Facebook closes groups that offered phishing services, hacked data for sale to thousands of members

Researchers at Cisco Talos uncover 74 Facebook groups being used for illicit activity by hundreds of thousands of users.
Written by Danny Palmer, Senior Writer

A series of Facebook groups with almost 400,000 users have been removed after cybersecurity researchers found they were openly being used to sell hacked personal data, offer phishing services and engage in other illicit behaviour.

While many cyber criminals opt to use underground forums on the dark web to trade data and services, researchers at security company Cisco Talos have detailed how 385,000 Facebook users were found to be members of 74 groups focused on highly suspicious activity. Some of the groups had been active on Facebook since 2011 and had acquired tens of thousands of group members.

These Facebook groups aren't even difficult to find, with researchers noting how anyone with a Facebook account who searches for keywords such as "spam," "carding," or "CVV" will see multiple search results.

Once a user joins one group, they're also easily able to access many more without even actively searching, because Facebook's engagement algorithms offer up similar groups, making them easy to find.

"When you join one group, Facebook automatically recommends similar groups. This is a great way to help users discover communities," Martin Lee, outreach manager at Cisco Talos told ZDNet. "But there is a flip side. Think of it this way – if you joined a group designed to help you 'cheat' at a video game, it's possible you get served up similar 'cheating' groups that trade in illegal services."

In many cases, a look at the contents of the pages reveals illegal activity, with users openly selling stolen credit card numbers, identities and other information which could be used to conduct fraud.


Other illicit activity on display in these Facebook groups included users selling lists of email addresses for use in spam and malware campaigns, stolen login credentials allowing access to corporate and government accounts, and criminals offering money laundering and transfer services, usually involving cryptocurrency.

There's also evidence which suggests that some of the services on offer aren't real; rather, some users are actively trying to use Facebook to scam others in the group.

Cisco Talos researchers attempted to take down the groups by using Facebook's abuse-reporting function – a tactic that saw some groups removed, while others just saw individual posts removed.

Researchers eventually made direct contact with Facebook's research team about the groups, which resulted in the majority of groups being taken down.

"These Groups violated our policies against spam and financial fraud and we removed them. We know we need to be more vigilant and we're investing heavily to fight this type of activity," a Facebook spokesperson told ZDNet.

The situation represents an ongoing problem for Facebook, which had to remove a number of groups conducting cyber-criminal activity last year. However, new groups have continued to spring up in the past 12 months and some groups managed to avoid removal during the last takedown.

Cisco Talos continues to work with Facebook to identify and take down new, suspicious and illegal groups as they emerge.

"There is no magic bullet here. Criminals are adept at abusing social platforms. To remove these activities we all need to work together," said Lee.

"Platform administrators need to play their part in identifying and removing malicious groups. The wider security community must work together to actively share information, take action and inform our customers.

"But also users need to be proactive in reporting abuse when they encounter it to help take down these groups," he added.

