April 16, 2018

Hours after being alerted by KrebsOnSecurity, Facebook last week deleted almost 120 private discussion groups totaling more than 300,000 members who flagrantly promoted a host of illicit activities on the social media network’s platform. The scam groups facilitated a broad spectrum of shady activities, including spamming, wire fraud, account takeovers, phony tax refunds, 419 scams, denial-of-service attack-for-hire services and botnet creation tools. The average age of these groups on Facebook’s platform was two years.

On Thursday, April 12, KrebsOnSecurity spent roughly two hours combing Facebook for groups whose sole purpose appeared to be flouting the company’s terms of service agreement about what types of content it will or will not tolerate on its platform.

One of nearly 120 different closed cybercrime groups operating on Facebook that were deleted late last week. In total, there were more than 300,000 members of these groups. The average age of these groups was two years, but some had existed for up to nine years on Facebook

My research centered on groups whose singular focus was promoting all manner of cyber fraud, but most especially those engaged in identity theft, spamming, account takeovers and credit card fraud. Virtually all of these groups advertised their intent by stating well-known terms of fraud in their group names, such as “botnet helpdesk,” “spamming,” “carding” (referring to credit card fraud), “DDoS” (distributed denial-of-service attacks), “tax refund fraud,” and account takeovers.

Each of these closed groups solicited new members to engage in a variety of shady activities. Some had existed on Facebook for up to nine years; approximately ten percent of them had plied their trade on the social network for more than four years.

Here is a spreadsheet (PDF) listing all of the offending groups reported, including: Their stated group names; the length of time they were present on Facebook; the number of members; whether the group was promoting a third-party site on the dark or clear Web; and a link to the offending group. A copy of the same spreadsheet in .csv format is available here.

The biggest collection of groups banned last week were those promoting the sale and use of stolen credit and debit card accounts. The next largest collection of groups included those facilitating account takeovers — methods for mass-hacking emails and passwords for countless online accounts such Amazon, Google, Netflix, PayPal, as well as a host of online banking services.

This rather active Facebook group, which specialized in identity theft and selling stolen bank account logins, was active for roughly three years and had approximately 2,500 members.

In a statement to KrebsOnSecurity, Facebook pledged to be more proactive about policing its network for these types of groups.

“We thank Mr. Krebs for bringing these groups to our attention, we removed them as soon as we investigated,” said Pete Voss, Facebook’s communications director. “We investigated these groups as soon as we were aware of the report, and once we confirmed that they violated our Community Standards, we disabled them and removed the group admins. We encourage our community to report anything they see that they don’t think should be in Facebook, so we can take swift action.”

KrebsOnSecurity’s research was far from exhaustive: For the most part, I only looked at groups that promoted fraudulent activities in the English language. Also, I ignored groups that had fewer than 25 members. As such, there may well be hundreds or thousands of other groups who openly promote fraud as their purpose of membership but which achieve greater stealth by masking their intent with variations on or mispellings of different cyber fraud slang terms.

Facebook said its community standards policy does not allow the promotion or sale of illegal goods or services including credit card numbers or CVV numbers (stolen card details marketed for use in online fraud), and that once a violation is reported, its teams review a report and remove the offending post or group if it violates those policies.

The company added that Facebook users can report suspected violations by loading a group’s page, clicking “…” in the top right and selecting “Report Group”. Users who wish to learn more about reporting abusive groups can visit facebook.com/report.

“As technology improves, we will continue to look carefully at other ways to use automation,” Facebook’s statement concludes, responding to questions from KrebsOnSecurity about what steps it might take to more proactively scour its networks for abusive groups. “Of course, a lot of the work we do is very contextual, such as determining whether a particular comment is hateful or bullying. That’s why we have real people looking at those reports and making the decisions.”

Facebook’s stated newfound interest in cleaning up its platform comes as the social networking giant finds itself reeling from a scandal in which Cambridge Analytica, a political data firm, was found to have acquired access to private data on more than 50 million Facebook profiles — most of them scraped without user permission.

84 thoughts on “Deleted Facebook Cybercrime Groups Had 300,000 Members

    1. Jon Marcus

      Be nice if Facebook had exercised that same level of diligence.

        1. Quid

          The keyword page doesn’t appear to work, perhaps because I’m “not of the body” (community) and not logged in.

