2026-05-02 03:50:21

Vietnamese Hackers Exploit Google AppSheet to Breach 30,000 Facebook Accounts

Vietnamese hackers exploit Google AppSheet to phish 30,000 Facebook accounts, selling them on illicit storefronts. Guardio dubs campaign AccountDumpling.

Cybercriminals Turn Google’s Own Tool Into a Phishing Weapon

Security researchers at Guardio have uncovered a sophisticated phishing campaign — dubbed AccountDumpling — that leverages Google’s low-code platform Google AppSheet to trick victims into handing over their Facebook credentials. The operation, believed to originate from Vietnam, has already compromised roughly 30,000 Facebook accounts, which are then sold on an illicit storefront run by the same threat actors.

Vietnamese Hackers Exploit Google AppSheet to Breach 30,000 Facebook Accounts
Source: feeds.feedburner.com

Unlike classic phishing attacks that rely on fake login pages hosted on shady domains, this campaign hijacks the trust associated with Google services. By using AppSheet as a “phishing relay,” attackers send emails that appear legitimate and direct users to a credential-stealing page hosted within the Google ecosystem. This makes the scheme harder to detect for both users and email filters.

How the AppSheet Phishing Relay Works

Google AppSheet is a no-code platform widely used by businesses to build custom applications. Attackers abuse its ability to create web forms and redirect users to external URLs. The attack flow proceeds as follows:

  1. Phishing email sent — The victim receives a message appearing to come from Facebook or a related service, often with a sense of urgency (e.g., “suspicious login attempt” or “account restricted”).
  2. Link points to AppSheet — The email contains a link that opens a Google AppSheet-generated form or page. Because the domain is appsheet.com or a subdomain, it passes many email security checks.
  3. Credential harvesting — The AppSheet page either directly asks for Facebook credentials or redirects to a fake Facebook login page hosted elsewhere. The stolen data is then exfiltrated to the attackers’ server.
  4. Account takeover and resale — Once the credentials are verified, the threat actors take control of the Facebook account and add it to their inventory on a dedicated storefront, selling each account for a few dollars.

Step-by-Step Infection Chain

Guardio’s analysis reveals that the attackers exploited AppSheet’s “form” and “automation” features to create a seamless relay. The platform allowed them to:

  • Generate anonymous forms that log submissions.
  • Set up server-side redirects without needing their own infrastructure.
  • Use Google’s own certificates to avoid SSL warnings.

This technique, sometimes called living off the land, makes the phishing campaign significantly more resilient to takedown efforts. When one AppSheet app is removed, the attackers can quickly spin up another.

Scale of the AccountDumpling Campaign

As of the report, approximately 30,000 Facebook accounts have been compromised. The stolen accounts are sold through a private Telegram channel and a web-based marketplace that accepts cryptocurrency. Prices range from $5 to $15 per account, depending on the account’s age, friend count, and activity level.

The campaign appears to target users globally, with a slight concentration in Southeast Asia and the United States. Because the phishing emails are crafted in multiple languages, the operation has a broad reach. Guardio researchers note that the attackers have been active for at least six months, indicating a well-organized, persistent threat.

Why This Attack Is So Effective

Several factors contribute to the success of the AppSheet phishing relay:

  • Trust in Google domains — Many users and security tools automatically whitelist Google-owned URLs, bypassing typical email filters.
  • Low cost and easy setup — AppSheet’s free tier allows attackers to create malicious apps at no charge, and the platform requires minimal technical skill.
  • Abuse of legitimate functionality — AppSheet is designed for building useful apps, not for hosting phishing pages. Its moderation and abuse detection are not optimized for this threat.
  • Rapid account turnover — Once a Facebook account is stolen, the attackers quickly change the password and enable two-factor authentication (2FA) to lock out the genuine owner.

How to Protect Your Facebook Account

Both individuals and organizations can take steps to guard against this type of phishing:

For Individuals

  • Always check the URL before entering credentials — even if it starts with https:// and looks official. Hover over links to preview the destination.
  • Enable two-factor authentication (2FA) using an authenticator app, not SMS. This adds a layer of protection even if credentials are stolen.
  • Be wary of urgent messages claiming your account will be disabled. Instead of clicking the link, log in directly by typing facebook.com into your browser.
  • Use a password manager that warns you about duplicate or suspicious login pages.

For Organizations

  • Train employees to recognize phishing emails that abuse trusted platforms like Google, Microsoft, or Apple.
  • Implement email security solutions that perform link sandboxing and scan for malicious redirects.
  • Monitor for unusual outbound traffic from corporate devices that could indicate credential theft.
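A mail-filter heuristic for the relay pattern described above, added here as an example (not Guardio's or Google's code): it flags a message only when the sender claims Facebook without using a Facebook domain and the body also links into appsheet.com. The genuine-sender domain list, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

RELAY_DOMAIN = "appsheet.com"   # relay domain named in the article
BRAND = "facebook"              # impersonated brand named in the article
BRAND_DOMAINS = ("facebook.com", "facebookmail.com")  # assumption: genuine sender domains
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def in_domain(host, domain):
    """Match the domain or a true subdomain, not a look-alike such as appsheet.com.example."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def body_text(msg):
    """Decode and join every text/* part (plain and HTML)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def check_message(raw):
    """Return (flagged, relay_hosts) for one RFC 5322 message string."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    claims_brand = BRAND in f"{display} {msg.get('Subject', '')}".lower()
    from_brand = any(in_domain(sender_domain, d) for d in BRAND_DOMAINS)
    hosts = {urlsplit(u).hostname for u in URL_RE.findall(body_text(msg))}
    relay_hosts = sorted(h for h in hosts if in_domain(h, RELAY_DOMAIN))
    # Require both signals: either one alone is common in benign mail.
    return claims_brand and not from_brand and bool(relay_hosts), relay_hosts

# Constructed sample messages (not taken from the campaign).
PHISH = """From: "Facebook Security" <notify@mailer.example>
Subject: Account restricted
Content-Type: text/plain; charset=utf-8

Suspicious login attempt. Review: https://www.appsheet.com/start/EXAMPLE-APP-ID
"""
BENIGN = """From: "Ops Team" <ops@corp.example>
Subject: Inventory app
Content-Type: text/plain; charset=utf-8

Open the app: https://www.appsheet.com/start/EXAMPLE-APP-ID
"""
```

The benign sample shows why the relay link alone is not enough to flag: legitimate AppSheet apps produce the same URLs, so the rule keys on the mismatch between the claimed brand and the sender.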

Google’s Role and Mitigation

Google has been notified of the AccountDumpling campaign. The company’s security team typically responds by removing malicious AppSheet apps and updating their automated detection systems. However, because AppSheet is a platform for legitimate businesses, Google must balance abuse prevention with usability. Users who encounter a suspicious AppSheet form can report it through official channels.

In the meantime, users are advised to stay vigilant and adopt the protective measures listed above. No platform is immune to abuse, and attackers will continue to find creative ways to exploit legitimate services.

Final Thoughts

The AccountDumpling campaign highlights an evolving trend in cybercrime: leveraging trusted platforms as stepping stones for attacks. By abusing Google AppSheet, the Vietnamese-linked group was able to bypass traditional defenses and compromise tens of thousands of Facebook accounts. As low-code and no-code platforms proliferate, security teams must adapt their threat models to account for trust abuse attacks. Meanwhile, users should always treat unexpected login prompts with skepticism — even when they come from a familiar domain.