April 8, 2019

Almost exactly one year ago, KrebsOnSecurity reported that a mere two hours of searching revealed more than 100 Facebook groups with some 300,000 members openly advertising services to support all types of cybercrime, including spam, credit card fraud and identity theft. Facebook responded by deleting those groups. Last week, a similar analysis led to the takedown of 74 cybercrime groups operating openly on Facebook with more than 385,000 members.

Researchers at Cisco Talos discovered the groups using the same sophisticated methods I employed last year — running a search on Facebook.com for terms unambiguously tied to fraud, such as “spam” and “phishing.” Talos said most of the groups were less than a year old, and that Facebook deleted the groups after being notified by Cisco.

Talos also re-confirmed my findings that Facebook still generally ignores individual abuse reports about groups that supposedly violate its ‘community standards,’ which specifically forbid the types of activity espoused by the groups that Talos flagged.

“Talos initially attempted to take down these groups individually through Facebook’s abuse reporting functionality,” the researchers found. “While some groups were removed immediately, other groups only had specific posts removed.”

But Facebook deleted all offending groups after researchers told Facebook’s security team they were going to publish their findings. This is precisely what I experienced a year ago.

Not long after Facebook deleted most of the 120 cybercrime groups I reported to it back in April 2018, many of the groups began reemerging elsewhere on the social network under similar names with the same members.

Instead of reporting those emergent groups directly to people at Facebook’s public relations arm — something most mere mortals aren’t able to do — KrebsOnSecurity decided to report the re-offenders via Facebook’s regular abuse reporting procedures.

What did we find? KrebsOnSecurity received a series of replies saying that Facebook had reviewed my reports but that none of the groups were found to have violated its standards. KrebsOnSecurity later found that reporting the abusive Facebook groups to a quarter-million followers on Twitter was the fastest way to get them disabled.

How else have Facebook’s public statements about its supposed commitment to security and privacy been undermined by pesky facts over the past few weeks?

  • KrebsOnSecurity broke the news that Facebook developers wrote apps which stored somewhere between 200 million and 600 million Facebook user passwords in plain text. These plaintext passwords were indexed by Facebook’s data centers and searchable for years by more than 20,000 Facebook employees.
  • It emerged that Facebook’s new account signup page urges users to supply the password to their email account so Facebook can harvest contact details and who knows what else. Yes, that’s right: Facebook has been asking new users to share their email password, despite decades of consumer advice warning that is exactly what phishers do.
  • Cybersecurity firm UpGuard discovered two troves of unprotected Facebook user data sitting on Amazon’s servers, exposing hundreds of millions of records about users, including their names, passwords, comments, interests, and likes.

  • Facebook is making users searchable by marketers and others via phone number, even when that phone number was provided solely for the purpose of multi-factor authentication.

Once again, that old adage applies: If you can’t quite figure out how you’re the customer in a given online relationship, that’s probably because you’re best described as the product being sold to others.

I long ago stopped providing personal information via any Facebook account. But for my part, there remain probably three big reasons why I’m still on Facebook.

For better or worse, a great many sources choose to share important information this way. Also, sometimes Facebook is the fastest way to find a potential source and get their attention.

Secondly, many people unfortunately still get much of their news from Facebook and prefer to be notified about new stories this way.

Finally, I periodically need to verify some new boneheaded privacy disclosure or security screw-up manufactured by Facebook.

I would probably never delete my Facebook account, for the same reason I wouldn’t voluntarily delete my accounts from various cybercrime forums: For my part, the potential benefits of being there outweigh the potential risks. Then again, I am likely far from your typical Facebook (ab)user.

But what about you, Dear Reader? How does your Facebook cost/benefit analysis break down? Have any of the recent or not-so-recent Facebook scandals prompted you to delete your account, or to heavily restrict what types of information you store on the social network or make available to others? Sound off in the comments below.


