This Dangerous New Phishing Scam Spoofs a Top Google Program to Try and Hack Facebook Accounts

Cybercriminals are getting increasingly sophisticated in their phishing attacks, and the latest one is particularly disturbing. Researchers at KnowBe4 have discovered a new campaign that uses a legitimate Google service to bypass email protection mechanisms and deliver phishing emails directly to people's inboxes.

The attackers are using Google AppSheet, a no-code application development platform for mobile and web apps. Through its workflow automation features, they were able to send emails from the "noreply@appsheet.com" address. Because the messages genuinely originate from AppSheet's infrastructure, the sender address is convincing enough that even Microsoft's built-in email protections and traditional Secure Email Gateways (SEGs) failed to detect them.

The phishing emails are designed to mimic Facebook, complete with fake logos and branding. However, upon closer inspection, it becomes clear that something is off. The emails claim that the victim has infringed on someone's intellectual property and that their account will be deleted within 24 hours unless they submit an appeal through a conveniently placed "Submit an Appeal" button.

Clicking on the button leads the victim to a landing page impersonating Facebook. This page is hosted on Vercel, a reputable platform known for hosting modern web applications. The attackers have done their homework to make this look as legitimate as possible, with a convincing design and layout.

The attack has several contingencies to ensure its success. When the victim attempts to log in, they are met with a "wrong password" error message. This is not because the victim typed in the wrong credentials; it prompts them to enter the password a second time, which confirms to the attackers that the submitted credentials are correct. Additionally, the 2FA codes the victim enters are immediately submitted to Facebook by the attackers, who in return receive a session token that grants them persistence even after a password change.
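A mail-filter heuristic built around the indicators described above (a brand claimed in the display name and body that does not match the sending domain, a no-code relay sender, urgency language, and a landing page on shared hosting), written as an added example that is not part of the KnowBe4 research or the article. The sample message is constructed to resemble the campaign, and the domain lists and indicator names are assumptions chosen for the example.

```python
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample modelled on the campaign described above; not a real capture.
SAMPLE = b"""From: Facebook Support <noreply@appsheet.com>
To: victim@example.com
Subject: Your account will be deleted in 24 hours
Content-Type: text/html

<html><body><p>Facebook received a report that your page infringes
intellectual property.</p>
<p>Your account will be deleted within 24 hours unless you appeal.</p>
<a href="https://fb-appeal-center.vercel.app/login">Submit an Appeal</a>
</body></html>
"""

BRAND_DOMAINS = {"facebook": {"facebook.com", "facebookmail.com"}}  # assumed allow-list
RELAY_SENDERS = {"appsheet.com"}      # legitimate platform abused as a relay (article)
HOSTING_DOMAINS = {"vercel.app"}      # hosting used for the landing page (article)
URGENCY = re.compile(r"\b(24 hours|deleted|suspended|appeal)\b", re.I)
HREF = re.compile(r'href="([^"]+)"', re.I)

def registrable(host):
    """Crude eTLD+1: last two labels (sufficient for the domains used here)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def analyse(raw):
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = msg["from"]
    sender_domain = registrable(sender.addresses[0].domain) if sender and sender.addresses else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    indicators = []
    # Which brand does the message claim to be? Look at display name and body.
    claimed = {b for b in BRAND_DOMAINS if b in (str(sender) + text).lower()}
    link_domains = {registrable(urlparse(u).hostname or "") for u in HREF.findall(text)}
    for brand in claimed:
        if sender_domain not in BRAND_DOMAINS[brand]:
            indicators.append(f"brand_mismatch:{brand}!={sender_domain}")
        if link_domains - BRAND_DOMAINS[brand]:
            indicators.append("link_domain_mismatch")
    if sender_domain in RELAY_SENDERS:
        indicators.append("abused_relay_sender")
    if link_domains & HOSTING_DOMAINS:
        indicators.append("landing_on_shared_hosting")
    if len(URGENCY.findall(text)) >= 2:
        indicators.append("urgency_language")
    return {"sender_domain": sender_domain, "links": sorted(link_domains),
            "indicators": indicators, "flag": len(indicators) >= 3}
```

The brand mismatch check is the durable signal: SPF and DKIM pass for the AppSheet relay, so authentication results alone will not catch this class of message.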

The KnowBe4 researchers have warned that these attacks are highly sophisticated and can bypass traditional detection systems. They urge users to be cautious when receiving unsolicited emails and to never submit their login credentials or 2FA codes through suspicious links.

Stay safe online by being vigilant about phishing attacks. If you're a business looking to protect your employees from these types of threats, consider using a cybersecurity platform like Keeper Personal, Family, or Business. These solutions offer advanced features like password managers, digital vaults, and breach alerts to help keep your data secure.
