Overview
- Guardio Labs detailed a phishing operation called AccountDumpling that sent emails from noreply@appsheet.com and other Google AppSheet domains, allowing the messages to pass SPF, DKIM and DMARC checks while targeting Facebook users and business page admins.
- The campaign ran four parallel paths that funneled victims to credential traps, including Netlify-hosted Facebook Help Center clones, fake blue-badge reward pages on Vercel, Google Drive PDFs that guided account “verification,” and job-offer schemes impersonating major brands.
- Beyond passwords, the kits harvested two-factor codes, government ID photos, contact and business details, and even browser screenshots captured via html2canvas, enabling swift account takeovers and lockouts.
- Researchers observed layered evasion in the emails, such as invisible Unicode spacing, words split to confuse scanners, and Cyrillic look‑alike letters in Meta branding, which helped the lures dodge automated filters.
- Guardio traced stolen data to attacker-run Telegram bots and channels and noted resale through illicit storefronts, with forensic clues tying the operation to Vietnam, including Canva PDF metadata naming “PHẠM TÀI TÂN” and a victim set concentrated in the U.S. but spanning multiple countries.
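The email-layer evasion the bullets describe (invisible Unicode spacing, brand words split apart, Cyrillic look-alike letters in Meta branding) is something a mail gateway or SOC triage script can check for before a message reaches a Facebook page admin. The following is an added example, not code from Guardio's report; the confusable table, brand list and sample subjects are constructed for illustration.

```python
import re
import unicodedata

# Brand words the lures impersonate (named on the page), matched against a Latin "skeleton".
BRANDS = {"meta", "facebook"}

# Cyrillic letters that render like Latin ones (constructed subset of Unicode confusables).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0501": "d",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
})

def strip_invisible(text):
    """Drop format-control code points (zero-width space/joiner, soft hyphen, BOM, ...).
    Returns the cleaned text and how many such characters were removed."""
    kept = [c for c in text if unicodedata.category(c) != "Cf"]
    return "".join(kept), len(text) - len(kept)

def scripts_of(word):
    """Unicode script names (LATIN, CYRILLIC, ...) of the letters in a word."""
    return {unicodedata.name(c, "?").split()[0] for c in word if c.isalpha()}

def scan_subject(subject):
    """Flag invisible spacing, brand names split across words, and Cyrillic
    look-alikes inside brand names. Returns a findings dict."""
    cleaned, dropped = strip_invisible(subject)
    words = re.findall(r"\w+", cleaned)
    out = {"invisible_chars": dropped, "mixed_script": [], "spoofed_brands": [], "split_brands": []}
    for i, word in enumerate(words):
        if len(scripts_of(word)) > 1:            # Latin and Cyrillic mixed in one word
            out["mixed_script"].append(word)
        skeleton = word.translate(CONFUSABLES).lower()
        if skeleton in BRANDS and skeleton != word.lower():
            out["spoofed_brands"].append(word)   # reads as a brand, is not spelled as one
        if i + 1 < len(words):
            joined = (word + words[i + 1]).translate(CONFUSABLES).lower()
            if joined in BRANDS:                 # "Face book" -> "facebook"
                out["split_brands"].append(f"{word} {words[i + 1]}")
    out["suspicious"] = bool(dropped or out["mixed_script"] or out["spoofed_brands"] or out["split_brands"])
    return out

if __name__ == "__main__":
    # Constructed sample subjects (not real campaign data): Cyrillic EM in "Meta",
    # a zero-width space inside "Facebook", a visible split, and a benign control.
    for s in ["Your \u041ceta Business page has been flagged", "Face\u200bbook Help Center",
              "Face book verification required", "Your invoice is attached"]:
        print(repr(s), scan_subject(s))
```

Running the same checks over the visible sender name and the first lines of the body catches the same tricks where the campaign applied them outside the subject.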