63 thoughts on “A Year Later, Cybercrime Groups Still Rampant on Facebook”

  1. Matt

    I nuked FB in 2014 but went back for a bit due to a car group that did all their coordinating via that site. In 2016 I nuked it again, along with all my other social media presences, apps (down to things like Yelp), etc. I’ve also been systematically nuking or modifying to make it useless information about me online on all the various people search engine data aggregators. Sites like this and a few forums that disallow account deletion entirely are what I have left. Honestly, I don’t miss it. There will always be another scandal. I’m happy to reduce my footprint and exposure thereto as much as possible.

  2. Rob

    Once on the internet always on the internet, I just stopped adding to them and let them drift into being outdated. The use of my phone number for 2FA being given to marketing teams though is spicy.

  3. acorn

    I have two FB accounts that I may use less than once a year, years pass, etc. FB is a site like some others that “I don’t much like” and rarely log into.

  4. CC

    I am too busy leading a mundane life to bother sharing it on FB.

    1. Anon404

      Facebook is tracking you even if you don’t have an account. Ever notice that Facebook like button on many popular websites? It’s a tracking tool. Even if you don’t click it, it still sends data back to Facebook.

  5. Al G

    Note about a hacker who blackmailed porn users in the U.K. Worth an article about, since porn sites are apparently loaded with nefarious links.

  6. Luke

    Given that Facebook can’t be uninstalled from an Android phone, it doesn’t surprise me that they are letting anything through their “walls”.

    How much you want to bet the other factions of the company (Instagram & WhatsApp) are just as bad?

  7. Chrome Magnum

    Signed up for FB during Calif wildfires in 2017 to view a local’s video posts, using a fresh gmail and VoIP phone number. After a couple of days, nuked the VoIP number and never returned. I would never use FB as a real person. I don’t use FB, don’t miss it, and feel sorry for people who just phone life in.

  8. Richard Steven Hack

    I use Facebook for one reason only: as a Web site login method. Since so many sites allow you to login with your Facebook account, it’s more convenient than establishing individual logins. Of course, this is only for sites for which I don’t care if my login is compromised in some further breach.

    I set all my Facebook settings to “Friends Only” – and I have no friends – which is also true in my real life, but that’s another story LOL.

  9. J. Peterson

    I used FB briefly (under a pseudonym) to participate in a forum, but avoid it since that forum shut down. It’s so evil.

    Interesting, my kids (now in college) avoided it completely. They first went on-line with middle school accounts for doing homework, and wound up using G+ instead of FB. This clarifies why FB spent an absurd amount on Instagram; it was the only way to hang onto later generations.

  10. Derek

    I have never had a Facebook account. I suspected years ago that they were evil, and they’ve done a great job proving me right. So glad I never took the bait. Sure, I’ve probably missed out on a few reconnects from my past, but oh well.

  11. Ricki

    Has anyone tried Firefox’s Facebook Container add-in and/or the Facebook Purity app? Both help stop tracking and ads. Not sure if even both together stop FB tracking 100%.

  12. dean

    Yep – I have reported dozens of scam sites that exist on Facebook. I get the same answer every single time: “It does not violate any of our policies.” I have not deleted my account as it is a useful way of communication. I always think back to those happy days without smart phones or internet. People actually talked to each other.

  13. Randall McNeely

    I find it interesting that FB comes back with the answer that “it does not violate any of our policies.” Yet again they are showing their two-faced (no pun intended) double standard.

    I have several facebook pages, a couple of which are religious. A few weeks ago, I received an email telling me that my “Living Christ Project” page had been shut down for violations of FB policy. It is a Christian page and only shares teachings about Christ. If I try to find out what policy my page violated, I can’t get an answer. I have another religious page in which I share the same information and yet it has not been shut down.

    FB – allow criminals to thrive
    FB – shut down Christians who share positive, faith based messages.

    1. Bob

      It isn’t just Christians. It is anyone to the right of Karl Marx.

