[TIMESTAMP: 2026-05-01 20:22 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

AccountDumpling: Vietnamese Phishing Relay Abuses Google AppSheet

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Over 30,000 Facebook accounts were compromised by Vietnamese actors in a large-scale phishing campaign and resold on illicit storefronts.
  • [02] Targets: Facebook account holders and enterprise email environments receiving messages relayed through legitimate Google AppSheet application infrastructure.
  • [03] Implement advanced email header analysis, block unauthorized Google AppSheet domains where the platform is not in use, and educate users on URL inspection.

A sophisticated phishing operation linked to Vietnamese threat actors has been identified using Google AppSheet as a delivery mechanism to harvest credentials from tens of thousands of users. According to The Hacker News, the campaign has compromised approximately 30,000 Facebook accounts, which were subsequently processed through an automated backend for resale on the dark web.

Researchers at Guardio, who have codenamed the activity AccountDumpling, observed the attackers utilizing Google’s low-code development platform as a legitimate relay. By hosting phishing content or redirectors on appsheet.com, the actors effectively bypass standard email security filters that rely on domain reputation. Because Google AppSheet is a trusted enterprise tool, emails originating from its infrastructure often circumvent the security protocols within a SOC.

AccountDumpling Vietnamese Threat Actor Tactics

The primary TTP used in this campaign involves the abuse of trusted cloud infrastructure to mask malicious intent. The attackers create applications within Google AppSheet that serve as a middleman. When a target receives a phishing email, the link directs them to a legitimate Google-hosted URL. This initial stage minimizes the risk of the email being flagged as spam or malicious by automated scanners.

Once the user interacts with the AppSheet interface, they are redirected to a fraudulent Facebook login page. These pages are meticulously crafted to mirror official branding, often utilizing social engineering themes such as account suspension warnings or copyright violation notices. If the victim enters their credentials, the data is exfiltrated to a C2 server controlled by the AccountDumpling group.

This campaign aligns with MITRE ATT&CK technique T1566.002 (Phishing: Spearphishing Link), but with the added complexity of legitimate service abuse. The scale of 30,000 accounts indicates a high level of automation in both the collection and the verification of stolen credentials.

How to Detect Google AppSheet Phishing Relay Infrastructure

Detecting this specific threat requires defenders to look beyond the sender’s reputation. Security professionals should monitor for high volumes of traffic or unusual email delivery patterns originating from *appsheet.com. Specifically, analyzing the email headers for atypical application IDs within the AppSheet ecosystem can reveal rogue deployments.

Security teams should also utilize SIEM logging to identify redirects where a user lands on a Google domain but is immediately transitioned to an external, non-Google credential harvesting site. Organizations that do not use AppSheet for business operations should consider restricting access to the domain or implementing strict inspection of traffic directed toward it.
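As an added illustration of the redirect correlation described above (example code written for this article, not Guardio's or the reporters' tooling), the following Python script scans constructed proxy-log lines for a request to appsheet.com that is followed by a non-Google host, either through a 3xx Location header or through the same client's next request within a few seconds. The log format, the hostnames and the application path references are assumptions for the example; adapt the parser to your proxy's real format.

```python
"""Flag AppSheet-to-external redirect hops in web proxy logs (added example).

Constructed log format, one request per line:
  <ISO timestamp> <client IP> <HTTP status> <requested URL> <Location header or "-">
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log lines; all hostnames and app references are invented.
SAMPLE_LOG = """\
2026-05-01T10:00:01Z 10.0.0.5 302 https://www.appsheet.com/start/APP-A https://accounts-verify.example.net/facebook/login
2026-05-01T10:00:02Z 10.0.0.5 200 https://accounts-verify.example.net/facebook/login -
2026-05-01T10:05:00Z 10.0.0.7 302 https://www.appsheet.com/start/APP-B https://docs.google.com/forms/d/abc
2026-05-01T10:05:01Z 10.0.0.7 200 https://docs.google.com/forms/d/abc -
2026-05-01T10:09:00Z 10.0.0.9 200 https://www.appsheet.com/start/APP-C -
2026-05-01T10:09:02Z 10.0.0.9 200 https://fb-security-check.example.org/login -
2026-05-01T10:20:00Z 10.0.0.9 200 https://www.appsheet.com/start/APP-C -
2026-05-01T10:25:00Z 10.0.0.9 200 https://news.example.com/ -
"""

# Hosts treated as "still on Google"; extend to match your allowlist.
GOOGLE_SUFFIXES = ("google.com", "appsheet.com", "googleusercontent.com", "gstatic.com")


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_google_host(host: str) -> bool:
    # Exact match or a real subdomain; "evilgoogle.com" and "google.com.evil.example" do not match.
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)


def is_appsheet_url(url: str) -> bool:
    h = host_of(url)
    return h == "appsheet.com" or h.endswith(".appsheet.com")


def parse_line(line: str) -> dict:
    ts, client, status, url, location = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "status": int(status),
        "url": url,
        "location": None if location == "-" else location,
    }


def find_suspicious_hops(log_text: str, window_seconds: int = 5) -> list:
    """Return one finding per AppSheet request that hands the client off to a non-Google host."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    window = timedelta(seconds=window_seconds)
    findings = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if not is_appsheet_url(e["url"]):
                continue
            # Case 1: server-side redirect, destination visible in the Location header.
            if 300 <= e["status"] < 400 and e["location"] and not is_google_host(host_of(e["location"])):
                findings.append({"client": client, "app_url": e["url"],
                                 "landing_url": e["location"], "method": "location"})
                continue
            # Case 2: client-side redirect (JS/meta refresh): the same client's next
            # off-Google request arrives within the window.
            for nxt in evs[i + 1:]:
                if nxt["ts"] - e["ts"] > window:
                    break
                if not is_google_host(host_of(nxt["url"])):
                    findings.append({"client": client, "app_url": e["url"],
                                     "landing_url": nxt["url"], "method": "temporal"})
                    break
    return findings


def appsheet_app_refs(log_text: str) -> Counter:
    """Count AppSheet URL paths so analysts can baseline which app references are normal for the org."""
    paths = [urlparse(parse_line(l)["url"]).path for l in log_text.splitlines()
             if l.strip() and is_appsheet_url(parse_line(l)["url"])]
    return Counter(paths)


if __name__ == "__main__":
    for f in find_suspicious_hops(SAMPLE_LOG):
        print(f"{f['client']}: {f['app_url']} -> {f['landing_url']} ({f['method']})")
    print(appsheet_app_refs(SAMPLE_LOG))
```

On the sample data the script reports two hops: the 302 from APP-A to the external "facebook/login" page, and the client that loaded APP-C and two seconds later requested an external login host. The APP-B redirect to docs.google.com and the APP-C visit followed by unrelated browsing five minutes later are not flagged. The app-reference counter is the raw material for the application-ID baselining the section mentions; what counts as atypical depends on which AppSheet apps your organization actually uses.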

Impact and Monetization Strategy

The ultimate goal of the AccountDumpling campaign is financial gain. The harvested accounts are not merely stored; they are verified for value—checking for administrative access to business pages or linked credit cards—and then listed on illicit storefronts. These storefronts cater to other threat actors who use the compromised accounts for spreading misinformation, running fraudulent ad campaigns, or performing further lateral movement within the social network.

Recommendations for Protecting Facebook Accounts from Phishing Campaigns

To mitigate the risk of account takeover, organizations and individuals must adopt a multi-layered defense strategy. While no CVE is currently assigned to this abuse of service, the threat remains active.

  1. Enforce MFA: Multi-factor authentication is the most effective barrier against the unauthorized use of stolen credentials.
  2. Advanced Email Filtering: Deploy security solutions capable of deconstructing shortened URLs and inspecting the final destination of redirects.
  3. User Training: Educate staff on the dangers of clicking links in urgent-sounding emails, even when the initial domain (like Google) appears trustworthy.
  4. Credential Monitoring: Use EDR and identity monitoring tools to detect logins from atypical geographic locations associated with known Vietnamese IP ranges frequently used by this actor group.
