Dozens of groups composed of around 385,000 people convened to discuss and participate in dubious or illegal services - not on the dark web but on Facebook - according to Cisco's Talos security team.
Selling and trading stolen credit card numbers, identity data, contraband and the like has long occurred on internet forums, gated or otherwise, and servers accessible through the Tor network or the Invisible Internet Project (I2P).
But it may surprise you to learn that carding, identity theft and spamming services also flourish on Facebook, recently in the news for live streaming hate killings in New Zealand. That's despite years of criticism over ineffective oversight and the hiring of low-wage content scrubbers.
In a report published on Friday, Cisco's Talos security biz observed that "instead of wheeling-and-dealing using hidden servers on some mysterious dark web address, a surprisingly large number of cyber scofflaws prefer to operate right out in the open using social media."
Talos found 74 groups on Facebook with names like "Spam Professional," "Spammer & Hacker Professional," "Buy Cvv On THIS SHOP PAYMENT BY BTC," and "Facebook hack (Phishing)." While most of these groups appeared recently, some have been operating for as long as eight years, despite past reports alerting Facebook to the issue.
Hiding in plain sight
According to Talos, some of the activities promoted by these Facebook groups are obviously illegal, like selling credit card data dumps, and associated information like photos and identification documents to facilitate identity theft. Other products and services like email lists and spamming could be unlawful or not. Payment often involves cryptocurrencies.
The security firm acknowledged not all of these groups may be intent on breaking the law or capable of doing so, but the biz claimed some of the individuals involved in these groups show up in the company's telemetry data for phishing attacks detected online. These groups are not just blowhards and curiosity seekers; they include actual cyber thieves.
Finding these groups can be a challenge. It requires logging into Facebook and typing a search query like "carding" or "cvv," exhausting though that might be. But Facebook will thoughtfully offer search suggestions like "cvv dumps" or "cvv credit card" if your initial query didn't quite lead you to the appropriate den of iniquity. And, as the Talos post observes, once you have joined one of these groups, Facebook will suggest groups with similarly shady interests.
Facebook has a reporting mechanism, which Talos used, but the result amounted to a game of Whac-A-Mole. "While some groups were removed immediately, other groups only had specific posts removed," the firm said. "Eventually, through contact with Facebook's security team, the majority of malicious groups was quickly taken down, however new groups continue to pop up, and some are still active as of the date of publishing."
Among search engines, these sorts of concerns go back decades. Back in 2005, Google, among other search engines, pointed to stolen identities and credit card numbers on demand. And not much has changed. The appropriately worded query will still turn up what appears to be sensitive personal data.
Facebook has received similar reports from security researchers in the past and has removed malicious groups. But they've just reappeared, because addressing the symptoms doesn't cure the underlying problem – if you let people publish anything, they will actually do so.
In a comment emailed to The Register, a Facebook spokesperson said: "These Groups violated our policies against spam and financial fraud and we removed them. We know we need to be more vigilant and we're investing heavily to fight this type of activity." ®