Researchers have uncovered a long-running phishing operation that abuses trusted Google services to hijack tens of thousands of Facebook accounts. The compromised accounts are mainly business and advertiser profiles, which criminals can monetise after gaining access and control. The attackers send the phishing emails via Google’s AppSheet platform, so the messages come “through Google,” pass the usual technical checks and look legitimate at first glance.
The sender name can be customised and the sending address may resemble noreply@appsheet[.]com, delivered through appsheet.bounces.google[.]com. Researchers tied these emails to a Vietnamese-linked operation that has already compromised around 30,000 Facebook accounts and is still active. The phishing sites target Facebook credentials, 2FA codes and recovery data, and the attackers use an industrial-scale infrastructure built around Telegram bots and channels to collect and process stolen data.
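A mail-triage check built on the sender details above, added here as an example and not taken from the researchers or the original article: because these messages pass the usual technical checks, it ignores authentication results and instead flags mail that arrives via the AppSheet addresses while its display name or subject names Facebook or Meta. The brand word list, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Sending infrastructure named in the article (defanged there, written plainly here).
APPSHEET_FROM_DOMAIN = "appsheet.com"
APPSHEET_BOUNCE_DOMAIN = "appsheet.bounces.google.com"
# Assumption: brand words a Facebook-themed lure puts in the display name or subject.
BRAND_WORDS = {"facebook", "meta"}


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Classify one message as 'not_appsheet', 'appsheet' or 'appsheet_brand_lure'."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    display_name, _ = parseaddr(from_header)
    bounce = domain_of(msg.get("Return-Path", ""))
    via_appsheet = (
        domain_of(from_header) == APPSHEET_FROM_DOMAIN
        or bounce == APPSHEET_BOUNCE_DOMAIN
        or bounce.endswith("." + APPSHEET_BOUNCE_DOMAIN)
    )
    if not via_appsheet:
        return "not_appsheet"
    # The display name is attacker-chosen, so it is the field worth inspecting.
    text = (display_name + " " + msg.get("Subject", "")).lower()
    words = set(re.findall(r"[a-z]+", text))
    return "appsheet_brand_lure" if words & BRAND_WORDS else "appsheet"


# Constructed sample messages (not real captures).
LURE = ("Return-Path: <bounce-1@appsheet.bounces.google.com>\n"
        "From: Meta Support <noreply@appsheet.com>\n"
        "Subject: Action required on your Facebook account\n\nbody\n")
ROUTINE = ("Return-Path: <bounce-2@appsheet.bounces.google.com>\n"
           "From: Inventory App <noreply@appsheet.com>\n"
           "Subject: Weekly stock report\n\nbody\n")
UNRELATED = ("Return-Path: <alice@example.org>\n"
             "From: Alice <alice@example.org>\n"
             "Subject: Meta analysis draft\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("routine", ROUTINE), ("unrelated", UNRELATED)):
        print(name, triage(raw))
```

Organisations that use AppSheet legitimately will see the plain `appsheet` result for routine notifications; only the brand-impersonating combination is worth routing to review.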