Vietnamese hackers hijacked Google tools to steal 30,000 Facebook accounts around the world. To lure victims, hackers use the excuse of copyright violations or an account that will soon be suspended.
Security researchers from Guardio Labs discovered a vast malicious operation called “AccountDumpling”. The attack begins with an urgent email stating that “your Facebook account has been reported for a policy violation” and that “If there is no response within 24 hours, it will be permanently deactivated”.
This email lands in your main inbox, bypassing your email spam filters. As the researchers point out, the email genuinely comes from Google servers. The hackers abused Google AppSheet, an official Google tool for building applications without coding, to send emails from the company's own servers. The tool has a notification system that sends emails from a “(email protected)” address, directly through Google servers. By relaying through this legitimate service, the hackers send emails that pass email authentication and security checks without the slightest problem. In the eyes of spam filters, “these messages are treated as trusted communications”, explain the researchers from Malwarebytes, who relayed the discovery by Guardio Labs.
Fake Facebook pages and a booby-trapped PDF on Google Drive
In most cases, the emails contain alerts about copyright infringement, account suspension, or imminent deactivation. If the victim makes the mistake of clicking the link embedded in the email, they land on a fraudulent web page that copies the Facebook Help Center, hosted on Netlify, a legitimate web hosting platform. Unsurprisingly, the fake page soon asks for the Facebook account credentials, including the password. At the same time, the hackers also ask for the date of birth, telephone number and photos of an identity card. With all this data, they can lock the victim out of their own account.
The researchers also identified email waves promoting the blue verification badge, rewards for advertisers, or the opportunity to have your account verified. In these campaigns, the fake pages are designed to collect up to three two-factor authentication codes. Finally, some emails contain a PDF hosted on Google Drive. Carefully laid out, the PDF mimics an official Meta notification, complete with the company’s official logo. Inside the PDF is a button or clickable link leading to a real-time control panel, responsible for grabbing your password and two-factor authentication code.
An oversight reveals the identity of the cybercriminal
Guardio Labs was able to trace the person behind the cyberattack, who had in fact forgotten to clear the metadata of the PDF file used in the scam. The metadata, analyzed by the researchers, shows that the document was created on Canva by a hacker named Phạm Tài Tân. The researchers then tracked the cybercriminal down on Facebook and on his official website. Notably, the Facebook account thief advertises “Facebook account recovery help” services.
The operation’s infrastructure is based on Telegram bots that collect the stolen data in real time, sort it and hand it to the hackers. By cross-referencing the data from four identified bots, Guardio counted approximately 30,000 victims in more than 50 countries, including 68.6% in the United States.
Fraudulent advertisements and identity theft
The researchers uncovered a genuine criminal infrastructure, made up of a creator of phishing kits, a hacker responsible for launching the attack, and a platform designed to put the stolen accounts up for sale. These accounts can be resold on other black markets, or used to spread fraudulent advertisements. Identity theft attempts can also be orchestrated using your Facebook account. Several victims, contacted directly by Guardio Labs, reported fraudulent transactions on their bank cards. This shows that a simple Facebook account theft can, one step at a time, lead to disastrous consequences.
“What we’ve mapped looks less like a campaign and more like a supply chain: access is harvested, accounts are hacked, and the harvest itself is resold. Each step feeds into the next,” explains the Guardio Labs report.
If you receive an urgent email about your Facebook account, even if it appears to come from a Google address, don’t click anything. Remember that Facebook never contacts you from a Google address. Go directly to the official Facebook website, or to the application, and check your notifications. Finally, if a form simultaneously asks for your password, several authentication codes and an identity document, it is almost certainly a scam. We recommend that you activate Facebook login alerts, and replace SMS authentication with a dedicated two-factor authentication application, such as Google Authenticator, which relies on a one-time code.
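The sender and landing-page checks the article describes (a legitimate relay whose SPF/DKIM pass, Facebook-branded urgency wording, lure pages on Netlify or Google Drive, and a form asking for a password, several 2FA codes and an ID at once) can be turned into a simple triage heuristic. The Python below is an added example written for this page, not Guardio Labs’ or Malwarebytes’ tooling; the relay address, the brand sender allowlist and the sample messages are constructed placeholders, since the article redacts the real relay address.

```python
"""Triage heuristic for brand-impersonation mail relayed through a legitimate
notification service. Constructed example; thresholds and lists are assumptions."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Email:
    from_addr: str
    subject: str
    body: str
    auth_results: str  # e.g. "spf=pass dkim=pass", as a receiving MTA records it


# Assumed allowlist of the impersonated brand's own sender domains. In production this
# comes from the brand's published sender domains, not a hard-coded tuple.
BRAND_SENDER_DOMAINS = ("facebook.com", "facebookmail.com", "meta.com")
BRAND_NAMES = re.compile(r"\b(facebook|meta)\b", re.I)
# Urgency and lure wording quoted or paraphrased in the article.
URGENCY = re.compile(
    r"(policy violation|copyright|within 24 hours|permanently deactivated|"
    r"suspend|deactivat)", re.I)
LURES = re.compile(
    r"(blue (verification )?badge|verif(y|ied) your account|rewards? for advertisers)", re.I)
# Legitimate hosting platforms the article names as carriers of the lure page and PDF.
THIRD_PARTY_HOSTS = ("netlify.app", "drive.google.com")
URL = re.compile(r"https?://[^\s\"'<>]+")
THRESHOLD = 5  # assumed cut-off for flagging


def sender_domain(addr):
    """Domain part of a From address, tolerating the 'Name <user@host>' form."""
    return addr.rsplit("@", 1)[-1].strip(">").lower()


def link_hosts(text):
    return {urlparse(u).hostname or "" for u in URL.findall(text)}


def triage(msg):
    text = f"{msg.subject}\n{msg.body}"
    score, reasons = 0, []
    dom = sender_domain(msg.from_addr)
    brand_claimed = bool(BRAND_NAMES.search(text))
    from_brand = any(dom == d or dom.endswith("." + d) for d in BRAND_SENDER_DOMAINS)
    if brand_claimed and not from_brand:
        score += 3
        reasons.append(f"message invokes the brand but was sent from {dom}")
        # SPF/DKIM passing only proves the relay (here a notification service) is who it
        # says it is; it says nothing about the brand named in the body.
        if "spf=pass" in msg.auth_results and "dkim=pass" in msg.auth_results:
            reasons.append("authentication passes for the relay, not for the claimed brand")
    if URGENCY.search(text):
        score += 2
        reasons.append("urgency/threat wording")
    if LURES.search(text):
        score += 1
        reasons.append("reward or badge lure")
    hosted = {h for h in link_hosts(text)
              if any(h == t or h.endswith("." + t) for t in THIRD_PARTY_HOSTS)}
    if brand_claimed and hosted:
        score += 2
        reasons.append(f"brand-themed link on third-party hosting: {sorted(hosted)}")
    verdict = "likely phishing" if score >= THRESHOLD else "not flagged"
    return {"score": score, "verdict": verdict, "reasons": reasons}


def suspicious_form(fields):
    """Article's rule of thumb for a landing page: one form that asks for the password,
    more than one 2FA code and an identity document at the same time is a scam."""
    fields = {f.lower() for f in fields}
    wants_password = "password" in fields
    code_fields = sum(1 for f in fields if "code" in f)
    wants_id = any(k in f for f in fields for k in ("id_", "identity", "passport"))
    return wants_password and code_fields >= 2 and wants_id


# Constructed samples. The relay domain is a placeholder for the redacted real address.
LURE = Email(
    from_addr="Support <noreply@notifications.example>",
    subject="Your Facebook account has been reported for a policy violation",
    body="If there is no response within 24 hours, it will be permanently deactivated.\n"
         "Appeal here: https://help-center-appeal.netlify.app/verify",
    auth_results="spf=pass dkim=pass dmarc=pass")
GENUINE = Email(
    from_addr="security@facebookmail.com",
    subject="New login to Facebook",
    body="We noticed a new login from a browser you have not used before. "
         "If this was you, no action is needed: https://www.facebook.com/settings",
    auth_results="spf=pass dkim=pass dmarc=pass")
UNRELATED = Email(
    from_addr="noreply@notifications.example",
    subject="Inventory app: row updated",
    body="Row 42 of Stock was changed by a teammate. https://example.com/app",
    auth_results="spf=pass dkim=pass")

if __name__ == "__main__":
    for m in (LURE, GENUINE, UNRELATED):
        print(m.subject, "->", triage(m))
    print(suspicious_form(["password", "2fa_code_1", "2fa_code_2", "2fa_code_3", "id_photo"]))
```

The key design point is that the score for a brand mismatch is awarded regardless of the authentication results: a passing SPF/DKIM only vouches for the relay, which is exactly why the AppSheet route worked. The unrelated notification from the same relay scores zero, so the rule does not simply blacklist the service.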
Source: Guardio Labs
