Facebook blue badge scam hijacked 30K accounts: How to protect yours?

A massive phishing operation has compromised the security of more than 30,000 Facebook accounts worldwide.

The campaign abused legitimate Google infrastructure to deliver its phishing emails.

The campaign, named “AccountDumpling” by Guardio Labs, is associated with Vietnamese threat actors who have turned Google’s no-code AppSheet platform into a “phishing relay” to send completely authenticated malicious emails.

A Vietnamese individual named Pham Tai Tan was linked to the operation after metadata in a Canva-generated PDF revealed his identity.

How the attack works

Unlike traditional phishing, which relies on spoofed domains, these emails are sent from the legitimate address “[email protected]”. Because it is a Google-owned domain, the email appears completely legitimate.

Because the email passes SPF, DKIM, and DMARC authentication checks, it slips past the usual email security gateways and spam filters.

If the victim opens the malicious email, they are redirected to fake Facebook Help Centre pages hosted on Netlify or Vercel.

These webpages collect login credentials, 2FA codes, dates of birth, images of government IDs, and even screenshots of the browser.
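The defensive takeaway from this section is that passing SPF/DKIM/DMARC only proves the relay domain sent the mail, not that the brand named in the message did. The following is an added example, not code from the article or from Guardio, of a triage check that records the authentication result but bases its verdict on whether the impersonated brand matches the authenticated sender domain and on where the links point. The sample email, the relay domain, the official brand domain list and the hosting suffixes are all constructed or assumed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of the pattern the article describes: every auth check
# passes for the relay domain, yet the content impersonates Meta/Facebook.
SAMPLE_EMAIL = """\
From: "Meta Support" <noreply@relay.example.com>
To: victim@example.org
Subject: Claim your free Facebook blue badge today
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=relay.example.com;
 dkim=pass header.d=relay.example.com; dmarc=pass header.from=relay.example.com
Content-Type: text/plain; charset=utf-8

Your account is eligible for a free verified badge with no Meta Verified subscription.
Confirm within 24 hours: https://help-center-fb.netlify.app/verify
"""

BRAND_TERMS = ("facebook", "meta verified", "blue badge", "verified badge")
BRAND_DOMAINS = {"facebook.com", "facebookmail.com", "meta.com"}  # assumed official sender domains
FREE_HOSTS = (".netlify.app", ".vercel.app")                       # assumed static-hosting suffixes


def assess(raw: str) -> dict:
    """Return auth status plus a verdict that ignores auth and checks brand alignment."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    auth = (msg.get("Authentication-Results") or "").lower()
    auth_pass = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))
    body = msg.get_payload()
    text = f"{msg['Subject']}\n{body}".lower()
    brand_claimed = any(term in text for term in BRAND_TERMS)
    hosts = [u.split("/")[2].lower() for u in re.findall(r"https?://[^\s\"'<>]+", body)]
    reasons = []
    # Authenticated does not mean legitimate: the brand in the content must match the sender.
    if brand_claimed and sender_domain not in BRAND_DOMAINS:
        reasons.append(f"brand impersonation: claims Meta/Facebook but sent from {sender_domain}")
    if any(h.endswith(FREE_HOSTS) for h in hosts):
        reasons.append("link points to a free static-hosting domain")
    return {"auth_pass": auth_pass, "sender_domain": sender_domain,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    print(assess(SAMPLE_EMAIL))
```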

Fake “free blue badge” offer

Among other lures, the attackers offer a “free Facebook blue badge” that supposedly requires no Meta Verified subscription. Victims are walked through fake CAPTCHA tests and then asked to provide their passwords and 2FA codes.

Other lures include threats to permanently disable the victim’s account or demands to respond to a copyright claim.

How to save your Facebook account?

Most of the accounts at risk belong to users in the USA, Italy, Canada, the Philippines, India, Spain, Australia, the UK, Brazil, and Mexico.

Users are advised to turn on two-factor authentication, avoid clicking links sent by email, and never enter credentials after following an email link.