April 8, 2019

Almost exactly one year ago, KrebsOnSecurity reported that a mere two hours of searching revealed more than 100 Facebook groups with some 300,000 members openly advertising services to support all types of cybercrime, including spam, credit card fraud and identity theft. Facebook responded by deleting those groups. Last week, a similar analysis led to the takedown of 74 cybercrime groups operating openly on Facebook with more than 385,000 members.

Researchers at Cisco Talos discovered the groups using the same sophisticated methods I employed last year — running a search on Facebook.com for terms unambiguously tied to fraud, such as “spam” and “phishing.” Talos said most of the groups were less than a year old, and that Facebook deleted the groups after being notified by Cisco.

Talos also re-confirmed my findings that Facebook still generally ignores individual abuse reports about groups that supposedly violate its ‘community standards,’ which specifically forbid the types of activity espoused by the groups that Talos flagged.

“Talos initially attempted to take down these groups individually through Facebook’s abuse reporting functionality,” the researchers found. “While some groups were removed immediately, other groups only had specific posts removed.”

But Facebook deleted all offending groups after researchers told Facebook’s security team they were going to publish their findings. This is precisely what I experienced a year ago.

Not long after Facebook deleted most of the 120 cybercrime groups I reported to it back in April 2018, many of the groups began reemerging elsewhere on the social network under similar names with the same members.

Instead of reporting those emergent groups directly to people at Facebook’s public relations arm — something most mere mortals aren’t able to do — KrebsOnSecurity decided to report the re-offenders via Facebook’s regular abuse reporting procedures.

What did we find? KrebsOnSecurity received a series of replies saying that Facebook had reviewed my reports but that none of the groups were found to have violated its standards. KrebsOnSecurity later found that reporting the abusive Facebook groups to a quarter-million followers on Twitter was the fastest way to get them disabled.

How else have Facebook’s public statements about its supposed commitment to security and privacy been undermined by pesky facts over the past few weeks?

  • KrebsOnSecurity broke the news that Facebook developers wrote apps which stored somewhere between 200 million and 600 million Facebook user passwords in plain text. These plaintext passwords were indexed by Facebook’s data centers and searchable for years by more than 20,000 Facebook employees.
  • It emerged that Facebook’s new account signup page urges users to supply the password to their email account so Facebook can harvest contact details and who knows what else. Yes, that’s right: Facebook has been asking new users to share their email password, despite decades of consumer advice warning that is exactly what phishers do.
  • Cybersecurity firm UpGuard discovered two troves of unprotected Facebook user data sitting on Amazon’s servers, exposing hundreds of millions of records about users, including their names, passwords, comments, interests, and likes.
  • Facebook is making users searchable by marketers and others via phone number, even when that phone number was provided solely for the purposes of multi-factor authentication.

Once again, that old adage applies: If you can’t quite figure out how you’re the customer in a given online relationship, that’s probably because you’re best described as the product being sold to others.

I long ago stopped providing personal information via any Facebook account. But for my part, there remain probably three big reasons why I’m still on Facebook.

For better or worse, a great many sources choose to share important information this way. Also, sometimes Facebook is the fastest way to find a potential source and get their attention.

Secondly, many people unfortunately still get much of their news from Facebook and prefer to be notified about new stories this way.

Finally, I periodically need to verify some new boneheaded privacy disclosure or security screw-up manufactured by Facebook.

I would probably never delete my Facebook account, for the same reason I wouldn’t voluntarily delete my accounts from various cybercrime forums: For my part, the potential benefits of being there outweigh the potential risks. Then again, I am likely far from your typical Facebook (ab)user.

But what about you, Dear Reader? How does your Facebook cost/benefit analysis break down? Have any of the recent or not-so-recent Facebook scandals prompted you to delete your account, or to heavily restrict what types of information you store on the social network or make available to others? Sound off in the comments below.


63 thoughts on “A Year Later, Cybercrime Groups Still Rampant on Facebook”

  1. Vladimir

    Never joined Facebook or any other social media sites. To me, they’re just information gathering tools. That’s why they’re “free”. We also block all social media for our customers. My wife is angry with me because she can’t get to Facebook from home. 🙁

    1. AVladimir

      Vladimir, unless the email required to post here was a burner, it’s in an internet database and probably being sold, not very different from other social media.

