Facebook is the place to reconnect with old high school friends and if so desired, connect with internet crooks.
The social network has become a relatively predictable place for cybercriminals — or scofflaws — to congregate in online marketplaces that are "shady (at best) and illegal (at worst)," according to a report from Cisco Talos.
"Spam Professional," "Spammer & Hacker Professional," "Buy Cvv On THIS SHOP PAYMENT BY BTC," are some of the so conspicuous groups advertising services to Facebook users. Some of the groups have built members reaching the tens of thousands, according to the report.
Bad actors' lack of disguise speaks to their desire: They want to be easy to find. Running a search with keywords like spam, carding or CVV will turn up a corresponding group.
Facebook is inadvertently publicizing more hacker groups with algorithms that suggest similar groups during the search. There are no real long term consequences if these groups are discovered, according to Craig Williams, director of outreach at Cisco Talos, in an email to CIO Dive.
Talos tallied 74 groups on Facebook that had members willing to commit "an array of questionable cyber dirty deeds," according to the report. The social site "seems to rely on to users to report these groups," according to Cisco Talos, otherwise nefarious activities can continue.
Talos tried reporting them as a normal user through Facebook, which resulted in several immediate take downs, while other groups had only specific posts removed.
The researchers eventually had contact with Facebook's security team and a "majority" of the groups were dismantled. The frequency of new groups cropping up, however, makes it an endless task.
Investigative security reporter Brian Krebs highlighted the presence of dozens of malicious groups in 2018, as a result, Facebook removed the groups. Talos later found that groups with "remarkably similar, if not identical" names reappeared.
The obviousness of bad actors' actions and Facebook's faulty detection process makes the solicitors "either very smart or very stupid," said Ariel Ainhoren, head of threat research at IntSights, in an email to CIO Dive.
The smart ones will use a VPN, proxies or TOR for identity protection otherwise solicitors' best bet is "the disinterest of law enforcement" or located in a foreign country for additional defense, said Ainhoren.
More regulation?
The argument for Facebook to do better about vetting and tracking nefarious groups is clear but doing so may give more power to the already-scrutinized social network. Further supervision on the platform inevitably requires more intrusive behaviors on personal data, according to Ainhoren. Then there are the possible free speech implications for removing groups and posts.
Social media sites and apps were not designed for law enforcement. It's a strange juxtaposition: social media created platforms that can be used for illegal activity but lack the controls to mediate it.
Facebook is "a financially motivated company," said Ainhoren, so "if nobody points a finger and the users and platform profit from the all-round activity, they have no financial motivation to take these groups down."
Social media sites like Facebook provide hackers-for-hire a forum to advertise and solicit skills. On the other hand, more in-depth marketplaces are found on the dark web. The dark web consists of virtual replications of eBay, with bazaars selling ransomware variants, talents, DIY cyberattack launch kits, and almost any other good or service.
Unlike the dark web, Facebook is an easier platform to reach potential clients.
"Wherever their target audience is, that's where they'll go," said Ainhoren. It's not uncommon for Facebook users to boast about new credit cards in pictures, making credit card number harvesting rather effortless.
It's also easier to offer up "already stale and unusable" goods, he said. The quality of goods and services offered on Facebook are different from many dark web offerings because it's reduced as soon as it's posted, though it can still serve as a necessary "shop front" from more secure avenues.
Switching IP's, using proxies or masking their location allows bad actors to reopen a closed group or account, which adds to their confidence, said Ainhoren.
Twitter in particular leaves a minimal trail of evidence for dealing with cyber activities because of the short lifespan of tweets, but unlikely platforms like Pinterest are also subject to this behavior.
"A lot of dark web users are teenagers and young people, so it's only logical they'll use the platforms they know best," said Ainhoren.