Cisco Talos researchers have identified more than 70 hacking groups that operated as online marketplaces and exchanges on Facebook, which the social media giant has now removed.
The Talos researchers had been tracking the groups for several months. Following notification of Talos’ discovery, Facebook took down the malicious accounts for violating its policies. "These groups violated our policies against spam and financial fraud and we removed them," a Facebook spokesperson said. "We know we need to be more vigilant and we're investing heavily to fight this type of activity."
Some of the groups have operated on Facebook for as long as eight years, attracting hundreds of thousands of followers. In Talos’ recent investigation, the 74 tagged groups promoted to some 385,000 members malicious activities ranging from trading in stolen bank card information to spam tools.
“Instead of wheeling-and-dealing using hidden servers on some mysterious dark web address, a surprisingly large number of cyber scofflaws prefer to operate right out in the open using social media,” Talos researchers Jon Munshaw and Jaeson Schultz in a blog post. “Talos saw spam from services advertised in these Facebook groups show up in our own telemetry data, indicating a potential impact to Cisco customers from these groups.”
In a similar instance a year ago, prompted by a KrebsonSecurity investigation Facebook dismantled roughly 120 private discussion groups totaling more than 300,000 members who used the platform on average for two years to help hackers launch a variety of attacks, such as spamming, wire fraud, account takeovers, denial-of-service attack-for-hire services and botnet tools.
In some ways Facebook is the ideal host for these hacking groups. Anyone with a Facebook account can easily find them and once the visitor lands on the page the social media platform’s algorithm refers them to other, similar pages as it does with “friends.” Inasmuch as many of the nefarious accounts have been active for years, it doesn’t appear that Facebook users are too eager to report them for carrying on illegal activities.
Talos said it tried to remove the accounts through Facebook’s reporting function to mixed results. Of note, as Facebook’s security team removed most of the malicious accounts, new ones appeared. “Talos continues to cooperate with Facebook to identify and take down as many of these groups as possible,” the researchers said.
What’s to be done to ferret out and remove malicious accounts? Here’s what Talos recommends:
- Social media platforms should continue their efforts, both manual and automated, aimed at identifying and removing malicious groups.
- Security teams and vendors must work together to actively share information, take action and inform our customers.
- Businesses need to be diligent about their protection and cyber hygiene efforts.
- Consumers need to become as informed and skeptical as possible. Attacks like spam prey on the individual as an entry point.
