Over 30,000 Facebook Accounts Targeted by New Blue Tick Phishing Scam

Thousands of Facebook users have fallen victim to a new phishing campaign that promises a free blue tick verification badge. Security researchers report that over 30,000 accounts may already be compromised. The campaign, known as Account Dumpling, targets accounts with financial or business value, including those run by creators, companies, and advertisers.

Key Highlights

• Over 30,000 Facebook accounts compromised by Account Dumpling phishing campaign.
• Attackers use Google AppSheet to send convincing phishing emails.
• Campaign targets accounts with financial or business value.
• Phishing emails offer free blue tick verification to lure victims.

Phishing Campaign Details

Researchers at Guard.io discovered the campaign, which uses convincing tactics to deceive users. Attackers send emails through legitimate platforms, making the messages appear authentic. In this case, the attackers used Google AppSheet, a platform intended for automation, to send phishing emails. These emails bypass many security filters because they come from a trusted source.

The phishing emails often warn recipients about potential account deactivation due to policy violations or copyright issues. In other cases, the emails offer a free verification badge, claiming no Meta subscription is needed. Once users click the provided link, they are led through fake verification steps, including CAPTCHA tests and login prompts. This process collects their login credentials and two-factor authentication codes.

Attackers' Techniques and Impact

The attackers use advanced methods to avoid detection. They insert invisible characters into email names and modify text to evade security algorithms while keeping the content readable for humans. Security experts believe the group behind the campaign operates from Vietnam and focuses on hijacking social media accounts to resell them.

The campaign's scale is significant, with more than 30,000 accounts affected, according to researcher Shaked Chen. The use of trusted platforms and sophisticated techniques makes it difficult for users to recognize the threat immediately.

Expert Advice for Users

Experts urge users to remain cautious and avoid clicking on suspicious links. They recommend relying only on official channels for account updates and verification processes. Users should be aware that Meta does not offer free verification badges through unofficial emails or third-party platforms.

Staying vigilant and following best security practices can help prevent account compromise. Users should also enable strong authentication methods and regularly review their account activity for any signs of unauthorized access.