Phishing Campaign Exploits Google AppSheet, Netlify, Telegram for Credential Theft

Security researchers identified a credential harvesting campaign that uses Google AppSheet for fake login pages, Netlify for redirection, and Telegram for data exfiltration.

CSBadmin

Attack Infrastructure and Method

A sophisticated phishing campaign has been uncovered that exploits legitimate cloud services to steal Facebook credentials. Attackers are abusing Google AppSheet to create fake landing pages and Netlify to host malicious redirects, making the phishing sites appear trustworthy. The Telegram API is then used to exfiltrate stolen credentials in real time, creating an automated pipeline for credential harvesting.

The attackers craft realistic notifications that mimic official Facebook security alerts, often claiming suspicious login attempts. Victims who click the links are routed through Netlify domains to Google AppSheet pages that closely resemble legitimate Facebook interfaces. Once victims enter their credentials, the data is sent directly to Telegram channels controlled by the attackers.
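A defender-side way to look for the chain described above in web proxy logs, as an added example that is not from the researchers or the original article: per client, it flags a visit to a Netlify-hosted site followed within a short window by an AppSheet page, and raises the severity if a request to the Telegram Bot API follows. The log format, the five-minute window, the sample lines, and the assumption that the Telegram request is made from the victim's browser (and is therefore visible to the proxy) are all assumptions.

```python
from datetime import datetime, timedelta

# Hostname suffixes of the three services named in the article.
NETLIFY, APPSHEET, TELEGRAM = ".netlify.app", ".appsheet.com", ".api.telegram.org"
WINDOW = timedelta(minutes=5)  # assumed correlation window, tune per environment

# Constructed proxy log lines: "<ISO timestamp> <client IP> <destination host>"
SAMPLE_LOG = """\
2024-01-01T09:00:00 10.0.0.5 example-redirect.netlify.app
2024-01-01T09:00:03 10.0.0.5 www.appsheet.com
2024-01-01T09:01:10 10.0.0.5 api.telegram.org
2024-01-01T09:02:00 10.0.0.7 www.appsheet.com
2024-01-01T10:00:00 10.0.0.9 docs-site.netlify.app
2024-01-01T10:30:00 10.0.0.9 www.appsheet.com
"""

def stage(host):
    """Map a destination host to its stage in the chain, or None."""
    host = "." + host.lower().rstrip(".")
    for name, suffix in (("netlify", NETLIFY), ("appsheet", APPSHEET), ("telegram", TELEGRAM)):
        if host.endswith(suffix):
            return name
    return None

def detect(log_text, window=WINDOW):
    """Return (client, severity, netlify_host) alerts; input must be time-ordered."""
    state, alerts = {}, []  # state: client -> last Netlify visit and its alert index
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts, client, host = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except (IndexError, ValueError):
            continue  # skip malformed lines
        kind = stage(host)
        if kind == "netlify":
            state[client] = {"t": ts, "host": host, "alert": None}
        s = state.get(client)
        if kind is None or s is None or ts - s["t"] > window:
            continue
        if kind == "appsheet" and s["alert"] is None:
            # Redirector followed by an AppSheet page: the lure path in the article.
            s["alert"] = len(alerts)
            alerts.append((client, "medium", s["host"]))
        elif kind == "telegram" and s["alert"] is not None:
            # Telegram Bot API call after the chain: possible credential exfiltration.
            alerts[s["alert"]] = (client, "high", s["host"])
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Because each service is legitimate on its own, the rule keys on the sequence rather than on any single domain; AppSheet traffic alone or a Netlify visit with no follow-up produces no alert.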

Impact and Scope

This campaign highlights a growing technique where attackers weaponize trusted platforms to bypass traditional security filters. The use of Google AppSheet and Netlify helps the phishing URLs evade detection by security tools that often whitelist these domains. Thousands of potential victims have been targeted, with the campaign primarily aimed at Facebook business account holders and advertisers.

Organizations relying on Facebook for marketing or customer engagement face elevated risk. Users should enable two-factor authentication on their accounts, scrutinize unexpected login alerts, and avoid clicking links in unsolicited messages. No CVE identifiers have been assigned because this campaign does not exploit software vulnerabilities but rather abuses legitimate services.

Source: Cyber Security News