          1. B_brodie

            +1 for Star Trek reference

            “guide me Landru “

        2. Sharon H

          Nice work, Brian. Thank you for keeping us informed.

      1. Steve

        FB clearly hasn’t been looking for this. Their organization has grown an such an exponential rate that if it looks very amateurish in how it’s being run/managed, that’s because it is. Security has never been on their minds until they were embarrassed about their lack of it. Even now, I question their commitment to have Security as one of their pillars.

  1. Cameochi

    Kudos for getting the bad groups removed. It’s a good start but there are many bad members as well who are there to stir the pot. Their pages have no info, no friends, etc. because they are paid trolls. The ones I see are alt-right but there are probably plenty of alt-left pages as well.

    I reported a scam via a private message to me in Russian saying that my account would be gone if I did not share all of my contacts. The sender claimed to be Mark! I reported it and they did absolutely nothing! They said they cannot control spam. A few days later, that scam was mentioned on one of my geek sites and they had a problem with it too.

    Up until very recently, FB blew their members off as they were more concerned about profits than the safety of their members. Let us hope that they have had a real wakeup call and will actually clean up FB.

    1. plb4333

      FB will always put money 1st. The way they see it, users don’t matter really, except for their data/money. Even a few years back, Mark said the less privacy a user has, the more money he makes…He won’t change unless forced to..

  2. The Sunshine State

    A lot of those Facebook groups have to do with tech support scams that originate in India

    1. John Clark

      Another popular scam/business practice is using employment recruiting bodyshops based in India. They claim to be in the US but it simply not true. They cold-call and email claiming to be based in various US cities but speak with very heavy accents and if you get an email they include linkedin profiles that are obviously in India. Just got one from Vietnam. Since they can’t be honest about where they are, how come we are expected to trust them with our SSN and DOBs?

  3. JCitizen

    I knew they were going after terrorist and fake news groups, but this is surprising! Who knew it was going on so long? I’m no stranger to complaints from friends who’s accounts were taken over, and other messenger attacks, but I just didn’t even think about groups sitting there right on the same platform they abused!!!

  4. Jon Etkins

    One would hope that FB would look into accounts that were subscribed to these groups – or at least those that were common to several groups.

    1. Harry the D

      Brian stated his methodology in the article, had you bothered to read it: “Virtually all of these groups advertised their intent by stating well-know [sic] terms of fraud in their group names, such as “botnet helpdesk,” “spamming,” “carding” (referring to credit card fraud), “DDoS” (distributed denial-of-service attacks), “tax refund fraud,” and account takeovers.”

  5. Paul

    Delete your facebook account and never look back!

  6. Andrew Strutt

    Our administrators, and moderators have been reporting groups, and users fruitlessly. It’s nice to finally see some action out of Facebook.

    We’ve reported thousands of accounts, groups, and pages, and nearly 99 in 100 are replied with “not against community guidelines”

    1. John Clark

      I have reported scammer on a California based hosting service (DreamHost) and they claimed they are “Not a Tier of Truth” and refused to take down the scammer. The scammer poses as an employment recruiting company. He has created more than 50 domains with matching emails.
      Hosting companies and Facebook just don’t care as long as they continue to get money.

  7. how can we help?!

    I’m so glad we have someone like you watching out for this stuff. I’m guessing it (they) never would have been removed if someone like you hadn’t reported it.

    What can we do as regular citizens to help with things like this? It seems so hopeless.


    1. Bruce Hobbs

      Facebook has thousands of employees and is constantly bragging about their tech prowess. Why can’t Facebook do this themselves? That’s the question I always ask when reporting a fake news story.

      1. John Clark

        Its all about money. There is no profit to be made removing groups and users.

  8. Jim Skott

    It would be nice to see Facebook use its infamous data harvesting logarithms for detecting scams and fraud instead of using them to pad its bottom line. Thank you, Mr Krebs.

  9. Eric

    So I guess they deleted the groups, but didn’t delete the accounts of the people who belonged to them.

      1. Chris Nielsen

        “…and once we confirmed that they violated our Community Standards, we disabled them and removed the group admins.”

        Did you hear that sound? It was a big “Ouch” as the admins were slapped on the wrist. While better than nothing, I would have liked to see them at least suspend user accounts for a day who had joined those groups with a message why. I first thought the accounts should be deleted, but some members may be more curious about what goes on rather than active in the crimes.