  2. Nick

    Lol, “sophisticated”.

    One of the largest developers of AI cannot autoban accounts using keyword matching?

    I don’t think so. This is simply another example of Facebook’s gross negligence.

    From the mouth of Zuckerberg himself on the topic of the Internet needing a new set of rules:

    “Internet companies should be accountable for enforcing standards on harmful content.”

    I guess his rules are more like “guidelines” to be enforced selectively.

    The Internet is being reshaped before our very eyes and it is deeply concerning to me.

    1. Bob Brown

      I think there was a fair amount of sarcasm in “sophisticated.”

  3. Tim2daG

    Since you asked…
    I stopped using Facebook on a regular basis back in 2012 because of the privacy issues. I never liked seeing the wall of posts from my “friends,” wishing it could be turned off or at least filtered. Never did like the games. When the Cambridge Research controversy became public was when I threw in the towel on Facebook and deleted my account. Don’t even miss it.

    What was funny to me was that when I first joined Facebook I joined a group from my high school graduation class, and whenever Facebook wanted to use my “friends’” pictures as 2-factor verification they picked these people from the group, people I haven’t seen for years, never looked at their pictures or their posts, and expected me to match their pictures (think of newborn grandkids as the images shown) to their names as verification. I failed miserably each time they asked for 2-factor verification. What a joke Facebook is.

  4. Ryan

    I deleted the FB and IG apps this fall but have left the accounts open. I haven’t missed them, and in fact feel 17% happier and have 14% more free time.

  5. Steven Thornton

    They need to delete the users who created these groups, and ideally every user who joined them as well. But of course they won’t, because they are hemorrhaging users as it is.

    I’ve tried to quit FB but it’s just impossible, because so many of my friends are on it, and that’s the only way to communicate with them. An old, old friend of mine died recently, and even though he didn’t have FB, everyone he knew did, and I wouldn’t even have heard about it otherwise, and neither would 20-30 other people. It’s a trap.

    The worst thing is how the collective memory of the internet has disappeared into the FB hole. All those people who knew things and wrote about them on web pages that were searchable. FB is almost impossible to search adequately.

  6. User

    Deleted my Facebook after the Cambridge Analytica scandal. No Brainer.

    I’ve been trying to find a reason to cut Google out of my life after discovering the trove of data they had been collecting on me since about 2014 (of course this was buried deep within a maze of account settings).

    With disturbing accuracy, Google was collecting my every move (commute, travel habits, etc.) down to if I was walking, driving, or using public transportation. Additionally, collecting my voice asking Google Assistant questions (never doing that again).

    If you haven’t, watch Jaron Lanier’s TED talk. Everyone with a device should.

  7. Blue Critter

    I deleted my FB account in November 2016 after the election fiasco. It was apparent that there was more misinformation than real information, so my continued participation would be a net loss. A few months later, I received an email allegedly from FB that someone tried to access my account, would I like a password reset to reactivate my account? My reply was that any attempt to access my account was fraudulent and should be treated as such.

  8. Irritable Lawyer

    Very timely article for me. 2 days ago I finally went ahead and deleted (I hope) my Facebook account after being inactive 2-3 months. I have not missed it.

    At the end of the process, there is a mandatory response requirement as to why you are leaving. I thought “Fuck you Zuckerberg” was rather rude, but that they deserve the epithet. This is not a harmless organization.

  9. Techno

    I kept my FB account as several local groups and businesses post updates on it, but I haven’t filled in my profile and don’t use it to communicate with people. I deleted the app from my phone when the notifications became intrusive and it would just time out when I tried to turn them off. Since then, I have noticed that my phone battery lasts 30 per cent longer. (Uninstalling Twitter also improved battery life.)

  10. greybush

    Suckerburger is a hacker disguised as a corporate elite. Make no mistake that Facedump is social engineering at its finest. That which is made to appear as a social platform or form of entertainment is a tool for hackers to extract as much data off the general public or corporations to harvest as much data from the public to sell to the highest bidder. I’m not anti-capitalist and fuck you if you think I’m anti-America, I love America, but I am NOT for the wholesale of everyone’s data of anyone who accesses my site whether it be my 15 year old cousin or 89 year old grandma. Suckerberg, you better recognize there are hackers who fight for the general good of the people and not just for profit.

