You might be surprised what you can buy on Facebook, if you know where to look. Researchers with Cisco’s Talos security research team have uncovered a wave of Facebook groups dedicated to making money from a variety of illicit and otherwise sketchy online behaviors, including phishing schemes, trading hacked credentials and spamming. The 74 groups researchers detected boasted a cumulative 385,000 members.
„Instead of wheeling-and-dealing using hidden servers on some mysterious dark web address, a surprisingly large number of cyber scofflaws prefer to operate right out in the open using social media,” the researchers said on Talos’ blog. For example, Facebook is host to dozens of groups that serve as online marketplaces and exchanges for cybercriminals. Talos saw spam from services advertised in these Facebook groups show up in their own telemetry data, indicating a potential impact to Cisco customers from these groups.
Over the past several months, Cisco Talos has tracked several groups on Facebook where shady (at best) and illegal (at worst) activities frequently take place. The majority of these groups use fairly obvious group names, including „Spam Professional,” „Spammer & Hacker Professional,” „Buy Cvv On THIS SHOP PAYMENT BY BTC 💰💵,” and „Facebook hack (Phishing).” Despite the fairly obvious names, some of these groups have managed to remain on Facebook for up to eight years, and in the process acquire tens of thousands of group members.
In all, Talos has compiled a list of 74 groups on Facebook whose members promised to carry out an array of questionable cyber dirty deeds, including the selling and trading of stolen bank/credit card information, the theft and sale of account credentials from a variety of sites, and email spamming tools and services. In total, these groups had approximately 385,000 members.
These Facebook groups are quite easy to locate for anyone possessing a Facebook account. A simple search for groups containing keywords such as „spam,” „carding,” or „CVV” will typically return multiple results. Of course, once one or more of these groups has been joined, Facebook’s own algorithms will often suggest similar groups, making new criminal hangouts even easier to find. Facebook seems to rely on users to report these groups for illegal and illicit activities to curb any abuse.
Talos initially attempted to take down these groups individually through Facebook’s abuse reporting functionality. While some groups were removed immediately, other groups only had specific posts removed. Eventually, through contact with Facebook’s security team, the majority of malicious groups were quickly taken down; however, new groups continue to pop up, and some are still active as of the date of publishing. Talos continues to cooperate with Facebook to identify and take down as many of these groups as possible.
This is not a new problem for Facebook. In April 2018, security reporter Brian Krebs alerted the social media site to dozens of Facebook groups wherein hackers routinely offered a variety of services including carding (the theft of credit card information), wire fraud, tax refund fraud and distributed denial-of-service (DDoS) attacks. Months later, though the specific groups identified by Krebs had been permanently disabled, Talos discovered a new set of groups, some having names remarkably similar, if not identical, to the groups reported on by Krebs.
Inside the online criminal flea market
Many of the activities on these pages are outright illegal. For example, Talos discovered several posts where users were selling credit card numbers and their accompanying CVVs, sometimes with identification documents or photos belonging to the victims.
Other products and services were also promoted. „We saw spammers offering access to large email lists, criminals offering assistance moving large amounts of cash, and sales of shell accounts at various organizations, including government. We even saw users offering the ability to forge/edit identification documents,” according to Talos’ researchers.
The majority of the time, these sellers asked for payment in the form of cryptocurrencies. Others used so-called „middlemen” who act as a go-between for the buyer and the seller of the information and take a cut of the profits. These users usually promoted the use of PayPal accounts to complete the transaction.
It’s unclear based on these groups how successful or legitimate some of the users are. There are often complaints posted by group members who have been scammed by other group members. In most groups, there is a particular etiquette and form to the posts. Typically sellers will describe what they have versus what they want. Almost all transactions are „you first” (written as „U_f,” „uf,” etc.), meaning the person interested in making the purchase or trade has to pay or provide their service or product up front. Like many other Facebook groups, these scammer groups also exist as a forum for scammers to share jokes about some of their less successful campaigns.