There’s no denying that the past 18 months have been difficult ones for Facebook. Not only has the popular social media platform faced public outcry and regulatory attention over its data privacy practices, but also it has been accused of giving “fake news” a place to spread, a way for hate groups to disseminate their ideas, and a place for conspiracy theories to gain credence. And now there’s growing concern that the social media platform has become a destination for Facebook cybercrime groups to conduct their activities in plain sight. Cisco’s Talos cybersecurity division, for example, recently highlighted the existence of 74 Facebook cybercrime groups with over 385,000 members.
Findings from Talos on Facebook cybercrime groups
What is particularly disturbing about the findings from the Talos security unit is just how brazen these groups on Facebook are. Some of them have obvious names, with words like “Buy CVV,” “Spammer,” “Spam Carding or CVV,” “Hacker” or “Phishing” right in their title. That makes them easy to find even for the casual user. You don’t need to travel to the deepest reaches of the Dark Web to find these Facebook cybercrime groups. All you need to do is a basic search for a popular hacking term, and you’ll find these groups. And once you’ve joined one of these groups, the Facebook algorithm will often go to work, recommending similar groups for you to join.
The range of activities conducted by these Facebook cybercrime groups range from the unethical and shady to the outright illegal. For example, there are Facebook cybercrime groups where you can buy and sell credit card information from users, buy and sell login credentials, and even buy forged documents. You can also find groups that specialize in moving around large sums of money (sometimes in excess of $100,000), or that can provide “shell” email addresses for just about any organization or government agency in the world. It’s literally an “online criminal flea market” that breaks all of Facebook’s spam and financial fraud rules.
In fact, the activities are so brazen and so in your face that these cyber criminals boldly advertise the prices for their services. It costs just $5-$10 for a set of credit card numbers, and anywhere from $25-$30 for account login credentials. There are also specific prices for anything from money laundering to document forging. Since there are so many of these Facebook cybercrime groups, you can literally browse around for the best offer.
What’s worrisome, too, is just how “normalized” all of this cybercrime activity has become on Facebook. There are well-known designations for how transactions need to work. For example, given the overall shadiness that pervades these groups, most transactions are on a “you first” basis. On Facebook, that translates into well-known lingo like “uf” or “u_f.” And group members proudly post photos of products purchased as a result of their latest phishing expeditions, or update the group with images needed to verify the veracity of any of the documents for sale. For example, photos of stolen credit cards can include images of the “CVV” on the back of the card, in addition to photos of the person to whom the card belong.
Facebook needs to do more to crackdown on Facebook cybercrime groups
Given the sheer amount of activity happening in Facebook cybercrime groups, why isn’t Facebook HQ cracking down on all this stealth activity? According to Talos, some of these cybercrime groups have been around for nearly a decade. And every time there is an effort to delete these groups, similar groups with similar names pop up immediately. In fact, some security researchers have compared this to the problem of “killing cockroaches” – for every 10 that you kill, there are 20 more that you don’t know about and that will appear soon.
Thus, in many ways, Facebook has simply thrown up its hands. Claiming that it is doing everything in its power to stop these groups, Facebook has made the case that it can somehow self-regulate its way out of this mess. For example, Facebook says it now has more than 30,000 people around the globe working on “safety and security.” And, in response to the Talos report, Facebook moved to erase the 74 cybercrime groups specifically highlighted.
But where have we heard this before? In April 2018, noted security researcher Brian Krebs reported 120 different Facebook cybercrime groups with over 300,000 members. These Facebook cybercrime groups were involved in everything from phishing and spamming to botnet attacks and massive DDOS attacks for hire. In response, Facebook disabled the groups. But guess what? New groups with similar names soon appeared, and now one year later, we’re talking about the same problem and the same scale. Moreover, new groups continue to pop up.
One problem, say security researchers, is that Facebook continues to hide behind Section 230 of the Communications Decency Act. This is what protects Facebook from liability in the event that someone uses hate speech on the platform, or in the event that cyber criminals use the platform for nefarious purposes. If Facebook is just a social media platform, then regulators can’t go after Facebook specifically for fines or punishments, even if groups violated certain rules. In the meantime, Facebook can continue to make the case that it takes the matter very seriously and that it will do everything possible to end this abuse. As one Facebook spokesperson noted in response to the Talos report, “We’re investing heavily to fight this type of activity.”
And, indeed, it may be unfair to blame Facebook completely. There are literally 2 billion people on the platform, and even security researchers say enforcement of policies is equivalent to playing a game of “whack-a-mole” that you can never win. The size of the Facebook cybercrime groups is about the size of a large metropolitan city, so there are bound to be some bad actors out there engaging in activities like buying and selling stolen credit card numbers.
Clearly, getting rid of this problem is going to require some form of joint coordination. Facebook, for its part, needs to crack down even harder on these groups. At the very least, the Facebook algorithm shouldn’t make these groups easy to find for anyone. And Facebook users need to remain vigilant, too. If they run across these Facebook cybercrime groups, they should report them immediately. And, finally, legislators need to take a more serious look at steps that they can take to regulate the social media giant directly and fight this type of activity, without waiting for Facebook to self-regulate the problem away.