        Suspending accounts for a day would have sent a powerful message without causing any real harm to users and reinforce the idea that FB is serious about protecting it’s platform.

      2. Vog Bedrog

        Given that they had direct evidence of criminal activity it would be nice if FB had reported this to some authorities too. Granted there would be plenty of fake profiles, but it’s not as though FB aren’t able to assist in unmasking them.

        1. John Clark

          There is no money to be made by providing information to law enforcement. These popular tech companies often declare that they want to make it difficult for law enforcement to stop criminals.

          1. Reader

            Worse, deleting too many active users is counterproductive to their stock price. They don’t care if users are carders, child abusers, or celebrities. Every active user holds value for a company based in selling its users for advertising.

  10. raincoaster

    This is your periodic reminder that “security professional” Hector Monsegur started out as a carder on Facebook.

  11. Gary

    And we are told there are no fake accounts on Facebook. So I assume all these criminals used their real names and photos.

    1. Vog Bedrog

      Oh I hope not! Cambridge Analytica will have compromised all their privacy, poor schmoes.

    2. Anna Nyms

      I’m no criminal, but have had multiple Facebook accounts in the past as well. There are many good reasons for not using your real name on Facebook. Since Facebook can’t be trusted not to share your user data, I’m now glad I use a pseudonym or annanym ;).

  12. rip

    To be an employee at fb (or google or any social platform), you have to understand the need for business (new customers and new sponsors) vs. maintenance (caring about those customers.)

    If you as an employee point out significant problems such as rampant data harvesting and sharing that might impact the business, you are in trouble.

    Maintenance (and that includes security, helping the proles) is a money-suck.

    I don’t care what zuck or anyone else says – their model is to get rich quick and leave the detritus to the stoopids.

  13. Chip Douglas

    Too little too late. If it were not Brian pointing it out it likely would not have gotten a positive response. They are only interested if it might cause them more bad press to ignore.

  14. Scott

    I wish you would make your site mobile optimized. It’s essentially impossible to read on a phone.

  15. John Davidson

    I have reported about a dozen. I eagerly await Facebook’s response, which will be “does not violate our community standards”.

    1. ])ark])ad

      hmmmmm… could it be that those replies from FB stating “does not violate our community standards” are insiders who may perpetrate this illegal activity and are avoiding being shut down?

      does make one wonder.

      Zuck mentioned 20,000 employees working on screening and yet Brian finds numerous ones with simple searches. Sounds like they’re hiring slackers.

      1. John Clark

        those 20,000 people are probably based in India (and other countries) and are just going through the motions doing only what they are told to do and nothing more since that is what the contract calls for. They are not being paid to show initiative, and do any out-of-the-box activities.

  16. posterboy

    It’s great when someone with mountains of resources can step in and help a tiny firm like Facebook do things right. They’ll at least have a start when they can afford a part-timer.

  17. Mikey Doesn't Like It

    Wouldn’t it be nice if FB collected the IP addresses and other info that might help law enforcement identify some of the bigger players…

  18. Joseph Lalli

    I made a similar comment in the past, and it bears repeating:

    Why should we have to rely on Brian Krebs, a solo operator, to root out malfeasance? Where is law enforcement? Where is Facebook’s supervision of its platform? Clearly, law enforcement and Facebook have greater resources and manpower at their disposal. And yet it took all of 2 hours for Mr. Krebs to locate groups flouting Facebook’s terms of service! And as the article states, a portion of these groups had been plying their trade in open sight for years!

    1. Catwhisperer

      Joesph, haven’t you ever read Karl Marx’s dictum on Bold Capital? Here is the gist of it, which is SO apropos today with multi-national mega-corporations, like FB:

      “Capital eschews no profit, or very small profit, just as Nature was formerly said to abhor a vacuum. With adequate profit, capital is very bold. A certain 10 percent will ensure its employment anywhere; 20 percent certain will produce eagerness; 50 percent, positive audacity; 100 percent will make it ready to trample on all human laws; 300 percent, and there is not a crime at which it will scruple, nor a risk it will not run, even to the chance of its owner being hanged.”

