{“lastseen”:”2026-05-04T12:05:07″,”description”:”Researchers have uncovered a long-running phishing operation that abuses trusted Google services to hijack tens of thousands of Facebook accounts.\\n\\nThe compromised Facebook accounts are mainly business and advertiser profiles, which criminals can monetize after gaining access and control.\\n\\nThe attackers found a way to send phishing emails that come \u201cthrough Google,\u201d making them look legitimate at first glance. The emails are sent via Google\u2019s AppSheet platform, so they pass the usual technical checks (SPF, DKIM, DMARC), and many email filters treat them as trusted.\\n\\nGoogle AppSheet is a development platform that lets people build mobile and web apps without writing code. It can automate workflows and notifications, typically used to send app-driven alerts and internal updates.\\n\\nAnd that’s where the phishers abused it. The sender name can be customized, and the sending address may look something like `noreply@appsheet.com`, delivered through `appsheet.bounces.google.com`. To the average user, it looks like a perfectly normal notification, in these cases often about Facebook policy violations, copyright complaints, or verification issues.\\n\\nResearchers linked these emails to a Vietnamese\u2011linked operation that has already compromised around 30,000 Facebook accounts and is still active. \\n\\nThe stolen accounts are mostly pages and business profiles that have financial value: advertising accounts, brand pages, and companies that rely on Facebook for marketing. Once inside, attackers run scams, place fraudulent ads, or sell access to others. In some cases, the same group offers \u201caccount recovery\u201d services to fix the problems they created.\\n\\n* * *\\n\\n\\n\\n### Scam or legit? Scam Guard knows.\\n\\nTRY IT NOW\\n\\n* * *\\n\\nNo matter the lure, the goal is the same: Facebook credentials, 2FA codes, and recovery data. The phishing sites are just the entry point. Behind them is a fairly industrial infrastructure built around Telegram bots and channels to collect and process stolen data.\\n\\n## How to stay safe\\n\\nThis campaign is not \u201cjust another phishing mail.\u201d It is one more example of how attackers exploit the trust we place in major platforms.\\n\\nFacebook does not send complaints, verification requests, security checks, job offers, and other urgent messages through Google infrastructure.\\n\\n * Any email that claims your Facebook or Instagram account is about to be disabled, locked, or punished deserves extra scrutiny, especially if it demands action within 24 hours.\\n * If you get a worrying message about your account, go directly to facebook.com or the Facebook app. Don’t click links in the message.\\n * If a form asks for password, multiple 2FA codes, date of birthm phone number, and ID photos in one go, then stop. That’s the \u201cfull recovery pack\u201d these attackers need to take over your account.\\n * Set up 2FA for Facebook and set up login alerts for new devices and locations.\\n * Be cautious with unusual messages from Facebook accounts. The account itself may be compromised.\\n\\n\\n\\nPro tip: Malwarebytes Scam Guard can help you spot phishing emails and messages on any platform. You can even use it in Claude and ChatGPT.\\n\\n* * *\\n\\n\\n\\n### **Someone ‘s watching your accounts. **Make sure it’s us.\\n\\nPROTECT YOUR IDENTITY\\n\\n* * *”,”published”:”2026-05-04T11:41:04″,”modified”:”2026-05-04T11:41:04″,”type”:”malwarebytes”,”title”:”Thousands of Facebook accounts stolen by phishing emails sent through Google”,”source”:””,”references”:””,”id”:”MALWAREBYTES:E3B93C62BFB3468848F982ED4E5C09EC”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2026\/05\/thousands-of-facebook-accounts-stolen-by-phishing-emails-sent-through-google”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-04T12:05:07″,”description”:”Researchers have uncovered a long-running phishing operation that abuses trusted Google services to hijack tens of thousands of Facebook accounts.\\n\\nThe compromised Facebook accounts are mainly…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-51202","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n