
























Beware this free Facebook blue badge offer.
SOPA Images/LightRocket via Getty Images
A newly published security report has warned Facebook users to beware of emails promising, amongst other things, a free blue verification badge. The attack campaign, which Guard.io security researcher Shaked Chen said has already compromised 30,000 accounts, is linked to a Vietnamese criminal operation and has been named AccountDumpling. “Over the past few weeks, we tracked waves of emails aimed at Facebook users, page admins, and operators,” Chen warned, adding that the attacks were part of a “Facebook account hijacking ecosystem” and involved the use of emails that are delivered by Google.
ForbesMeta Discloses 2 WhatsApp Vulnerabilities In New Security Advisory
Like users of other major technology brands, Meta product users are in the crosshairs of threat actors seeking to compromise accounts and access user data. With some 3 billion users, it is no surprise that Facebook is often front and center of phishing attack campaigns. Earlier this year, I reported on a surge in such campaigns aimed at compromising Facebook account passwords, and now another report has warned of a new and dangerous attack called AccountDumpling that has already racked up tens of thousands of victims.
“Over the past few weeks, we tracked waves of emails aimed at Facebook users, page admins, and operators,” the Guard.io report confirmed. Although the researchers found that the attacks used different lures and post-click paths, the destination was always the same: “people controlling accounts with real financial value.” Indeed, the attackers appear to have turned Google AppSheet into what you might call a phishing relay as part of an exploit loop which ultimately “sells the stolen accounts back through a storefront run by the same hands.”
genuine resources for such account-compromising campaigns. PayPal users were targeted via a legitimate PayPal email at the end of 2025. This time it is Google that is being abused by the scammers to get the exploit ball rolling, something that we have seen before with Google features being used to distribute malicious emails originating from trusted Google infrastructure.
Forbes2.8 Billion Credentials Stolen As Password Attacks SurgeBy Davey WinderIn the case of the AccountDumpling Facebook campaign, the attackers are using the no-code Google AppSheet platform designed to automate workflows and notifications. The threat actors were found to be abusing the AppSheet notification mechanism to deliver phishing emails at scale. “There was no need for spoofing, no reliance on compromised Google accounts,” Chen confirmed, “just a service doing exactly what it was built to do.” As Chen said, a fully authenticated email proves only that the platform sent it, not that the message itself is trustworthy. And, oh boy, these ones certainly are not.
Although a number of different email messages were used, mostly of the panic-inducing variety, such as warnings that the recipient’s Facebook account would be disabled, or a copyright claim that needed to be addressed, the one that stood out for me was the blue badge offer. No panic required, just temptation. “Get your free blue Facebook badge,” the emails promised. No need to pay for a Meta Verified subscription, just jump through a few fake CAPTCHA and contact detail hoops, before entering a password and a few rounds of 2FA codes. The evasion stack used by the attackers for this particular lure was “the most layered we saw at the email stage.”Sender display names padded with spaces using Unicode invisible characters, body text with words broken halfway through to confuse contextual text detection and even Cyrillic homoglyphs in the footer Meta branding that looked identical to Latin characters.
I have reached out to Meta for a statement regarding the new attack campaign report and advice for Facebook users. In the meantime, however, there’s a useful support page at the Meta Help Center on how to avoid scams and phishing attempts that I recommend you refer to.
ForbesGmail Accounts Under Persistent Hacking Attacks—‘Always Be Wary’By Davey Winder此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。