  14. Greg Baumbach

    I had a FB account for about six weeks quite a while ago. Work in the marketing biz, and did some work with FB data back in the early 2010s (same time I created my FB account). The utter lack of controls on that data and the scope they were carrying were outrageous, and I tossed my account immediately.

    Thankfully I have no reason to be on FB professionally.

  15. Anon404

    I stopped giving any personal data to Facebook shortly after they started opening everything up beyond one’s local school groups. As soon as I heard Zuckerberg go on TV and state that people really don’t want privacy and that everyone is looking to share their likes etc., I went on there and deleted almost everything but my name and some photos posted years previous. I started telling all my friends that Facebook should not be trusted, that they are selling all your data and that even private messages were not “private” to Facebook. People called me a conspiracy theorist, laughed me off etc. Most still don’t acknowledge that I was right about them, years before the rest of the world caught on. I still keep my account, but for limited uses.

  16. Bob Stromberg

    I somehow doubt that deleting your Facebook account actually deletes the data you have already given Facebook.

    1. If you have likes and responses and posts and replies on other timelines, does deleting your Facebook account delete those things as well? And if your post on another account’s timeline elicited replies and likes and responses from other users, do those users’ actions also get deleted?

    2. If you delete your Facebook account and law enforcement serves a subpoena to Facebook, is Facebook going to say, “Sorry that user deleted their account and we no longer have backup copies anywhere”?

    3. If you delete your account, and your email address gets hacked, what prevents the hacker from using your email address to re-create your account?

    4. How thorough are reputation services, which say they will clean up your online reputation?

    All these questions apply of course to any online service where you share information.

    I continue to use Facebook because for me it’s like an all-day bull session where I can share thoughts and ideas with some folks who are often smarter or better informed than I am. I long ago learned how to sniff out bias and disinformation. It’s not perfect but I know how to check sources and hold onto my scepticism.

  17. JMM

    > But Facebook deleted all offending groups after researchers told Facebook’s security team they were going to publish their findings.

    They have to walk the fine line between “increase engagement no matter what” and “good PR”.

  18. norb

    Better to use FB only with 2nd or 3rd email accounts, no real name there, only pseudonyms.

    That’s how I use it at least.

  19. Nicole

    This points to the need for a third-party problem reporting system; it would be useful to have an impartial complaint aggregator to batch similar problems and evaluate the effectiveness of the platform’s responsiveness through its internal reporting systems. It would be especially nice to have one place for all complaints, and then these could be parceled out to groups of individuals who are willing to take action, local governments, and non-profits with an interest in specific issues.

    There are so many areas in my life where I would be happy to provide a string of constructive comments, but don’t have time to look into the process for making the correction in Wikipedia, or suggestion for Google Maps, or providing feedback to my local transit authority, or corrections for the news articles I read, or comments on area street signage (though my state senator is pretty good about taking comments in), or poor accessibility for disabled, etc. If it was turned into a publicly accessible dataset, it could provide opportunities for entrepreneurs, suggestions for improved website design, etc.

    I don’t often come across scams like those described here, but I would really like to know that there is a good mechanism for reporting them, so that the people who do notice these things can keep the bad actors in line.

    1. peter

      Third party problem reporting system: Sounds like a great idea. I’m also often irritated by stupid, simple to fix things, but how do you make it known? Since I recently became unemployed I spent some time looking up email addresses to send remarks and complaints. But it’s useless; people are too busy or just not interested/motivated to make a traffic sign visible again that is completely overgrown or to correct mistakes on websites. Now I just make an edit on Wikipedia from time to time and try not to worry about the rest.

  20. Altshift Capslock

    Facebook? What’s Facebook? (or Twitter/snapchat/instagram/whatsapp/ . . .)

  21. peter

    6 years ago, I created a FB account since ‘everybody was on FB’. But I didn’t like the herd mentality, people who expect you to like their every comment and picture. So I started to turn back everything: delete pictures, unlike my likes, deleting comments and chats. After some time people said they couldn’t find me anymore 🙂 Wonder what is left in their back-ups?
