The scheme uses Google AppSheet to host fake login forms, Netlify for a secondary phishing page, and Telegram to exfiltrate stolen Facebook credentials in real time.
How the Attack Works
Attackers have launched a sophisticated phishing campaign that leverages trusted platforms to steal Facebook account credentials. The campaign begins with phishing emails that use Google AppSheet to host malicious login forms. Because AppSheet is a legitimate Google service, the URLs appear trustworthy to both users and email security filters. If a victim enters their credentials on the AppSheet form, they are then redirected to a fake Facebook login page hosted on Netlify, another widely trusted web development platform.
The multi stage attack uses Telegram as its command and control channel. Stolen credentials are exfiltrated in real time to a private Telegram bot or channel, allowing the attackers to act on the data immediately. This combination of abusing three well known services makes the campaign difficult to detect and block using traditional security tools.
Impact and Scope
This phishing campaign poses a significant threat to Facebook users worldwide, as attackers can use compromised accounts to spread malware, post spam, or launch further social engineering attacks. The abuse of Google AppSheet, Netlify, and Telegram demonstrates a growing trend of attackers living off trusted platforms to bypass security measures. Security researchers have not linked this campaign to a specific vulnerability or CVE identifier, as the attack relies on social engineering and platform misuse rather than technical exploits. Organizations and individuals should remain vigilant against unexpected login prompts and verify URL authenticity before entering credentials.
Source: Cyber Security News
