A sophisticated cybercrime campaign has recently hit tens of thousands of social media profiles by abusing digital infrastructure regarded as secure and reliable.
Recent investigations by cybersecurity experts at Malwarebytes have uncovered an extremely sophisticated phishing operation that has already compromised about 30,000 Facebook accounts.
The peculiarity of this attack, which is still fully active, lies in the medium used to spread the deception: the fraudulent email messages originate directly from legitimate Google services and can therefore deceive both end users and the most advanced corporate spam filters.
The attackers identified and exploited a vulnerability in how Google AppSheet operates, a platform designed to allow users to create mobile and web applications without the need to write code.
Generally, this tool is used to automate workflows and send internal notifications. The cybercriminals exploited this very communication capability to forward their phishing emails.
By freely modifying the sender’s name, the scammers manage to send notices that appear to come from addresses such as noreply@appsheet.com, routing them through Google’s official sending servers.
This detail is crucial, as it allows communications to easily bypass strict standard security checks, including the SPF, DKIM and DMARC protocols.
The victim’s mailbox marks the message as safe and delivers it to the inbox. The email texts are specifically crafted to trigger alarm, signaling fake violations of Facebook’s policies, complaints for alleged copyright infringements, or profile verification problems that require immediate action.
The traces analyzed by researchers linked this massive operation to a criminal group operating from Vietnam. The main victims are not simply private users, but business pages, commercial profiles, and advertising accounts. These types of profiles have a high intrinsic economic value.
Once access is obtained, the criminals monetize the control in several ways: they launch massive fraudulent advertising campaigns at the expense of affected companies, promote financial scams, or sell stolen access to other actors on the dark web.
In a move bordering on grotesque, the same criminal group sometimes offers paid services for account recovery, presenting themselves as rescuers of a disaster they themselves caused.
The entire technical infrastructure behind this operation is organized to maximize profits in a very short time. The real purpose of the fake support sites to which victims are directed is to collect a huge amount of sensitive data: login credentials, two-factor authentication codes, dates of birth, phone numbers, and even photographs of valid identity documents.
As soon as the victim enters this data, it is processed and routed through bots and automated channels on the Telegram platform.
Defending against threats of this magnitude requires above-average vigilance. A fundamental principle to keep in mind to protect your devices and accounts is that Meta will never use Google’s infrastructure and servers to send security alerts, legal complaints, or verification requests related to Facebook or Instagram.
Every email threatening the disabling or blocking of a profile within 24 or 48 hours should be treated with extreme suspicion.
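The two rules above can be turned into a mail-filter check. The following Python sketch is an added example, not code from Malwarebytes or Google: it flags messages sent from the AppSheet notification address that speak in Meta's name, and shows that a passing DMARC result does not change the verdict. The word lists, the function name `assess` and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Sender domain named in the article; the word lists below are assumptions.
RELAY_DOMAINS = {"appsheet.com"}
BRAND = re.compile(r"\b(facebook|instagram|meta)\b", re.I)
URGENCY = re.compile(r"\b(24|48)\s*hours?\b|copyright|policy violation|disabl\w+", re.I)

def assess(raw):
    """Flag mail from a no-code notification relay that speaks for Meta."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = f"{display}\n{msg.get('Subject', '')}\n{body.get_content() if body else ''}"
    auth = str(msg.get("Authentication-Results", "")).lower()
    reasons = []
    if domain in RELAY_DOMAINS and BRAND.search(text):
        reasons.append("relay-domain sender claims to be Meta")
        if URGENCY.search(text):
            reasons.append("deadline or violation wording")
    return {
        "verdict": "quarantine" if reasons else "deliver",
        "reasons": reasons,
        # A DMARC pass only proves the relay sent it, not who wrote it.
        "auth_passed": "dmarc=pass" in auth,
    }

# Constructed sample: brand impersonation with fully passing authentication.
PHISH = """\
From: "Meta Support Team" <noreply@appsheet.com>
To: owner@example.com
Subject: Your page will be disabled within 24 hours
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

We received a copyright complaint about your Facebook page. Verify now.
"""

# Constructed sample: an ordinary workflow notification from the same address.
LEGIT = """\
From: "Stock Tracker" <noreply@appsheet.com>
To: owner@example.com
Subject: New row added to Inventory
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

A row was added to the Inventory table by j.doe.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, assess(raw))
```

Both samples pass authentication, so the decision rests entirely on the mismatch between the sending platform and the brand the message claims to represent.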
To protect your company’s data, it is essential to categorically avoid clicking on links in alarming messages. The proper practice is to always access the social network directly by manually typing the address in the browser or opening the app on the smartphone.
Another unmistakable warning sign is a site that asks for the password, the temporary codes, the mobile number and personal documents all at once: this is the exact set of information criminals need to definitively steal the digital identity.
Keeping two-factor authentication active and monitored, paying attention to any unusual logins, remains the best defense to safeguard your work and your online presence.