How to Defend Against Google AppSheet Phishing Attacks Targeting Facebook Accounts

Last updated: 2026-05-03 21:25:11 (difficulty: Intermediate)

Introduction

In a recent cyber campaign, threat actors leveraged Google AppSheet—a legitimate no-code app builder—as a phishing relay to steal over 30,000 Facebook accounts. Dubbed AccountDumpling by security firm Guardio, this Vietnamese-linked operation tricked users into handing over their credentials, which were then resold on an illicit storefront. Understanding how such attacks work—and how to avoid them—is essential for anyone with a Facebook account. This guide provides clear, actionable steps to recognize and thwart similar phishing attempts.

Source: feeds.feedburner.com

What You Need

  • A Facebook account (active or dormant)
  • Basic familiarity with email and web browsers
  • A device with internet access
  • Willingness to review account security settings
  • Access to multi-factor authentication (MFA) tools

Step-by-Step Guide to Protect Yourself

Step 1: Understand the Attack Pattern

The attack uses Google AppSheet to host phishing pages that mimic Facebook login screens. Victims receive an email that appears to be from a trusted source (e.g., Facebook security, a friend, or a service notification) but actually contains a link to the AppSheet-hosted page. Once you enter your credentials, they are captured and sold.

Key red flags:

  • The email domain looks unusual (e.g., appsheets.googleusercontent.com)
  • The message creates urgency: “Your account will be suspended” or “Security alert detected”
  • The link preview shows a long, generic URL ending in appsheet or similar

Step 2: Inspect the Sender and Subject Line

Before clicking anything, check the sender’s full email address. Attackers often spoof a display name while using a non-official domain. In the AccountDumpling campaign, messages came from addresses that included @appsheet.com or @google.com but with slight misspellings.

Do this:

  • Hover over the sender name to reveal the true email address
  • Look for generic salutations like “Dear User” instead of your name
  • Check for poor grammar or odd phrasing (e.g., “We have notice unusual activity”)

Step 3: Verify the Link Destination

Never click a link directly. Instead, hover your mouse over it (or long-press on mobile) to see the full URL. Legitimate Facebook links start with https://www.facebook.com/ or https://facebook.com/. Phishing URLs in this attack often contain:

  • appsheet in the hostname
  • Additional subdomains like secure.facebook.appsheet.com
  • Random alphanumeric strings

If the URL seems off, do not click. Instead, type facebook.com directly into your browser.
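The sender, wording and link checks from Steps 1 to 3 can be turned into a small checker. The Python script below is an added example, not code from this guide or from Guardio; the official-domain list, the urgency phrases, the edit-distance threshold and the sample message itself are assumptions chosen for illustration. It parses a constructed email, flags a sender domain that is one or two characters away from an official one, flags a display name that borrows a brand the address does not belong to, spots the urgency wording and generic salutation, and inspects each link's parsed hostname rather than the raw URL text, so that secure.facebook.appsheet.com is rejected while www.facebook.com passes.

```python
"""Phishing-indicator checker (added example, not the guide's own code).
Applies the red flags from Steps 1-3 to a constructed sample email; domain
list, phrases, threshold and sample message are assumptions for illustration."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Official domains the campaign imitated, per the guide: exact matches pass,
# near-misses (one or two edited characters) are flagged as lookalikes.
OFFICIAL_DOMAINS = ("facebook.com", "google.com", "appsheet.com")
LOOKALIKE_MAX_DISTANCE = 2

# Urgency wording quoted in the guide and the generic salutation it warns about.
URGENCY_PHRASES = ("account will be suspended", "security alert")
GENERIC_SALUTATION = re.compile(r"\bdear (user|customer|member)\b", re.I)
URL_PATTERN = re.compile(r"""https?://[^\s<>"']+""")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_facebook_link(url: str) -> bool:
    """True only for https links whose registered domain really is facebook.com.
    A substring test on the raw URL would also accept secure.facebook.appsheet.com."""
    host = hostname(url)
    return urlparse(url).scheme == "https" and (
        host == "facebook.com" or host.endswith(".facebook.com"))


def looks_random(segment: str) -> bool:
    """Long alphanumeric path segment mixing letters and digits (the guide's
    'random alphanumeric strings' red flag)."""
    return (len(segment) >= 16 and segment.isalnum()
            and any(c.isdigit() for c in segment) and any(c.isalpha() for c in segment))


def link_findings(url: str) -> list:
    host = hostname(url)
    findings = []
    if "appsheet" in host:
        findings.append("hostname contains 'appsheet'")
    if "facebook" in host and not is_facebook_link(url):
        findings.append("'facebook' appears in hostname but domain is not facebook.com")
    if any(looks_random(seg) for seg in urlparse(url).path.split("/")):
        findings.append("long random-looking token in URL path")
    return findings


def sender_findings(from_header: str) -> list:
    """Compare the display name with the real address domain, as Step 2 asks."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain in OFFICIAL_DOMAINS:
        return findings
    for official in OFFICIAL_DOMAINS:
        if levenshtein(domain, official) <= LOOKALIKE_MAX_DISTANCE:
            findings.append(f"sender domain {domain!r} is a lookalike of {official!r}")
        brand = official.split(".")[0]
        if brand in display.lower():
            findings.append(f"display name claims {brand!r} but address is @{domain}")
    return findings


def content_findings(body: str) -> list:
    lowered = body.lower()
    findings = [f"urgency wording: {p!r}" for p in URGENCY_PHRASES if p in lowered]
    if GENERIC_SALUTATION.search(body):
        findings.append("generic salutation instead of your name")
    return findings


def analyze(message: dict) -> dict:
    """Collect every indicator; no findings means the checklist did not fire,
    which is not the same as the mail being safe."""
    links = {url: link_findings(url) for url in URL_PATTERN.findall(message["body"])}
    report = {"sender": sender_findings(message["from"]),
              "content": content_findings(message["body"]), "links": links}
    report["suspicious"] = bool(report["sender"] or report["content"] or any(links.values()))
    return report


# Constructed sample message; the addresses and URLs are invented for this example.
SAMPLE_EMAIL = {
    "from": '"Facebook Security" <noreply@appsheeet.com>',
    "body": ("Dear User,\n"
             "We have notice unusual activity. Your account will be suspended unless you\n"
             "verify now: https://secure.facebook.appsheet.com/start/a1b2c3d4e5f6a7b8c9d0\n"
             "Help center: https://www.facebook.com/help\n"),
}

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_EMAIL), indent=2))
```

Run it directly to print the report for the sample message. The part worth carrying into any mail-filter rule is the hostname test in `is_facebook_link`: it parses the URL and checks the registered domain, whereas a plain substring search for facebook.com would accept both the phishing hostname above and a constructed decoy such as facebook.com.evil.example.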

Step 4: Enable Multi-Factor Authentication (MFA)

MFA adds a second layer of security. Even if someone steals your password, they cannot log in without the second factor (e.g., a code from an authenticator app or SMS).

  1. Go to Settings & Privacy > Security and Login on Facebook
  2. Under “Two-Factor Authentication,” click Edit and select your preferred method
  3. Follow the prompts to link an authenticator app (like Google Authenticator or Authy) or register a phone number

Important: Where possible, do not rely on SMS as your only method, because SIM-swapping attacks are common. An authenticator app is far more secure.

Step 5: Review and Revoke Unauthorized App Access

Attackers sometimes use the stolen credentials to grant access to malicious third-party apps. Check what apps are connected to your Facebook account:

  1. Go to Settings & Privacy > Settings > Apps and Websites
  2. Review the list. Remove any app you don’t recognize, especially ones with suspicious names or no icon
  3. Click Remove and confirm

Also check Business Integrations for any unknown connections.


Step 6: Change Your Password Immediately if You Suspect a Breach

If you’ve clicked a phishing link or entered your credentials on a suspicious page, act fast:

  1. Log into Facebook via a trusted device or browser
  2. Go to Settings > Security and Login > Change password
  3. Create a strong, unique password (at least 12 characters, mix of uppercase, lowercase, numbers, and symbols)
  4. If you used the same password elsewhere, change it there too, giving each site its own password rather than reusing the new one

After changing, also log out of all active sessions from the Security page to force attackers out.

Step 7: Report the Phishing Attempt

Help others avoid the same trap. Report the email and the phishing page:

Step 8: Monitor Your Account for Unusual Activity

Even after taking steps, keep an eye out for signs of compromise:

  • Unrecognized posts, messages, or friend requests
  • Profile picture or name changes
  • Login alerts from unknown devices (you can view them in Security and Login under “Where you’re logged in”)

If you see anything suspicious, repeat the password change and MFA setup immediately.

Tips for Staying Safe

1. Always verify before clicking. Legitimate companies will never ask for your password via email. When in doubt, contact the company directly using official channels.

2. Use a password manager. It generates and stores strong, unique passwords for each site, reducing the impact of a single stolen credential.

3. Keep software updated. Browser and operating system updates often include security patches against phishing and malware.

4. Educate family and colleagues. The AccountDumpling campaign targeted many users. Sharing this guide can prevent a widespread compromise.

5. Enable login alerts. Facebook can notify you via email or app notification each time someone logs in from a new device. Find this under Security and Login > Get alerts about unrecognized logins.

By following these steps, you can significantly reduce your risk of falling victim to sophisticated phishing attacks like those using Google AppSheet. Stay vigilant, stay safe, and always think before you click.