Is Facebook Evil? Part Two

Part one of our story looked at Facebook users’ growing lack of privacy and the abuse of their personal information. Part two looks at the rising tide of criminal activity on Facebook from the end of 2013 to the present.

Gun Sales
Let’s start on a positive note, with a bit of good news about one kind of illicit activity on Facebook.

In 2013, it was not difficult to find a variety of firearms for sale on Facebook pages; the lethal weapons were available for purchase with little in the way of background checks required, so long as the purchaser’s money was good.

Since then, the Facebook pages where guns were openly sold to all comers have largely vanished. While there are plenty of Facebook groups, both open and closed, where firearms are the primary topic, all of those I visited either carried the warning, “Absolutely No Gun Sales,” or some version of “All Gun Sales Require a Valid License and Full Compliance with State/Federal Law.”

It was clear from the change that Facebook had been policing the firearm forums for terms-of-service violations. This atypically positive sign of Facebook acting as a solid corporate citizen was refreshing, if only because of how rare an experience it proved as my research continued.

And yes, unfortunately, it was just about the only significant improvement I saw over the last three years.

Retail Scams
When I spoke to him at the end of 2013, Eric Feinberg was wicked pissed at Mark Zuckerberg, and not afraid to tell people about it. At the time, Feinberg was running EyeOn Intellectual Property as well as the Facebook page, Fans Against Kounterfeit Enterprise (FAKE). He was also one of three coauthors of a study entitled “Cybercriminals Leveraging Facebook.”

As Feinberg put it, “When you log onto Facebook, you put in a password, which makes you feel secure, like you’re home. You tell Facebook what you like, join groups for your interests, maybe fashion for women, or sports for guys. Then sponsored ads, which Facebook makes money from, start popping up in your news feed for the kinds of things you’d probably like, sports jerseys for men, fancy purses for women. You don’t know the ads aren’t from a real seller. You don’t know Facebook is doing almost nothing to make sure the ads are legit. You don’t know they’re not selling anything at all. They’re just scams to get your credit card, Western Union, or PayPal information.”

Feinberg, whose emotions ranged between irritation to outrage while we talked, complained, “I’m from the advertising world. What Facebook is doing here, in making money off of fake ads and doing nothing to ensure the ads users see are legitimate, that’s criminal. It is fraud. I’ve been in contact with Facebook repeatedly. They haven’t responded when we told them about the huge number of bogus sites and bogus ads.

“They make it nearly impossible for any owner of intellectual property, or any brand being infringed upon, to report the fake sites. Facebook wants a screenshot of the bogus link, AND a screenshot of the redirect page, AND then a screenshot of the destination page selling the nonexistent goods. Here is the catch: they want all three items, which appear on your computer screen sequentially in the space of a second or two, grabbed in a single screenshot. Almost nobody knows how to do that.

“We surveyed 400 posts and ads related to NFL jerseys, Ray-Ban sunglasses, and Louis Vuitton handbags. More than half were bogus, and of those we surveyed, only two percent got taken down during our study.”
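The three items Feinberg says Facebook demands, the bogus link, the redirect page and the destination page, are easier to capture with a script than with a screenshot, because a script can refuse to auto-follow redirects and log every hop. The block below is an added example, not code from Feinberg, FAKE or Facebook. It walks a redirect chain one hop at a time with the standard library and renders the hops as the list a takedown report would quote. The chain it runs against is a constructed stand-in served on a loopback port; the hostnames, paths and the `evidence-capture` User-Agent string are invented.

```python
"""Capture a redirect chain hop by hop, the evidence an abuse report needs."""
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

REDIRECTS = (301, 302, 303, 307, 308)


def follow_chain(url, max_hops=10, timeout=5):
    """Fetch `url` and return [(status, url), ...], one entry per hop.

    urllib.request would follow the redirects itself and hand back only the
    final page; driving http.client by hand keeps every intermediate 3xx hop.
    """
    chain = []
    for _ in range(max_hops):
        parts = urllib.parse.urlsplit(url)
        conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                    else http.client.HTTPConnection)
        conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        try:
            conn.request("GET", path, headers={"User-Agent": "evidence-capture/1.0"})
            resp = conn.getresponse()
            resp.read()                       # drain the body so the socket closes cleanly
            location = resp.getheader("Location")
            chain.append((resp.status, url))
        finally:
            conn.close()
        if resp.status in REDIRECTS and location:
            url = urllib.parse.urljoin(url, location)   # Location may be relative
            continue
        return chain
    raise RuntimeError("redirect loop or chain longer than %d hops" % max_hops)


def format_report(chain):
    """Render the chain as the numbered hop list a takedown report would quote."""
    return "\n".join(f"hop {i}: HTTP {status} {url}"
                     for i, (status, url) in enumerate(chain, 1))


# Constructed stand-in for "bogus link -> redirect page -> storefront".
# No real site is contacted.  The relative Location headers are deliberate:
# real redirectors use them too, and urljoin has to resolve them correctly.
_FAKE_ROUTES = {
    "/promo": (302, "/go?to=shop"),
    "/go": (302, "/shop"),
    "/shop": (200, None),
}


class _ChainHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        path = urllib.parse.urlsplit(self.path).path
        status, location = _FAKE_ROUTES.get(path, (404, None))
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):   # keep the sample server quiet
        pass


def capture_demo():
    """Serve the constructed chain on a loopback port and capture it."""
    server = HTTPServer(("127.0.0.1", 0), _ChainHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_port}"
        return follow_chain(base + "/promo")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(format_report(capture_demo()))
```

Against a real chain you would call `follow_chain` with the ad link itself; the `max_hops` cap matters because scam redirectors sometimes loop, and the hop list, not just the final page, is what shows which intermediary is doing the redirecting.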

Feinberg went on to detail some of the hallmarks of the scams and where they were likely to be found, so I went to look around myself. One of several pages Feinberg mentioned was NFL Pro Bowl Fans.

Sure enough, when I went to the Pro Bowl page, I immediately found a link to an “Angie Lee” with all of the hallmarks of fraud Feinberg and his colleagues had found.

[Screenshot: the “Angie Lee” profile]

“Angie’s” profile had existed for less than six weeks, and while she was a member of 100+ open sports-related forums, to which she regularly posted links to sites allegedly selling sports jerseys, she had no profile photo, nothing besides “buy jerseys here” posts on her timeline, and no friends.

In fact, when I looked at the open forums in which “Angie” and other suspect profiles were active, it was easy to see that most of the profiles that regularly posted were fakes designed to lure the minority of legitimate forum members into pitfalls of one sort or another, either selling something or redirecting Facebook users to particular sites in Costa Rica, most likely in order to push spyware or malware onto the visitor’s computer.

Feinberg’s associate Frank Angiolelli, one of the coauthors of the “Cybercriminals Leveraging Facebook” report, used more clinical terms than Feinberg in describing the amount of fake commerce fraud on Facebook, but noted that it was getting very bad, very fast. “The scams on Facebook are on a diauxic growth curve, like a cancer that multiplies until it kills the host.”

While the fake commerce links were the most numerous scams on Facebook, they were by no means the only scams Angiolelli found. Others included payday loan scams and money mule scams, in which people hoping to get “work from home” jobs are tricked into helping money launderers move stolen money.

While only Facebook has access to the raw data that could create a reliable figure of how much money they earn from ads flogging non-existent or counterfeit goods, according to a study by Italian researchers Andrea Stroppa and Carlo De Micheli, the criminals posting fake ads on Facebook were making an estimated 200 million dollars a year by posting the links.

In late 2013, the same year the study was published, the FBI’s Internet Crime Complaint Center (IC3) said non-delivery of goods was the number one reported online crime.

The fake ads and scams were also prominently mentioned in the letter sent to Facebook by Norway’s Ombudsman described in part one of this story. To refresh our readers’ memories, that letter recounted a meeting with Facebook staffers who agreed there was a major problem with fake ads and scams, and that they “will remove them on a case by case basis…when they are reported.”

So, a company famous for creating algorithms to precisely categorize every online move made by their users (the better to package them for targeting by advertisers) was advocating a case-by-case policing approach, including a triple-screenshot-in-one requirement, which might or might not then prompt a Facebook staffer to look into that one bogus ad link?

One could be forgiven for wondering if this approach is the most efficient or practical way to eliminate scams—multiplying at a near-exponential rate—on a network with 1.4 billion users.

To see whether any progress had been made in the last few years on the issue of fake profiles posting links to bogus items, I started revisiting the same Facebook pages I first visited in 2013.

None had. On the NFL Pro Bowl Fans page, the percentage of fake profiles was, if anything, even worse. I examined the five most recent postings and looked at who posted them.

The profile of user “Antony Roberts” had almost no information or activity in his timeline, although he belonged to numerous make-money-online/marketing groups. He posted three of the five most recent posts, the first about the English Premier League (i.e. soccer, not US football or the Pro Bowl). Antony’s other two posts were links to bogus news stories about the deaths of Jack Nicholson and Queen Elizabeth, both of whom are still among the living. The posts included fake photoshopped pics which supposedly led to non-existent CNN and BBC stories, but actually redirected users to a clone of the website of the UK newspaper The Guardian. The clone site, The Guardians, had many other faked stories of celebrity deaths posted, including an exclusive for the (not actually) dearly departed Sharon Stone.

[Screenshot: the NFL Pro Bowl Fans page]

While Antony Roberts’s motives for posting links to sensational fake stories aren’t known, one common reason for posting clickbait that leads to clone sites is to get visitors onto a page that pushes malware onto their computers (a drive-by download).

The second person posting to Pro Bowl Fans, Ryan Williams, was selling NFL-themed smartphone cases, and had a profile just as sparse as Antony’s.

The profile of Yizhou Huang, the third person to post, was almost blank, except for a stream of posts to NFL Pro Bowl Fans hawking NFL jerseys, just like Angie Lee had three years before.

In other words, all of the five most recent posts from NFL Pro Bowl Fans were from obviously fake profiles with bogus links. None of the posts had any current Pro Bowl news or gossip, the ostensible purpose of the group.
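The hallmarks listed above (a profile a few weeks old, no photo, no friends, membership of a hundred-odd groups, a timeline that is nothing but sales links) are exactly the kind of per-account commonality that can be scored automatically, and several such accounts pushing the same domain ties them into one campaign. The block below is an added example of that check, not Facebook’s code or anything from the reports cited here. The thresholds, the keyword pattern and the verdict cut-offs are assumptions chosen to match the descriptions in this article; the sample profiles are constructed from those descriptions (the names Angie Lee and Yizhou Huang come from the page, Sam Ortega and Ryan Williams’s details are invented, and the `.example` domains are reserved names that resolve to nothing).

```python
"""Score profiles on the fake-account hallmarks described in the article."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

LINK_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Assumed vocabulary of the jersey/handbag/phone-case pitches the page describes.
SALES_RE = re.compile(r"\b(buy|cheap|sale|discount|wholesale|jerseys?|cases?)\b", re.I)


@dataclass
class Profile:
    name: str
    created: date       # account creation date
    has_photo: bool
    friends: int
    groups: int         # open groups the account belongs to
    posts: list         # recent timeline post texts


def score_profile(p: Profile, today: date):
    """Return (score, reasons); each hallmark from the article adds one point."""
    reasons = []
    if (today - p.created).days < 42:             # "less than six weeks"
        reasons.append("account under six weeks old")
    if not p.has_photo:
        reasons.append("no profile photo")
    if p.friends == 0:
        reasons.append("no friends")
    if p.groups >= 100:
        reasons.append(f"member of {p.groups} groups")
    if p.posts:
        linky = sum(bool(LINK_RE.search(t)) for t in p.posts)
        salesy = sum(bool(SALES_RE.search(t)) for t in p.posts)
        if linky == len(p.posts):
            reasons.append("every recent post carries an off-site link")
        if salesy / len(p.posts) >= 0.8:
            reasons.append("timeline is almost entirely sales pitches")
    return len(reasons), reasons


def classify(p: Profile, today: date, fake_at=4, review_at=2):
    """Assumed cut-offs: 4+ hallmarks is fake, 2-3 goes to a human reviewer."""
    score, reasons = score_profile(p, today)
    if score >= fake_at:
        return "fake", reasons
    if score >= review_at:
        return "review", reasons
    return "ok", reasons


def campaign_domains(profiles, today, min_accounts=2):
    """Domains pushed by at least `min_accounts` suspect profiles: the
    commonality that turns a pile of individual fakes into one campaign."""
    hits = defaultdict(set)
    for p in profiles:
        if classify(p, today)[0] == "ok":
            continue
        for text in p.posts:
            for url in LINK_RE.findall(text):
                hits[urlsplit(url.rstrip(".,!)")).hostname].add(p.name)
    return {d: sorted(names) for d, names in hits.items() if len(names) >= min_accounts}


# Constructed sample data modelled on the profiles described in the article.
TODAY = date(2016, 3, 26)
SAMPLE_PROFILES = [
    Profile("Angie Lee", date(2016, 2, 20), False, 0, 112, [
        "buy cheap NFL jerseys here http://cheap-jerseys.example/nfl",
        "discount jerseys all teams http://cheap-jerseys.example/sale",
        "Jerseys $19 buy now http://cheap-jerseys.example/deal",
    ]),
    Profile("Yizhou Huang", date(2016, 3, 1), False, 0, 87, [
        "wholesale NFL jerseys free shipping http://cheap-jerseys.example/nfl",
        "cheap jerseys http://cheap-jerseys.example/2016",
    ]),
    Profile("Ryan Williams", date(2016, 2, 28), True, 3, 40, [
        "NFL phone cases, cheap, http://nfl-cases.example/",
    ]),
    Profile("Sam Ortega", date(2009, 9, 4), True, 212, 6, [
        "Anyone else think the Pro Bowl needs a new format?",
        "Great game last night, the defense finally showed up",
    ]),
]


if __name__ == "__main__":
    for p in SAMPLE_PROFILES:
        verdict, why = classify(p, TODAY)
        print(f"{p.name}: {verdict} ({'; '.join(why) or 'no hallmarks'})")
    print("campaign domains:", campaign_domains(SAMPLE_PROFILES, TODAY))
```

The per-profile score catches the obvious fakes, but the domain grouping is the part a platform can act on at scale: once two fresh, friendless accounts are pushing the same storefront, every other account linking to that storefront is worth a look, which is the inverse of the one-report-per-link process the article describes.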

Piracy
At the end of 2013, Michael Baffa was an investigator working on intellectual property protection for the Motion Picture Association of America (MPAA). He was just as puzzled as Eric Feinberg as to why Facebook wasn’t making better use of available technology to weed out activity on Facebook that clearly violates copyright law.

As we sat together, Baffa took me on a virtual tour of some of the worst ripoff pages on Facebook, including Vodly and The Pirate Bay. “Facebook is filled with infringing fan pages,” he said. “Some of the pages on there have links to hundreds of stolen movies for users to download or stream.”

[Screenshot: the Vodly Facebook page]

Continued Baffa, “When we (the MPAA) complain to Facebook, ‘Hey, there is an infringing fan page that drives traffic to illicit sites pirating our movies,’ Facebook will only remove that specific link, and ignore the hundred other links on the same page unless we do a specific complaint about each of them, too. In the rare cases they do take down the fan page of a repeat infringer, an identical one will spring back up on Facebook within hours.

“Those links, when people click on them, sometimes lead to sites off Facebook where people can watch pirated movies. But the links also frequently lead to sites where people click a play button hoping to see a free movie. Instead, they’ve just uploaded malware onto their computer.

“Facebook can stop links to things like child pornography, so Facebook clearly has filters in place; they’re too sophisticated not to. Why are they making us manually and individually search for and report copyright violators? They have the data, they know the IP addresses of the routine violators. Why don’t they just block them? It makes no sense.”

Revisiting the pages almost three years later, I found that Vodly and The Pirate Bay were both still there, although there had been some changes. The Pirate Bay was now called “The Pirate Bay Unblocked for You” and neither Facebook page posted links to pirated movies any longer. Instead, the Vodly and Pirate Bay Facebook pages just posted a single link to their web sites, which contained all the pirated movies previously listed on the Facebook page.

So, after years of MPAA complaints, Facebook still has not permanently blocked known chronic offenders, and it remains a launch pad for massive infringement. Pages like Vodly and The Pirate Bay are allowed to persist, as long as they keep the links to stolen movies one click away from the Facebook page.

Most of us don’t have a lot of spare sympathy for the travails of corporate behemoths like billion-dollar Hollywood studios which stand to lose millions from Facebook’s lax and cumbersome enforcement.

[Image: istock.com / scyther5]

Of far more relevance in the day-to-day life of the average Internet user, regardless of whether they are on Facebook or not, is that Facebook is increasingly used to facilitate “old-fashioned” crimes like fencing stolen goods, extortion, prostitution, and human trafficking, as well as online crimes like stalking, ID theft, and sextortion.

While it may be a good thing that some of the shadier gun sales are now being curtailed on Facebook, these days we’re all a lot more likely to be “jacked” at the point of our own computers than at the point of a gun.

Hacking
A lot of recent tech coverage has delved into the hacking tools for sale on the “Darknet.” Would-be hackers have to identify the hidden sites on the anonymizing Tor network, sites which cannot be found with conventional search engines like Google. Once the site is located, the neophyte hacker wanting to add to his or her bag of dirty computer tricks has to be vouched for by other cybercriminals or black hat (i.e. malicious) hackers that are already members of the forum. Only after the newcomers are accepted can they learn the advanced hacking techniques and buy the latest cutting edge hacking tools.

Much as it sounds like the beginning of a dystopian novel of the cyberpunk genre, such forums do exist and access to them is jealously guarded by the criminal networks that maintain them.

But really, what a lot of work for aspiring cybercriminals! It is sooooo much simpler just to go to Facebook. In 2013, I found the Facebook page “Botnet & Sourcebot & Trojan & Virus & Keylogger.”

[Screenshot: the “Botnet & Sourcebot & Trojan & Virus & Keylogger” page]

The page’s users were advertising and exchanging a wide variety of malware and spyware tools for illegally hacking anyone online. The forum made no pretense of being for “white hats” or “ethical hackers” who use such tools only for legitimate penetration testing. No, it was clearly a market for wares that were not only illegal but specifically designed to perpetrate online crime, and which could easily be turned on legitimate Facebook users.

As of March 26, 2016, “Botnet & Sourcebot & Trojan & Virus & Keylogger,” was still up and offering hacking tools for sale and swap.

But it does not just stop at hacking tools and tips. An updated price list, helpfully posted by “David John” three hours before I revisited the site, included such items as bulk stolen credit card numbers, passwords to high-dollar bank accounts, and access to verified Amazon and eBay accounts. The list of offerings wouldn’t have been complete without a how-to tutorial teaching neophyte hackers how to cash out stolen credit cards and bank account details. It concluded with links to two other closed Facebook forums controlled by David John, including one entitled “World Hackers—All in One Roof,” which proclaimed its purpose as teaching interested Facebook users how to hack PayPal, eBay, and Western Union accounts.

Sex Crimes
For Joshua McAfee, founder of the McAfee Institute, a leader in anti-cybercrime training, the question which has puzzled him for so long about Facebook is: “Why does it allow so much activity that is both clearly criminal and clearly violates Facebook’s terms of service?” (Full disclosure: I used to be an unpaid member of the McAfee Institute’s advisory board.)

“You hear about an innocent photo being pulled down of a mom breastfeeding because it violates their terms of service, but just type ‘escorts’ into Facebook’s search bar, and what do you find? ‘Escorts 5’ with plenty of naked pictures of prostitutes and more than 5,000 likes. It is not like they are hiding.”

In 2013, McAfee explained, “I’ve been involved in more than 1,000 human trafficking investigations. Stuff that shows all the signs of human trafficking is now on Facebook. A few months ago I was training some Indiana police, and as part of the training, we typed in ‘Sex for Sale’ on Facebook.”

[Screenshot: the “Sex for Sale” search result]

“We found someone claiming to sell sex in Indiana, so the local cops set up a sting, and a teenage girl showed up. Turns out she’d run away when she was fourteen, a stranger picked her up and told her he’d take care of her. Then he chained her in his basement for two and a half years. And used Facebook to pimp her out.”

A little experimentation quickly finds that “escort/escorts” as a search term brings up far more pages using Facebook to sell sex than it does admirers of Ford’s venerable economy two-door sedan.

McAfee continued, “Facebook is also popular for ‘sextortion.’ I worked a case recently where a guy created a fake profile pretending to be a teenage girl. He then became friends with teenage girls on Facebook near him, and manipulated them until he got a revealing photo from the girls, and then threatened that unless he got more explicit photos, or they agreed to have sex with him, he was going to send the first photo to her family and schoolmates. That’s one of the things that makes people so vulnerable: you have no idea who you are really talking to on Facebook.”

When updating my research for this story with the current state of play in 2016, I saw that both the “Escorts 5” page and the “Sex for Sale” page were down…but there were still many, many flesh-peddling pages on Facebook. Type in any major US or global city and “Escort” and you are quickly brought to Facebook pages advertising, as the novelist Terry Pratchett used to term it, “ladies of negotiable affection.”

Theft
Despite the sex crimes and human trafficking Facebook is used to facilitate, McAfee’s initial interest in Facebook came from his background combating organized retail crime rings for major retailers. “Over time I’ve seen the evolution of crime move from platform to platform. As Amazon and eBay have tightened up their security, more has migrated to Facebook. There are all kinds of individuals, groups, and forums selling stolen goods on Facebook. We just took down a ring of iPod and iPad thieves selling stuff stolen from a major electronics retailer.”

When asked if Facebook was responsive to complaints about crime, McAfee commented, “I’m in contact with both cops and investigators all over the loss prevention industry. They all tell me the same thing: they complain to Facebook about criminal activity, and they get back silence.

“One thing we did when I was working loss prevention at a major online retailer was look at people selling stolen merchandise. They’re not hard to find; they sell new stuff for way under retail. We started to block the MAC addresses of the criminals. Since MAC addresses can’t be changed without swapping out computer hardware and MAC addresses are hard to spoof, it is a really effective way to block criminals’ access to a network.

“When we did that, we saw criminal activity drop 89% on the retailer’s network. Facebook could easily do that, too. I don’t know why they don’t.” [Editor’s note: A MAC (Media Access Control) address is the 48-bit identifier assigned to a network interface such as a Wi-Fi card. Two caveats apply to McAfee’s suggestion. First, on most operating systems the address an interface actually transmits can be changed in software, so it is not a reliable way to pin down a particular machine. Second, and more importantly, a MAC address is a link-layer identifier that never travels beyond the local network segment: a remote web service such as Facebook sees a visitor’s source IP address, browser characteristics and account behaviour, not the MAC address. If the block McAfee describes was applied on a network the retailer itself operated, MAC addresses would have been visible there; they are not visible to Facebook’s servers, so Facebook could not block on them even if it wanted to.]

Bogus Profiles
Facebook has been attempting to crack down on fake profiles since at least 2012, but as far as I can puzzle out from press accounts, these efforts have concentrated on blocking masses of fake Facebook followers created by companies offering to boost a commercial entity or celebrity brand.

When Facebook started going after these fakes, the singer Rihanna lost 22,000 followers overnight, while Lady Gaga lost 32,000. (When Facebook-owned Instagram started doing the same, not just tens of thousands, but millions of bogus followers evaporated instantly for celebs like Justin Bieber. Instagram lost 29% of its users overall in one day.)

In 2014, Facebook put the tally of fake Facebook profiles at somewhere between 5.5 and 11.2 percent, a rather vague estimate given that the spread represents over 70 million potentially fake profiles.

While cracking down on fake followers and likes is certainly a legitimate goal for Facebook’s security, the primary harm of inflated celebrity or brand numbers is that they hurt Facebook’s ad revenues (as opposed to actual Facebook users). This is because the number of authentic followers or likes a person, product, or brand has affects how much an advertiser is willing to pay Facebook to reach that audience; advertisers had begun to realize that many of their ads were going to digital ghosts.

In a long-overdue move that may finally provide some identity protection for real users, Facebook says it will soon implement a security measure to alert a user if a duplicate of their profile has popped up somewhere.

While this is definitely a step in the right direction, it won’t protect Facebook users from crimes perpetrated by criminals whose tactics do not include copying a real profile. It won’t stop crimes committed from entirely fake profiles, like those on the NFL Pro Bowl Fans page. It will do nothing to slow retail scammers whose revenue model isn’t based on large-scale sales of fake followers or likes, or on impersonating real users for nefarious ends.

Facebook’s own 2014 figures, cited above, leave the number of fake profiles on the network rather vague; Marc Goodman’s Future Crimes, by contrast, puts the number of Facebook accounts compromised every day at up to 600,000.

The Price of Civilization
Facebook began as a huge virtual town square, a convenient place to meet your family and friends and share what is going on in your lives (while also sharing it with Facebook, who lies to you about what they are collecting, and then sells it to whoever they want, as we discussed in part one of this story).

Rather than deploying a robust virtual police force to protect legitimate users in that town square, Facebook mostly relies on users self-policing by reporting violators, and passively expects individuals to abide by terms of service that are, in reality, little more than widely-ignored admonitions to “be polite and play nice with others.”

Given their mastery of big data, Facebook could easily create algorithms to crack down on much of the crime that it passively facilitates. Facebook has done it with the gun forums, and has been proactive in blocking child pornography as well, so we know the company can use big data and algorithms to eliminate criminal activity when it wants to.

It could, for example, do a much better job at looking for the commonalities among the fake profiles used for nefarious reasons, and automatically delete the vast majority of the fakes, not just those selling fake “likes” en masse, or copying pre-existing profiles. It could take similar measures with pages and groups that egregiously violate intellectual property, instead of forcing individuals and businesses to laboriously submit (often ignored) individual complaints. It could also delete pages, like the “Botnet” page, that have been openly purveying the tools of computer crime and selling stolen financial information for years.

For whatever reasons, despite a legion of ongoing complaints, Facebook isn’t doing that. Perhaps, as one computer security professional put it (who declined to be named for fear of retaliation), Facebook’s laxity boils down to a very simple financial consideration, “There is no money for Facebook in cracking down on crime on Facebook.” If that professional is right, until Facebook suffers serious damage to their bottom line as a result of their grossly negligent inaction, that inaction will continue.

Unfortunately, that means the notion of Facebook as an idyllic town square, where earnest residents gather online to share their lives, becomes less accurate by the day. A more apt metaphor may be that Facebook is devolving into a cyber-watering hole in a vast online savannah. As unsuspecting prey gather to drink their fill and socialize with their herd-mates, more and more predators lurk nearby, concealed in the tall grass, drooling at the anticipated feast and above all, because of Facebook’s chronic inaction, supremely confident that the unsuspecting prey won’t see them coming until it is far, far too late.