  11. Jim

    Zuckerbutt is a liberal America hater that deletes conservative comments/accounts while pushing the liberal agenda to all. I have no use for any social media. Their eyes and ears are into all members’ privacy.

  12. Clay_T

    Back when BookFace first hatched, I succumbed to peer pressure and created a burner FB account.

    Too many folks nagging me to “Check out my page!”

    Put as little info in it that I could get away with, and faked what had to be provided.

    What’s it been, a couple years ago that BF insisted accounts be authenticated with a phone number?

    I wasn’t about to authenticate the FB burner, so I couldn’t go in and delete it proper.

    An old high school girlfriend still managed to track me down using FB anyway, via familial DNA (thanks sis :/).

  13. timeless

    I like Twitter for complaining to companies (as you’ve discovered).

    Facebook seems to work reasonably well as a news aggregator. I used to use various RSS(/Atom) readers, but over time they kept getting killed. Also I have a certain amount of faith that Facebook is likely to keep my photos longer than other services (Hello Google+ / Picasa [1]).

    Facebook also works fairly well for coordinating physical meetings in advance w/ non-technical people from various social circles (I’d hate to have to use Email for this).

    Am I the product when I use Google/Facebook/Twitter? Absolutely. Am I the product when I browse the web and those services track me whether or not I’m logged into their service? Absolutely. Would I rather have some benefit from them? Sadly, yes.

    [1] https://support.google.com/plus/answer/9195133?hl=en&authuser=0

  14. John Smith

    I planted my flag on Facebook but don’t use it. I log in once per week just to clear the bogus “friend” suggestions.

  15. Siegfried

    I never had a Facebook account, and probably never will have. It started with Twitter. I thought the idea was interesting, but before signup, I studied their rules. And after some days of thinking, I decided not to sign up. Later with Facebook it was similar, only a shorter time to decide not to sign up. About a year ago I decided not to sign up to any so-called social media. I can get news from blogs, and for personal relations I have e-mail. And I’m fine with that.
    In the early times AOL offered this type of “walled garden”. I never liked that, and never used it. Now Facebook and Co. have reinvented this. I still do not like it.
    For browsing I have used several filters and blockers for many years. And it really helps keep advertising trash low. Every 2 or 3 years I use Google to search for my name and check what information about me is online. It is not that much, and I can live with that. It is not possible to leave absolutely no traces, but it is possible to keep these traces low.

  16. Occam

    No … not on FB. My opinion is that the self-righteous Zuck and his ilk are just as much a malevolent force as the scumbags his platform empowers.

  17. Ken Bonny

    I have a facebook account. Created one to post my blog posts to so they would be more easily found. After about a month, facebook just deleted my account without warning or reason. After I complained on twitter and via email, it got reinstated after another month or so. Again without warning or notice. I stopped using facebook then. I have an account so nobody can squat on my username and I use it to check their pretty good domain monitoring service.

    I created an instagram account and when I wanted to log in, I had violated their T&C, without ever posting a single picture. I complain to them from time to time; if they respond, they just point me to their gazillion page long T&C and tell me to figure it out myself. If I want my account, I have to send them some pictures of me holding a written plaque with my username and some other stuff. Never bothered to send them that because F* them.

  18. Readership1

    I tried Facebook 15 years ago.

    It sucked. It was clumsy.

    Just like all the social networks before and after, it never served a purpose.

    I deleted Facebook 15 years ago.

    This is not a haiku.

  19. MrB

    There are a fair few comments about how people have ‘deleted’ their Facebook accounts – but the reality is, that even without an account Facebook (and Google, and no doubt others) are still able to track and profile you, through their tracking capabilities including cookies and tracking pixels. So even without an account, your data is still being collected, and there is no real way to opt out.

    1. Rumpleforeskin

      If you’re truly concerned about all of that, then use Tails (or another privacy-based Linux distro like Whonix or even Qubes); a VPN or Tor; don’t use Google, but rather use DuckDuckGo or another similar search engine. Is it perfect? No, but it’s absolutely better than using Windows and Google.

