Facebook is connecting not only old friends, but also new criminals.
Researchers uncovered more than 70 Facebook groups openly selling black-market cyberfraud services, some of which they say had been running for up to eight years.
The now-removed groups had more than 385,000 members in total and offered a variety of illegal services, from credit card information and identity theft to website hacking and email phishing, according to cybersecurity researchers at Talos, the threat intelligence division for the technology company Cisco.
By searching for a few well-known fraud terms, the researchers exposed a sizable online black market hiding in plain sight on the world’s most popular social media site.
“Selling CVV fresh $5” read one post for stolen credit card numbers. “100k mail list fresh” touted another from the “Professional Spammer’s and Hacker’s [sic]” page. Both posts included purported screenshots of their wares.
Crime amped by algorithm
Facebook's recommendation system appeared to amplify the issue. After the researchers joined video game cheat groups, they found that Facebook began suggesting they join groups advertising more serious cybercriminal activity.
“Facebook's algorithm that's designed to connect users with similar hobbies is also picking up on keywords between these different types of criminal groups,” said Craig Williams, a director for Talos.
“Unfortunately, instead of connecting people with positive hobbies, it's connecting people with criminal means,” and promoting hacking tools to the general public, he said.
A Facebook spokesperson confirmed the company took down the pages, most of which they said were created in 2018, after being notified by the Talos researchers. The social media network also blocked the ability of the administrators behind the removed pages to create new groups, removed any pages, groups, and accounts associated with those administrators, and are continuing to investigate.
But NBC News was able to find Facebook hosting other groups still active. Some of them had names that were the same as those flagged by the researchers, or only slight variations thereof. After being notified by NBC News, Facebook investigated and took these groups down as well.
The groups’ participants weren’t shy about their interests.
“Hi, Im looking any botnet, for steal bank info,” read a post in a group called “BotNet,” referring to networks of compromised digital devices that can be remotely controlled to execute malicious actions.
Other active pages advertised false identification documents, including driver’s licenses, passports, Social Security numbers and green cards.
These groups are just a few examples of the vast constellation of online marketplaces that extend beyond Facebook in which fraudsters can sell their tools.
Recent attention has focused on illicit sales in the so-called “dark web,” an anonymous system of sites accessible only via specialized web browsers.
Law enforcement action has shut down some dark-web sites, and encouraged other operators to consolidate or sell their forums, according to Tom Kellermann, chief cybersecurity officer at Carbon Black, a digital security company.
But any online site can be exploited to become a forum for cyberfraud — even those more known for cute grandkid photos and viral puppy videos.
“Users of the platform should not be surprised that criminal groups would come to these platforms to do their business. They're wide-open spaces,” said Clint Watts, a former FBI counterterrorism agent and an NBC News contributor. “You have anonymity in terms of who the users are and you can reach a wide audience. It's a dream come true if you want to do criminal activity.”
Researchers also found that if a user’s friend joined one of these groups, Facebook could end up recommending the illicit group to their friends or family members.
It’s unknown how many of the postings resulted in successful transactions or whether some of the services were themselves fraudulent. Some of the posts the researchers found showed replies back and forth between accounts purporting to be sellers and potential buyers.
But at least one service appeared to be linked to actual criminal activity detected off Facebook, according to the Talos report.
One spammer the researchers found promised to deliver fake Apple invoices to Hotmail and Yahoo inboxes. The screenshot the spammer used in their post matched up with phishing emails Talos identified elsewhere. The links in the phony invoices directed to an internet protocol address known to have hosted other suspicious domains that appeared to impersonate account verification sites for Apple and other companies, the Talos report said.
Facebook cracks down
“These Groups violated our policies against spam and financial fraud and we removed them,” a Facebook spokesperson said in an emailed statement. “We know we need to be more vigilant and we're investing heavily to fight this type of activity.”
The company recommends users who spot abusive content or spam to click a “Give feedback” link near the post and select “Report to admin” to notify the page admin moderator or “Report post” to flag it to Facebook.
Facebook removed 1.3 billion pieces of posted spam from July to September 2018, according to its most recent community standards enforcement report. That year it said it doubled the number of employees working on safety and security to 30,000.
Last April, Facebook removed almost 120 discussion groups for cyberfraud, with more than 300,000 members identified by independent security reporter Brian Krebs after two hours of work. Those groups also used well-known phrases for online fraud terms in their names.
But the issue is worse than whack-a-mole. Facebook can take down individual accounts and pages, only to have new ones crop up in their place, accessible just by entering search terms in the bar at the top of every Facebook user’s page. And Facebook’s group and friend recommendation systems can draw in members to refill the cyberfraud groups’ ranks.
Real solutions will require deeper thinking and more proactive intervention, experts say.
“Facebook has sequentially dealt with each threat one by one, and they really haven't gotten to the level yet either in terms of staffing or strategy of thinking holistically about their platform and how to go at fraudsters or criminal groups that are repeating the same activity time and time again,” Watts said.