The Vietnamese operation AccountDumpling uses the Google AppSheet service as a “phishing relay” to send emails on behalf of Meta and steal credentials from Facebook Business owners. Roughly 30,000 compromised accounts are then resold via an underground storefront, while the owners effectively lose control over their pages and ad accounts. Businesses and marketing agencies should already be explicitly blocking the “Meta via [email protected]” scenario, formalizing a procedure for verifying any notifications from Meta and immediately enabling two‑factor authentication on critical accounts.
Technical details of the AccountDumpling operation
The campaign primarily targets Facebook Business owners whose page and ad account access is directly tied to revenue. The attack starts with a phishing email supposedly from “Meta Support” threatening account deletion or blocking and offering to “file an appeal” via a link. A critical element of the scheme is that emails are sent from the address [email protected], i.e. via the Google AppSheet infrastructure, which significantly increases the chances of bypassing anti‑spam filters and the recipient’s level of trust.
From a tactics and techniques perspective, this chain fits well into the phishing via email technique (MITRE ATT&CK T1566.002):
- the attacker uses a trusted email service for delivery;
- creates plausible content impersonating Meta support;
- redirects the victim to a fake page to collect credentials.
On the recipient’s side, several trust factors kick in: a legitimate Google sender domain, no obvious technical spam indicators, and a familiar context (Facebook, account blocking, content policy). As a result, the user is highly likely to follow the link, land on the fake form, and enter their Facebook username and password.
Guardio researchers describe the infrastructure not as a static phishing kit but as a “live operation” with:
- real‑time operator panels for handling current victims;
- evasion mechanisms and constant updating of scenarios;
- a closed commercial loop: from account theft to resale and “recovery services.”
As the campaign evolved, the attackers broadened the range of “pretexts” for contact, pushing recipients into a state of Meta‑related panic. In addition to direct threats of account deletion, they use:
- notifications about alleged copyright violations;
- messages about page verification checks;
- fake “executive recruitment” offers via Facebook;
- account login alerts.
All these scenarios rely on the same psychological trick: create a sense of immediate threat to the business or page status and push the user to click the link without cross‑checking against real Meta notifications in the Facebook interface.
Monetization and the use of Telegram
The collected credentials are aggregated in Telegram channels and chats associated with at least three main phishing scenario variants. According to the researchers, these resources contain a total of about 30,000 records of victims, most of whom:
- are located in the US, Italy, Canada, the Philippines, India, Spain, Australia, the UK, Brazil and Mexico;
- have completely lost access to their accounts.
Based on this data, an underground “store” is formed for reselling compromised accounts. At the same time, within the same ecosystem there are services offering “help with recovering” Facebook accounts — meaning the same criminal community is both creating the problem and selling the “solution.”
OSINT indicators of Vietnamese origin
Attribution of the operation to Vietnamese attackers is based on a combination of open‑source data rather than just network indicators. In particular, in PDF files generated as part of one phishing scenario using a free Canva account, researchers discovered metadata showing the author name “PHẠM TÀI TÂN.” Further analysis revealed a website with the domain phamtaitan[.]vn, offering digital marketing services and ad strategy consulting.
The stated business profile of the site (“digital marketing, resources and strategies”) aligns well with an interest in Facebook business accounts and ad management. The mere fact that the name in the metadata matches the domain does not in itself mean that the specific site owner is directly involved in the attack, but taken together with the campaign’s scale and its focus on Facebook’s advertising infrastructure, it strengthens the hypothesis that the operation is “based” in Vietnam.
Indicators of compromise from the source material
The publicly available description of the operation mentions the following indicators that can be used for initial checks:
- sender address of phishing emails: [email protected] (legitimate by itself; it is critical only in combination with Meta/Facebook‑related content);
- domain linked to potential operators: phamtaitan[.]vn (to be used as a contextual OSINT artifact rather than a sole blocking criterion).
Since Google AppSheet is a legitimate service, its domain cannot serve as a simple binary indicator of an attack; filtering must be based on a combination of characteristics (email subject, keywords, link patterns, anomalies in user behavior).
Threat context: commercialization of stolen Facebook assets
According to the researchers, the AccountDumpling operation fits into a broader trend where Vietnamese attackers systematically hunt Facebook accounts, especially those linked to business and advertising. Stolen accounts are treated as assets that can be:
- used to launch ad campaigns with dubious or outright malicious content;
- resold on underground markets as “ready‑made business accounts” with history and reputation;
- leveraged to spread phishing and fraud among followers of compromised pages.
This kind of commercialization illustrates how social media accounts are turning into commodities with measurable value: ad history, the “health” of the business identity, and the absence of suspensions and bans all matter. Essentially, this is about trading digital identities as a resource.
In its official security help, Meta emphasizes that phishing and account takeover attempts are a common problem for Facebook users and recommends carefully checking any emails that claim to be from Facebook by comparing them with examples on the “How to recognize suspicious emails” page. The AccountDumpling operation shows how attackers adapt to these recommendations by using Google’s trusted infrastructure to evade basic checks.
Impact assessment for businesses and users
The highest risk is borne by:
- small and medium‑sized businesses for which a Facebook page and ad account are key customer acquisition channels;
- marketing and SMM agencies managing multiple business pages on behalf of clients;
- influencers and media outlets that depend on monetization via Facebook and related services.
By country, the largest numbers of victims have been recorded in the US, Italy, Canada, the Philippines, India, Spain, Australia, the UK, Brazil and Mexico.
The consequences of a successful attack go far beyond “just lost access to an account”:
- Financial losses: unauthorized ad spend, redirecting traffic to attacker resources, loss of conversions.
- Reputational damage: fraudulent or toxic content posted on behalf of the brand, mass user complaints.
- Legal and compliance risks: malicious ads run through your account may violate local laws and ad platform policies.
- Compromise of related services: if the same password was reused elsewhere, CRM systems, email and other cloud services are at risk.
A key feature of this particular operation is the presence of a well‑tuned monetization chain. This means stolen accounts do not “sit idle”: they are very likely actively exploited shortly after compromise, shrinking the window for painless recovery.
Practical protection recommendations
1. Strict validation of emails “from Meta”
A minimal set of organizational and technical measures for companies and agencies:
- Introduce a mandatory rule: any notifications about blocking, appeals, copyright violations, or verification must be checked only via the Facebook Business interface, not through links in emails.
- Designate responsible staff authorized to respond to “Meta Support” messages; prohibit employees from independently following such links.
- Train staff to distinguish real Facebook emails from phishing ones using Meta’s official guide to suspicious emails and the examples it provides.
2. Email filtering and SIEM configuration
On the technical protection side, it is advisable to:
- Configure a separate rule on the email gateway to flag as suspicious any messages from the appsheet.com domain if the subject or body contains words like “Meta,” “Facebook,” “copyright,” “appeal,” “verify business,” etc.
- Implement URL rewriting and pre‑execution link analysis (sandboxing) for all emails mentioning Facebook Business or Meta Support.
- In your SIEM, set up reporting for incoming messages from [email protected] filtered by keywords to quickly identify potential activity related to this campaign.
At the same time, fully blocking all AppSheet traffic is not advisable: the service is legitimate and may be used within the organization. Context‑aware filtering is important, not blunt domain blocking.
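As an added illustration of the context-aware rule described above (the appsheet.com sender domain is only an indicator in combination with Meta/Facebook content), and not code from the article or from Guardio, here is a small Python triage function a gateway or SIEM enrichment step could run. The two sample messages and the sender local part are constructed placeholders; only the appsheet.com domain and the lure vocabulary come from the write-up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not from the article). The local part of the
# sender address is a placeholder; only the appsheet.com domain is from the report.
PHISH = """From: Meta Support <notify@appsheet.com>
Subject: Your Facebook page will be deleted - file an appeal
Content-Type: text/plain

Your Page violated our copyright policy. Submit an appeal within 24 hours:
http://example.invalid/appeal
"""

LEGIT = """From: AppSheet <notify@appsheet.com>
Subject: Inventory app: 3 new rows added
Content-Type: text/plain

Your AppSheet app "Inventory" received new entries today.
"""

# Lure vocabulary listed in the recommendations: Meta, Facebook, copyright,
# appeal, verification. Matched case-insensitively on whole words.
LURE_WORDS = re.compile(
    r"\b(meta|facebook|copyright|appeal|verif(?:y|ication)|business account)\b", re.I)
RELAY_DOMAINS = {"appsheet.com"}  # legitimate services abused as a relay


def score_message(raw: str) -> dict:
    """Return the combined-indicator verdict for one raw RFC 822 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    hits = sorted({m.group(0).lower() for m in LURE_WORDS.finditer(text)})
    # A Meta/Facebook display name on a non-Meta sender domain is a second signal.
    brand_in_name = bool(re.search(r"meta|facebook", display, re.I))
    relay = domain in RELAY_DOMAINS
    # The relay domain alone is not an indicator (the service is legitimate);
    # flag only when it coincides with lure vocabulary or a Meta-branded name.
    flagged = relay and (bool(hits) or brand_in_name)
    return {"from_domain": domain, "relay_sender": relay, "lure_terms": hits,
            "brand_in_display_name": brand_in_name, "flagged": flagged}


if __name__ == "__main__":
    for sample in (PHISH, LEGIT):
        print(score_message(sample))
```

The legitimate AppSheet notification comes back with `relay_sender` true but `flagged` false, which is exactly the distinction the recommendation above asks for.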
3. Strengthening Facebook account security
Even if phishing succeeds, the impact can be reduced if the account is protected by additional mechanisms:
- Enable two‑factor authentication for all admins and editors of business pages and ad accounts.
- Separate roles and permissions in Facebook Business: minimize the number of users with full administrative rights.
- Regularly review the list of active devices and login sessions and terminate unknown ones, following Meta’s security guidance.
Detailed general recommendations on account security and phishing protection are available in Meta’s guides and can be used as a baseline checklist during audits — for example, the support sections on securing Facebook accounts and business resources.
4. Actions if compromise is suspected
If there are signs that a Facebook business account may have been taken over in a similar scheme:
- Immediately initiate account recovery via Facebook’s official process (not through emails or third‑party links).
- After recovery:
  - change the password and update it in all password managers;
  - review and remove unknown admins and partners in Business settings;
  - analyze the history of ad campaigns and transactions;
  - check whether any unknown apps or integrations have been connected.
- Log the incident internally (ticket, security log) and use it as a case study for additional staff training.
5. Working with SaaS services like AppSheet and Canva
The use of Google AppSheet and Canva by attackers in this operation shows that legitimate SaaS platforms are becoming part of the attack chain. It is recommended to:
- Maintain an inventory of SaaS services used in the company (AppSheet, Canva, etc.) and formalize rules for their use.
- Control registrations of corporate accounts on third‑party services through a centralized account policy.
- Review official security recommendations for the platforms you use, such as the AppSheet support section, as well as Canva’s security materials.
This reduces the likelihood that attackers will be able to disguise their actions as “normal” activity of legitimate tools inside your organization.
The key takeaway from the AccountDumpling operation is that access to Facebook business accounts must be treated as a critical digital asset: review your policy for handling “Meta” emails, enable two‑factor authentication on all business profiles, and add rules to your email and SIEM infrastructure that highlight the “[email protected] + Facebook/Meta” combination so you can close the most obvious attack window in the coming days.