/answer/10369087?hl=en" target="_blank">report it through official channels</a>.</p> <p>In the meantime, users are advised to stay vigilant and adopt the <a href="#defense">protective measures</a> listed above. No platform is immune to abuse, and attackers will continue to find creative ways to exploit legitimate services.</p> <h2 id="conclusion">Final Thoughts</h2> <p>The AccountDumpling campaign highlights an evolving trend in cybercrime: leveraging trusted platforms as stepping stones for attacks. By abusing Google AppSheet, the Vietnamese-linked group was able to bypass traditional defenses and compromise tens of thousands of Facebook accounts. As low-code and no-code platforms proliferate, security teams must adapt their threat models to account for <em>trust abuse</em> attacks. Meanwhile, users should always treat unexpected login prompts with skepticism — even when they come from a familiar domain.</p> </article>
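The organizational advice above (scan links even when they sit on a trusted platform) can be turned into a mail-gateway check. The following is an added example, not code from Guardio or Google: it flags messages that claim to be from Facebook in the display name or subject, come from a non-Facebook sender, and link to an AppSheet host. The domain lists, verdict names and sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions: which sender domains count as Facebook-owned, and which
# app-hosting platforms to treat as possible relays (article names AppSheet).
BRAND_DOMAINS = ("facebook.com", "facebookmail.com", "meta.com")
RELAY_DOMAINS = ("appsheet.com",)
BRAND_WORDS = re.compile(r"\b(facebook|meta)\b", re.I)
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)

def under(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def host_of(url):
    try:
        return urlsplit(url).hostname
    except ValueError:          # malformed URL: treat as no host
        return None

def body_text(msg):
    """Decoded text/* parts of the message, joined."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def assess(raw_message):
    """Return (verdict, relay_links) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    claims_brand = bool(BRAND_WORDS.search(f"{name} {msg.get('Subject', '')}"))
    relay = [u for u in HREF.findall(body_text(msg)) if under(host_of(u), RELAY_DOMAINS)]
    if claims_brand and relay and not under(addr.rpartition("@")[2], BRAND_DOMAINS):
        return "quarantine", relay   # brand claim + relay link + non-brand sender
    return ("review" if relay else "pass"), relay

# Constructed sample message (not taken from the campaign).
SAMPLE = (
    'From: "Facebook Security" <alerts@mail.example>\n'
    "Subject: Your account has been restricted\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<p>Suspicious login attempt. <a href="https://www.appsheet.com/start/EXAMPLE-APP">Review</a></p>\n'
)

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Messages that link to the relay platform without a brand claim are returned as "review" rather than blocked, since legitimate business apps send such links too.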