A search for “CVV credit card” on Facebook just now brought up Facebook groups offering credit card numbers for sale. (The “CCV” refers to the security code found on the back of credit cards). Yet, this is not a unique event; criminal activity is pervasive on Facebook.
According to Cisco’s Talos security unit, Facebook is home to cybercriminals selling card numbers, stolen goods, and hacking services right out in the open. They do this by creating Facebook groups that are easy to find through simple searches. Talos reported finding 74 groups totaling almost 400,000 members two days ago.
Talos noted, “The online black market offering cybercrime goods and services are using obvious group names, including ‘Spam Professional,’ ‘Spammer & Hacker Professional,’ ‘Buy CVV On THIS SHOP PAYMENT BY BTC,’ and ‘Facebook hack (Phishing).'” In other words, all of this is easy for anyone to find.
But Facebook makes it even easier for the cybercriminals. Once they find a group, Facebook offers suggestions of other similar groups for them to join using their algorithms.
This is not a new problem for Facebook. Last year security journalist Brian Krebs made a similar discovery and reported that cybercriminals were using Facebook to promote their criminal services, much like what was just discovered. At that time Facebook shut down 120 discussion groups. They’re now back up using different names, but still easy to find.
Talos says, “Many of the activities on these pages are outright illegal. For example, we discovered several posts where users were selling credit card numbers and their accompanying CVVs, sometimes with identification documents or photos belonging to the victims.”
Other examples included groups selling email lists for spamming, services for transferring cash, and groups that offered fake IDs.
When PCMag questioned Facebook about this report, Facebook said that it shut down the 74 groups, and has removed pages affiliated with these groups. “We know we need to be more vigilant and we’re investing heavily to fight this type of activity,” said a company spokesperson, noting that Facebook now has a team of 30,000 people devoted to safety and security.
These findings come on top of the criticism the company is facing for not doing enough to stop fake news, hate speech, and conspiracy theories. Now add cybercriminal activity to their list of special added attractions. What this all points to is that Facebook has created a giant community, much like a virtual city or country, but fails time after time to adequately police it, tarnishing the entire endeavor. For too long Facebook has argued that the community is best policed by its own members reporting violations of their rules, but that hasn’t quite worked out as planned, and now Facebook faces the threat of serious regulation and huge fines.
In fact, when Cisco’s Talos group initially tried to use Facebook’s abuse reporting system to alert the company of the cybercriminal activities, their attempts were unsuccessful and they had to reach out to Facebook publicly to get a response.
But, what’s really criminal is Facebook itself. They’ve been warned time after time about illegal and other terrible activities occurring on their site, yet it all keeps occurring because, in reality, they just don’t care enough to fix it.