Cisco Talos Finds Criminals Hiding in Plain Sight on Social Media

Cyber-criminals aren't just hiding on the dark web. Many are also operating openly on social media sites like Facebook, according to new research from Cisco's Talos research unit.

Cisco Talos Facebook

While there is no shortage of talk about the "dark web" where hackers use hidden sites to sell and exchange criminal tools and services, Cisco's Talos security research unit found that there are literally hundreds of thousands of people interacting with cyber-criminal services in plain sight.

In a report released on April 5, Cisco Talos revealed that it discovered 74 groups on Facebook that were engaged in different types of cyber-criminal related activities. Across those groups, Cisco Talos estimated that there were approximately 385,000 members. These are groups where anyone who conducts a search to find them is able to engage with a criminal to acquire various services, including spam, phishing, credit card and other types of illegal activities.

"Facebook isn't the only platform used by scammers … other popular social sites are being targeted as well," Craig Williams, director of Talos Outreach at Cisco, told eWEEK. "Criminal conduct is a problem for all social media platforms, the larger and more popular the platform the more likely it is to be abused."

Williams said Cisco Talos reported the 74 groups to Facebook using a number of approaches. Initially, the Cisco Talos researchers simply reported each group individually via Facebook's abuse reporting functionality. Facebook did not, however, remove all the groups that were reported, so Cisco Talos followed up directly with the Facebook Security team, which subsequently took down the full list of malicious groups.

The Cisco Talos disclosure that criminals were acting in plain sight on Facebook is not the first time that the social media site has been used by attackers. A year ago, in April 2018, researcher Brian Krebs identified multiple groups on Facebook that were conducting cyber-criminal operations. Those groups were shut down at the time by Facebook, though, according to Cisco Talos, they have since re-emerged.

In fact, according to the report, some of the groups identified by Cisco Talos that have now been taken down by Facebook were somehow able to stay active on Facebook for up to eight years. While the various hacker groups have been successful at staying alive, what is not clear is how successful the groups have been at actually exploiting victims. The report notes that there are often complaints posted by group members who have been scammed by other group members. 

How Cisco Talos Found the Hacker Groups

Cisco has a vast portfolio of security tools and services. Cisco Talos in its research was able to conclusively link malware and phishing services offered for sale on the various Facebook criminal groups with activities it saw using the Cisco Threat Grid and Umbrella platforms. 

While Cisco Talos could correlate the Facebook hacker group activities using Cisco technologies, Williams said the researchers actually found the hacker groups on Facebook manually, without needing any sophisticated tools. Additionally, Williams noted that Cisco Talos is not using Facebook as some form of honeypot or deception vector to trick and track attackers. 

"Cisco is committed to helping social platforms like Facebook and others address this criminal activity," Williams said.

Fixing the Problem

Facebook has had no shortage of challenges on its platform lately, including its own set of security missteps. In Williams' view, the abuse of social media by hackers isn't just a Facebook issue; rather, the issue at large is that criminals are abusing free social media platforms for their own gain. 

Facebook and other social media platforms typically have some form of abuse-reporting functionality. Williams said that working with the community remembering "if you see something, say something" can help everyone be safer online—especially on social media. 

"People who abuse social media are like cockroaches," Williams said. "If you aren’t diligently working to exterminate every single one, they will keep coming back."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.