Facebook’s failure to moderate bad behavior on the sprawling online world it created, what with political trolls, extremist content, and livestreamed acts of horrific violence, has received a torrent of criticism. But researchers have found that the social media giant is also failing to police a far more basic and decades-old internet problem among its users: plain old cybercrime.
Researchers at Cisco’s Talos security division on Friday revealed that they’d uncovered 74 Facebook groups devoted to the sale of stolen credit card data, identity info, spam lists, hacking tools, and other cybercrime commodities. The researchers say those groups sat in plain sight, with names like Spam Professional and Spammer and Hacker Professional, attracting 385,000 members in all. Anyone could find them with a site search for basic terms like “carding” or “CVVs,” a reference to the security codes on the back of credit cards.
“Effectively, what we found was a huge number of Facebook groups openly trading crime stuff online,” says Craig Williams, Cisco Talos’ director of outreach. “The user base in these groups is basically the size of Tampa.”
“It’s ridiculous … This company operates on a set of rules that are backward and are only in its own commercial interest.”
Dipayan Ghosh, Shorenstein Center Platform Accountability Project
Screenshots that Cisco published in a blog post summarizing its findings capture Facebook users publishing pictures of purportedly stolen credit cards and IDs, offering lists of CVVs priced at $5 each, as well as collections of thousands of emails ripe for spamming and phishing—the type of data usually sold on dark-web markets or password-protected, invite-only hacker forums. Williams says many of the users he saw in those groups even appeared to be conducting business in Facebook’s cybercrime bazaars under their real accounts.
And finding the groups, Williams says, wasn’t particularly difficult: Once Cisco’s researchers identified a handful of them, Facebook’s recommendation algorithm offered them other groups with similar black market focuses.
This isn’t the first time Facebook has faced this exact problem. Last year, cybersecurity reporter Brian Krebs identified a similar-sized crop of Facebook cybercrime groups, totaling 300,000 members, and reported them to Facebook. Facebook banned those groups at the time, but it took less than a year for an even larger population of fraudsters and hackers to make homes on the site.
And while Facebook has removed the groups Cisco identified—after the researchers alerted the company to its findings—its cleanup remains incomplete. In a few minutes of searching, WIRED found users and groups with names like Carder Philippines and Anonymous Carding India openly hawking credit card information, along with what appeared to be stolen goods like cameras and iPhones bought with hijacked ecommerce accounts.
“If you see 10 cockroaches and you kill them, is that the end of your problem?” Williams asks. “It will be very difficult to find them all, once these bad actors establish that they like your platform.”
A Facebook spokesperson wrote in a statement to WIRED that “these Groups violated our policies against spam and financial fraud and we removed them. We know we need to be more vigilant and we’re investing heavily to fight this type of activity.” Facebook adds that most of the groups were fairly new, created just in 2018. And it notes that it has both banned the accounts of users associated with these groups and taken measures to prevent the owners of those accounts from creating new groups on the site.
But for Facebook’s critics, the cybercrime markets infesting the site are only the latest example of the company’s negligence when it comes to moderating and policing its billions of users. Dipayan Ghosh, a former Facebook staffer who now works at the Harvard Shorenstein Center’s Platform Accountability Project, sees it as another sign that Facebook can’t be left to regulate itself.
“It’s ridiculous, and it just goes to show that this company operates on a set of rules that are backward and are only in its own commercial interest,” Ghosh says. “Until and unless we change the rules of the game through evenhanded regulation, this isn’t going to stop.”
More specifically, Ghosh says that it’s time to make changes to Section 230 of the Communications Decency Act, which protects social media sites like Facebook from liability for the content their users share. “I do think the time has come to rethink 230, to make changes to it that better protect us with respect to our safety and our security, including the protection of our identities,” he says.
Facebook does have the ability to proactively weed out behavior it finds unsuitable on its platform; it recently, for instance, instituted a ban against white nationalist content. It has also made clear its intention to eventually shift its platform to prioritize private, encrypted interactions, which would potentially allow cybercrime groups to operate under its auspices without fear of detection.
But Cisco Talos researcher Craig Williams argues that for now, the only fix is for Facebook to tighten its moderation, and for users and outside auditors to hold it accountable. “This requires a collective effort—from Facebook, from users, and potentially from security companies like us—to keep these actors off social media sites,” he says. “It’s going to require constant vigilance.”