  20. Dilligaf

    OK. Consider this, those of you that don’t have or have removed an account with FB: at some point someone WILL create an account with those details and assume ‘an’ identity on the internet, and I am confident that at some point the systems that require you to provide the 100 points of supporting information (credit cards etc.) WILL accept a FB account as proof of who you are, and then the ‘sun’ will start.
    Think not? Well, how many sites now allow you to sign up using either your Google or FB accounts?

    Social media is not and probably will never be ‘policed’ as the scope of operation and diversity makes it near on impossible to do, sobering isn’t it?

  21. PDCLarry

    I have never had a Facebook account. Thank you for confirming my decision.

  22. Scott

    I created my fb account quite some time ago but barely used it. When I met my (now) wife in 2011 I became a heavier user, because she and her friends were all on it regularly. But I got tired of the time suck, and then when the Snowden thing went down I decided to take online privacy seriously. I haven’t posted to the account since, and I’ve deleted the content I have on there. I haven’t deleted the account, partially because doing so is pointless… as MrB says above, they’re tracking me anyway. So I might as well at least keep my flag planted.

  23. FI IT

    This is an unintended consequence of all the heat and focus on policing “hate speech”. While the attention of the MSM and public is aimed at policing speech, actual crime is going unchecked, and largely unnoticed outside the tech and financial worlds.

  24. Mahhn

    I do have a FB account. It is my social interaction with friends (that I know in person) around the world.
    These simple guidelines help me keep it safe (yeah, I never wrote them out before):
    1. The criminals are monitoring you; never mention you are going any place. It’s okay to mention you are back and had a great time.
    2. The law is monitoring you; never mention anything that “could” be a crime in your country.
    3. Never give out your present location (see 1.)
    4. Never friend someone you don’t know in person and are absolutely sure it’s their account. (Unless you have a business/group page – not personal.)
    5. It is a data harvest. We are the product. So ONLY put in information you want to have in your Life Log (CIA) profile. If you ever get blamed for some crazy crap you wouldn’t do – or would do – your profile will likely confirm your attitude on the subject.
    6. Don’t be too serious all the time, it’s no fun.
    7. Fact check before you repost that meme; it’s likely 1/2 truths at best, created to anger and divide people – it works.
    8.-10. Make up your own rules, remembering the above as a baseline.

    1. ThursdaysGeek

      I’d never written out my rules either, but they pretty much match yours!

    1. JimV

      Yeah, right — like ANYthing pulled from the ‘Reason Foundation’ website has a lick of non-neofascist sensibility to stand upon.

  25. Mahhn

    Yeah, I report profiles and posts all the time that are clear violations of TOS, mostly hate groups.
    A couple days later an auto reply comes in: Facebook has reviewed bla bla bla and we don’t care, you little cow, get back to looking at ads.

  26. K.H.

    I only use the Book of Faces to talk to my fiancee out of the country. I don’t use my real name or any of my real information, I use a picture of a cartoon for my profile picture and don’t let anyone but “friends” see any info. Friends are limited to my fiancee and her family. Seems to work well. Harvest that Zuckerberg…

    1. vb

      Covering your eyes is not a solution.

      The first time someone tags you in a photo with your real name, FB will know who you really are. Then, everything your “fake” account has done will be attributed to the real you.

  27. James

    Like others that have posted here, I’ve never had a FB account. However, FB knows a great deal about me and perhaps about some of the other folks here that have never had an account.

    I’ve got several family and friends that use FB, some have left, or at least minimized their usage, while others continue to struggle with the addiction to social media for a variety of reasons and justifications.

    Because of that usage by friends and family, I am by proxy (or reverse proxy) known to FB. But what rights do I have in that case?

    So I continue to educate my friends and family on the importance of privacy and information protection. And not to look at how they use the platform for themselves, but how FB and a host of third-parties use the platform. So hopefully they understand, that when they post a pic to FB or Instagram, they may be sharing a lot more information than realized and may be infringing on someone’s privacy… if such a thing exists anymore.

    http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PG01&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.html&r=1&f=G&l=50&s1=%2220180332140%22.PGNR.&OS=DN/20180332140&RS=DN/20180332140

  28. Pete

    I closed my FB account after the 2016 election, spent way too much time on it, decided it was inherently corrupt. Don’t miss it, good riddance! Wish I could convince more people to do the same.

Comments are closed.