A large-scale phishing campaign has compromised more than 30,000 Facebook accounts by exploiting Google AppSheet, highlighting how attackers increasingly weaponize trusted platforms to bypass security defenses.

Researchers at Guardio Labs uncovered the campaign while analyzing a surge in phishing emails sent through AppSheet’s notification system. Unlike traditional phishing attacks, these emails originated from legitimate Google infrastructure, including noreply@appsheet.com and appsheet.bounces.google.com. As a result, they successfully passed SPF, DKIM, and DMARC authentication checks, making them appear highly credible and difficult to detect.
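As an added, defender-side illustration (not code from Guardio's report): a small Python triage check showing why a passing SPF/DKIM/DMARC result is not sufficient here. It parses two constructed messages, a benign AppSheet notification and a lure in the style described in the campaign, and flags the one whose authenticated platform sender carries Facebook-brand impersonation or links to a throwaway netlify.app/vercel.app subdomain. All addresses, header values and URLs are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not real campaign artifacts). Both pass authentication
# because they really are relayed by the platform; only the content differs.
SAMPLE_PHISH = """\
From: "Facebook Support" <noreply@appsheet.com>
To: victim@example.com
Subject: Urgent: your Facebook Business account will be disabled
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=appsheet.bounces.google.com; dkim=pass header.d=appsheet.com; dmarc=pass header.from=appsheet.com
Content-Type: text/plain

Your page violated our policies. Verify now: https://help-center-4x9q2.netlify.app/verify
"""

SAMPLE_BENIGN = """\
From: AppSheet <noreply@appsheet.com>
To: user@example.com
Subject: Inventory app: new row added
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=appsheet.bounces.google.com; dkim=pass header.d=appsheet.com; dmarc=pass header.from=appsheet.com
Content-Type: text/plain

A new row was added to table Orders. Open the app: https://www.appsheet.com/start/abc
"""

PLATFORM_SENDERS = {"appsheet.com"}  # relay domains whose mail is authenticated but tenant-authored
BRAND_RE = re.compile(r"\b(facebook|meta|whatsapp)\b", re.I)
THROWAWAY_LINK_RE = re.compile(r"https?://[\w.-]+\.(?:netlify|vercel)\.app\S*", re.I)


def analyze(raw: str) -> dict:
    """Triage one RFC 5322 message; return the observed signals and a verdict."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "")
    authenticated = all(f"{mech}=pass" in auth for mech in ("spf", "dkim", "dmarc"))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = " ".join([msg.get("From", ""), msg.get("Subject", ""), body])
    brands = sorted({m.lower() for m in BRAND_RE.findall(text)})
    links = THROWAWAY_LINK_RE.findall(text)
    # Authentication vouches for the relay, not for what a tenant typed into it:
    # a platform sender that impersonates a brand or links to a throwaway host is the signal.
    suspicious = authenticated and sender_domain in PLATFORM_SENDERS and bool(brands or links)
    return {"authenticated": authenticated, "sender_domain": sender_domain,
            "brands": brands, "links": links, "suspicious": suspicious}

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, analyze(sample))
```

The same shape works as a mail-gateway rule: treat a DMARC pass from a notification platform as a reason to inspect content more closely, not less.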

Initially, researchers believed the activity targeted a limited number of Facebook Business users. However, further investigation revealed a coordinated and multi-layered campaign operating at scale. Attackers leveraged multiple platforms such as Netlify, Vercel, Google Drive, and Telegram, all integrated into a centralized system for data exfiltration and monetization.

Guardio researchers identified four distinct activity clusters, each employing different social engineering strategies to compromise accounts. First, attackers created fake Facebook Help Center pages hosted on Netlify. These pages prompted victims to submit login credentials and sensitive identity information, including government-issued IDs. Notably, attackers used unique subdomains for each victim, allowing them to evade detection and blocklists.

Meanwhile, the second cluster introduced incentive-based lures such as “blue badge” verification or advertising rewards. Hosted on Vercel, these phishing pages used advanced evasion techniques, including Unicode obfuscation and multi-step credential harvesting processes. Consequently, attackers captured passwords and two-factor authentication codes in real time.

In addition, the third cluster demonstrated a more advanced approach by using Google Drive-hosted PDFs as bait. Designed using Canva, these documents contained embedded links leading to interactive phishing panels powered by WebSockets. This setup allowed attackers to interact with victims dynamically and adjust tactics during the attack.

Furthermore, the fourth cluster deviated from standard phishing techniques by impersonating recruiters from major brands such as Meta, WhatsApp, and Apple. These interactions initially appeared legitimate but later shifted to attacker-controlled environments.

Investigators also discovered multiple Telegram bots collecting stolen data and streaming it to attacker-controlled channels. Their analysis confirmed approximately 30,000 compromised accounts, with around 68% of victims located in the United States, followed by users across Europe, Asia, and the Americas.

Attribution efforts revealed a crucial clue within a Google Drive-hosted PDF. Metadata from the file identified a Vietnamese name, “Phạm Tài Tân,” which researchers linked to an online persona offering Facebook account recovery services. This connection suggests a monetization cycle where attackers resell stolen accounts or charge fees to “recover” them. Additionally, technical indicators, including Vietnamese-language code comments and bot naming conventions, point to a modular ecosystem involving multiple threat actors.

Security experts strongly advise users to avoid clicking on links in “urgent” emails, enable two-factor authentication, and continuously monitor account activity for any signs of unauthorized access.
