Researchers at Guardio Labs are tracking a major phishing campaign that abused Google AppSheet as a relay to send phishing emails. The researchers identified more than 30,000 Facebook accounts that were compromised by this campaign. Since the emails are sent from Google’s legitimate infrastructure, they’re much more likely to land in users’ inboxes.
“Email phishing used to rely on spoofing, shady SMTP infrastructure, and just enough broken authentication to slip through the cracks,” the researchers write. “This case starts from the opposite premise: the email is real, the authentication is clean, and the delivery comes through Google’s own AppSheet, the no-code app builder's notification system.”
In the campaign observed by Guardio, the attackers are using AppSheet notifications to send phony alerts informing users that their Facebook Business accounts will be permanently disabled for copyright violations unless they submit an appeal. The link in the email leads to a convincingly spoofed Facebook login page designed to harvest credentials and personal information.
Notably, the researchers tied the campaign to several other activity clusters using fake job postings, phony blue-check verification offers, and phony login alerts. This led to the discovery of an organized network of scam infrastructure using “Netlify-hosted Facebook clones, Vercel-hosted reward traps, Google Drive-hosted PDFs, and recruiter-style social engineering, all riding the same Google-authenticated relay and feeding the same Telegram bot infrastructure.”
“What initially appeared to be a narrow phishing attempt quickly expanded into something much broader,” the researchers write. “Following this thread did not lead to a single phishing kit or an isolated actor experimenting with a no-code tool, but to a multi-actor, Vietnamese-linked Facebook account hijacking ecosystem spanning Netlify, Vercel, Google Drive, Telegram, and a set of monetization endpoints that look less like a campaign and more like a business.”
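Because these messages authenticate cleanly, a mail filter has to look at content rather than SPF/DKIM/DMARC results. The following triage heuristic is an added example, not code from Guardio or KnowBe4: it flags relay-sent mail that names Facebook but links elsewhere. The sender domain `appsheet.com`, the lure keywords, the hosting suffixes and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions, not from the article: the relay's sender domain, the lure
# keywords, and the hostname suffixes for the platforms the article names.
RELAY_DOMAINS = ("appsheet.com",)
BRAND_TERMS = ("facebook", "meta business")
BRAND_DOMAINS = ("facebook.com", "meta.com")
WATCHED_HOSTS = ("netlify.app", "vercel.app", "drive.google.com")

def under(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw):
    """Return review reasons for one raw message; an empty list means none."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not under(sender.rpartition("@")[2], RELAY_DOMAINS):
        return []  # out of scope: not sent through the relay
    # Authentication-Results is deliberately ignored: these messages pass it.
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
             if p.get_content_maintype() == "text"]
    text = (msg.get("Subject", "") + " " +
            " ".join(b.decode("utf-8", "replace") for b in parts)).lower()
    urls = re.findall(r"https?://[^\s\"'<>\[\]]+", text)
    hosts = sorted({h for h in (urlparse(u).hostname for u in urls) if h})
    reasons = []
    if any(t in text for t in BRAND_TERMS):
        reasons += ["brand-mismatch:" + h for h in hosts
                    if not under(h, BRAND_DOMAINS)]
    reasons += ["watched-host:" + h for h in hosts if under(h, WATCHED_HOSTS)]
    return reasons

# Constructed sample messages (not real campaign mail).
PHISH = """From: Page Support <noreply@appsheet.com>
Subject: Your Facebook Business account will be permanently disabled
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Submit an appeal: https://constructed-sample.netlify.app/appeal
"""
BENIGN = """From: AppSheet <noreply@appsheet.com>
Subject: New row added to Inventory

Open the app: https://www.appsheet.com/start/constructed-id
"""
```

`triage(PHISH)` returns both a brand-mismatch and a watched-host reason despite the passing authentication header, while `triage(BENIGN)` returns an empty list.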
Guardio has the story: "AccountDumpling" - Hunting Down the Google-Sent Phishing Wave Compromising 30,000+ Facebook Accounts