      It’s uncanny that he hit the nail squarely on the head, well over 100 years ago, in an almost prophetic sense…

      1. Jean W

        Marx was quoting the english trade unionist, Thomas Dunning there on the inability of Capital to resist a profit.
        Rather than uncanny, I’d say that Dunning’s words are
        common sense.
        The problem today is that Capital operates with impunity; it doesn’t take risks for that 300 percent because it’s got hold of the levers of law so that Zuckerberg can sit there saying zero and get clear away with it.

  19. KoSReader6000000

    I see there is a bit of “spring cleaning” at the internet’s Roach Motel. Good going Brian K.

    1. vb

      No roaches were harmed. All they did was remove the roach playground. Nobody is following the roaches back to the nest.

      As nice as it feels to strike a blow for the “good guys”. This action doesn’t remove any criminal from society.

      1. KFritz

        It’s a setback for this particular agglomeration of crooks. They have some work to do. Let’s see how the work their way back on to Facebook.

  20. Mitch

    What Facebook should do, is not delete the users accounts but track the groups those people join going forward, so that they can detect when new groups are created to foster illegal activities. Then continue to delete the new groups shortly after they are created. I imagine mapping the membership across those groups would show a lot of connections to other illegal activities.

    When the Dark Net isn’t dark enough anymore, they will hide among us on the big social platforms… the big Blue Net.

  21. Jim

    But, now they have left. But, have they. They went to another platform. Where? Darkweb? Where only they and their friends know? That’s the trouble with censoring them. Now, they are someplace that the average prosecuter will not look. And will they trust the new platform?
    Now, will liberals say that free speech is violated, in free speech, it doesn’t matter the content, or color, or gender, religion, except now. Define good/bad speech. And whose idea will be censored next?

    1. Grey

      I highly doubt anyone will complain about criminals being kicked off Facebook. I can’t recall the last time anyone cried about violating free speech by kicking scammers/carders/hackers off of any site. But nice try at making this political when it wasn’t. Seriously, can’t anyone discuss anything without someone taking pot-shots at liberals or conservatives anymore? I’m so tired of this. We have enough real issues in this world without creating an invisible war among ourselves with this left vs right mentality, especially when politics have nothing to do with the original issue.

    2. BrianKrebs Post author

      If someone is selling stolen identities/credit cards on the street corner and he gets arrested, that’s not a violation of his free speech, nor is it censorship. Nor is it censorship when someone does this online in a community that has expressly forbade such activity.

    3. Ian

      I hope you realize that freedom of speech is a completely moot point on Facebook or any social network. I feel as though people often jump to the “free speech” argument when anyone enforces censorship (TOS) or any other form of control. Free speech does NOT guarantee avoidance of consequences. I won’t make this a drawn out comment but:
      The First Amendment doesn’t protect a user’s speech on a private company’s site. On the contrary, the First Amendment protects Facebook’s right to say what can appear on its platform. … Facebook can disclose as much or as little as it wants about its decision-making process.

      1. John Clark

        There is nothing in freedom of speech that requires a private company (not government) from providing a platform for others to share criminal information, or post disparaging things about a country or government.
        Facebook is perfectly in their legal rights to remove any content that they want as long as its not connected to a ‘protected class of people’ (think race, gender, sexual orientation, religion).

  22. FARO

    This piece I can understand. You could clean up Facebook but I do not think they will pay you the median employee salary of 240,000. The cleanup would lower their subscriber numbers and I do not think that is what they really want to do.

  23. Grey

    That feel when Facebook removes innocent posts that are fraudulently reported but hundreds of thousands of criminals use it to spread their schemes right in the open and nothing happens until someone reports them en masse.

  24. Gabriel G

    Hi Brian,
    Back in early 2016 while working for RSA Security I published a whitepaper based on cybercrime on social media, focusing largely on the issue of Facebook groups, and presented it in conferences and events around the globe.
    Though I’m at a different company now, you can still Google the report called “Hiding in Plain Sight” Parts 1 & 2. Talking about activity on Facebook groups, VK, Odnoklassniki, QQ, Baidu Tieba and Whatsapp.
    I hope you enjoy it

  25. Vicki

    Does Facebook turn content of this nature over to the proper authorities?

  26. JimV

    Well done, Brian!

    It’s yet another exemplary reinforcement to my already-intense distaste for Facebook in all of its penetrating tentacles’ aspects.

Comments are closed.