April 16, 2018

Hours after being alerted by KrebsOnSecurity, Facebook last week deleted almost 120 private discussion groups totaling more than 300,000 members who flagrantly promoted a host of illicit activities on the social media network’s platform. The scam groups facilitated a broad spectrum of shady activities, including spamming, wire fraud, account takeovers, phony tax refunds, 419 scams, denial-of-service attack-for-hire services and botnet creation tools. The average age of these groups on Facebook’s platform was two years.

On Thursday, April 12, KrebsOnSecurity spent roughly two hours combing Facebook for groups whose sole purpose appeared to be flouting the company’s terms of service agreement about what types of content it will or will not tolerate on its platform.

One of nearly 120 different closed cybercrime groups operating on Facebook that were deleted late last week. In total, there were more than 300,000 members of these groups. The average age of these groups was two years, but some had existed for up to nine years on Facebook

My research centered on groups whose singular focus was promoting all manner of cyber fraud, but most especially those engaged in identity theft, spamming, account takeovers and credit card fraud. Virtually all of these groups advertised their intent by stating well-known terms of fraud in their group names, such as “botnet helpdesk,” “spamming,” “carding” (referring to credit card fraud), “DDoS” (distributed denial-of-service attacks), “tax refund fraud,” and account takeovers.

Each of these closed groups solicited new members to engage in a variety of shady activities. Some had existed on Facebook for up to nine years; approximately ten percent of them had plied their trade on the social network for more than four years.

Here is a spreadsheet (PDF) listing all of the offending groups reported, including: Their stated group names; the length of time they were present on Facebook; the number of members; whether the group was promoting a third-party site on the dark or clear Web; and a link to the offending group. A copy of the same spreadsheet in .csv format is available here.

The biggest collection of groups banned last week were those promoting the sale and use of stolen credit and debit card accounts. The next largest collection of groups included those facilitating account takeovers — methods for mass-hacking emails and passwords for countless online accounts such Amazon, Google, Netflix, PayPal, as well as a host of online banking services.

This rather active Facebook group, which specialized in identity theft and selling stolen bank account logins, was active for roughly three years and had approximately 2,500 members.

In a statement to KrebsOnSecurity, Facebook pledged to be more proactive about policing its network for these types of groups.

“We thank Mr. Krebs for bringing these groups to our attention, we removed them as soon as we investigated,” said Pete Voss, Facebook’s communications director. “We investigated these groups as soon as we were aware of the report, and once we confirmed that they violated our Community Standards, we disabled them and removed the group admins. We encourage our community to report anything they see that they don’t think should be in Facebook, so we can take swift action.”

KrebsOnSecurity’s research was far from exhaustive: For the most part, I only looked at groups that promoted fraudulent activities in the English language. Also, I ignored groups that had fewer than 25 members. As such, there may well be hundreds or thousands of other groups who openly promote fraud as their purpose of membership but which achieve greater stealth by masking their intent with variations on or mispellings of different cyber fraud slang terms.

Facebook said its community standards policy does not allow the promotion or sale of illegal goods or services including credit card numbers or CVV numbers (stolen card details marketed for use in online fraud), and that once a violation is reported, its teams review a report and remove the offending post or group if it violates those policies.

The company added that Facebook users can report suspected violations by loading a group’s page, clicking “…” in the top right and selecting “Report Group”. Users who wish to learn more about reporting abusive groups can visit facebook.com/report.

“As technology improves, we will continue to look carefully at other ways to use automation,” Facebook’s statement concludes, responding to questions from KrebsOnSecurity about what steps it might take to more proactively scour its networks for abusive groups. “Of course, a lot of the work we do is very contextual, such as determining whether a particular comment is hateful or bullying. That’s why we have real people looking at those reports and making the decisions.”

Facebook’s stated newfound interest in cleaning up its platform comes as the social networking giant finds itself reeling from a scandal in which Cambridge Analytica, a political data firm, was found to have acquired access to private data on more than 50 million Facebook profiles — most of them scraped without user permission.


84 thoughts on “Deleted Facebook Cybercrime Groups Had 300,000 Members

  1. M.E.

    In the course of researching a massive fraud wave at my employer over the fall and winter, I found a ton of scammers in Facebook groups like these openly advertising expertise in getting fraudulent accounts open at my institution specifically. Without thinking, I conducted this research using my own personal account, and ever since, all of my suggested groups have been Nigerian and Ghanian 419 scam groups and other bank fraud related groups. Quite a few of them were even fully open to the public!

  2. Mike Gale

    I guess these guys will now find another rock to go under.

    For this sort of thing, I imagine a clued-in judge should give permission, then the groups should be watched and the participants progressively neutralised.

    With this approach I imagine many will escape, to scam again.

  3. Cam

    My intention’s not discredit the article, but are the sites even legit? I would imagine that things like this would be people just acting like scammers. Anyway, this is coming from a security background

    1. ZN

      These pages are legit – they run a business, they want visibility and they want traffic. Facebook is easy to find and easy to use. They don’t care that their activities are tracked by FB and various governments, because their own governments are complicit or turn a blind eye. Russia’s largest carding website (Can’t recall the name) doesn’t even bother to host a .onion website half the time, since they don’t care. They want people to find them easily so they can sell stuff.

      1. Vedere

        it’s feshop if I’m not wrong. I don’t recall them hosting under an onion domain or have a mirror onion domain.

  4. Johnson

    Actual number of individual members in those groups was not even close to that number. Typical FB behaviour is that when you a member of one type of group you are a member in many of those groups. Also FB groups which are not location limited tend to have a lot of fake profiles just spamming something.

  5. sdf

    a news article about facebook suspensions, wow much interesting haha

  6. me

    I find it amazing that fb actually nuked groups. Every time I’ve found an illegal one and reported it, they told me it didn’t violate their tos.

    1. Albert

      Dear me – Do you have screenshots of that? You might want to share their refusal to take down cybercrime groups. But Brian Krebs has respect and a wide audience – so facebook acted to minimize the damage to their reputation. They were getting flak for allegedly taking down “conservative” pages – imagine the furor if they refused to take down cyber-criminal pages.

      1. me

        This goes back at least 5 years. I finally decided that when I found a group formed doing something illegal, I end up reporting them to the FBI, IC3, or NCMEC, depending on which it falls under. I figure that since FB won’t do anything, maybe LE will.

  7. oldschool

    who do still carding in these days? cvv dumps,and bank transfers drops is old old old.
    old carders have moved to new fields new moves new ways.
    carding was good maybe 20 years ago but now not anymore!
    even in carding forums good admins admitted that carding is over.

    1. Drew

      Is this meant to be a poem? Rhyme of the Ancient Hacker?

  8. Drew

    FB mentions automation as a solution like it’s some newfangled thing they must look into. They surely have the tools to flag cybercrime patterns like these, they just haven’t dedicated resources to it. Lack of priorities and/or ethics, until called on the carpet. For groups to last 2-4 years without prior complaints/reports is suspect. They just couldn’t ignore one from Krebs in this case. Well done!

    1. KathyB

      I have reported groups through the years and those reports went absolutely nowhere. FB’s reporting tool is a bad joke at best. The company & its platform is a total disgrace.

    2. Josh

      I reported one of these carder groups after reading this article. I just got a note back from Facebook saying that the group doesn’t violate their Community Standards. However, if there is something that offends me I can block them, yada, yada…

      Apparently, even after this article was written, Facebook still is clueless on how to handle these groups.

      1. Josh

        And they just sent me the same note about a second group I reported…

  9. Stefano Bianco

    This just makes you question what exactly Facebook monitors do with their time, if some of these groups had existed for over nine years – clearly they would still be up if it weren’t for krebsonsecurity.

    It also begs the question of how seriously Facebook takes it’s own terms of service considering these groups blatantly violated the terms and yet still got away with it.

    1. plb4333

      FB goes after conservatives, that’s what they do in monitoring.

  10. Barbara Peterson

    I want to delete my Facebook account.and don’t know how

    1. plb4333

      Why not google it? Its actually an easy process, its just getting started is the hardest. I’ve done it a couple of times over the years, and I admit, FB doesn’t make it apparent for seeing it.

      1. v1adimir

        Deletion of the account has to be “requested”, otherwise it only gets deactivated (or, something). Even when it is “deleted”, quite possibly only the login is disabled and the data will stay on there (forever?); just, won’t be accessible to the public /users.

  11. v1adimir

    And, instead of fixing all of the broken systems which they expose (more of which there will be tomorrow), they get… What, arrested? For what, exactly? You put a gold bar into the middle of the street and nobody is supposed to pick it up? Yeah, ok.

Comments are closed.