Products and Solutions

Hiding in Plain Sight: The Growth of Cybercrime in Social Media

Feb 29, 2016 | by RSA |

Social media attracts all kinds. These sites are used for catching up with friends on Facebook, instant news dissemination on Twitter, partisan political viewpoints expressed in online forums, real-time reach outs on Snapchat, professional networking on LinkedIn - and now, not surprisingly, they're used as global havens for cybercrime.

Today, we are announcing the release of "Hiding in Plain Sight: The Growth of Cybercrime in Social Media," a research paper which focuses on the growing use of social media as a communication channel for fraudsters. The full report is available for download and details the efforts of the RSA FraudAction Research team, who by studying this phenomenon over six months, observed an exponential growth in the volume of visible fraud activity on social networking platforms, much of this occurring "in plain sight."

The goal of the study was to research the structure, format, and entry requirements for joining global cybercrime groups across the most popular social media platforms. We investigated how each platform operates, what restrictions or advantages they offer, and analyzed the statistics of how many special interest groups are out there and how many members they have.

Some key findings of the report include:

  • More than 500 fraud-dedicated social media groups around the world were studied, with an estimated total of more than 220,000 members investigated for this report. More than 60%, or approximately 133,000 members, were found on Facebook alone.
  • Most of the fraud-dedicated groups are very public - visible and open to all.
  • The types of information openly shared in social media include live compromised financial information such as credit card numbers with PII and authorization codes, cybercrime tutorials, malware and hacking tools, and cashout and muling services.
  • WhatsApp appears to be the newest fraud communication channel. Twitter, despite its worldwide popularity and proliferation, is not preferred as a fraud communication channel.
  • During the period of this study, we detected over 15,000 compromised credit cards (called 'CVV2 freebies' in fraudster lingo) publicized on social media networks.

Facebook's Global Fandom

With 1.6 billion monthly active users as of January 1, 2016, Facebook is by far the largest social networking platform and the most popular in approximately 75% of the regions in the world.

While one would assume that fraud dedicated groups might logically set their privacy settings to "secret" in an attempt to operate stealthily, we found that most groups operate under public or closed setting. Even in the closed groups, a simple join request is all that is required to gain access without the vouching process or references typically needed to join a fraud forum in the deep web.

On a global level, carding stands out as the most popular fraud activity, comprising 53% of the posts we observed. This includes buying and selling stolen credit cards ('CVV2' is by far more popular than 'dumps'), carding as a service, buying and selling carded items, carding tutorials as a service, buying/selling/exchanging carding methods, or the usual carding bragging and sharing live CVV2 data as 'freebies'.

Other Takeaways and Coming Attractions

In Part 1 of this research on global fraud over social media, we focused on the following regions: Brazil, India and Southeast Asia, Latin America, West Africa and France and other French-speaking regions. Part two of this series will examine cybercrime across the common social media platforms in Russia and China.

Although you would reasonably expect to find fraudsters operating on Facebook in the United States and Western Europe, fraudsters in these regions continue to operate in the underground and not on social media.

In recent years, international cooperation among law enforcement agencies in the United States and Europe has yielded many high-profile and much publicized cybercrime gang busts and apprehensions. Prosecution has been aggressive, carrying heavy penalties and jail sentences. This is most likely a key contributor to the sheer lack of open fraud groups within these regions.

Hiding in Plain Site: The Growth of Cybercrime in Social Media

RSA has fully disclosed all information contained in this report to Facebook prior to publication. We would like to recognize Facebook for working with our team to quickly remove the information and responsible parties from their platform. RSA has also notified and provided this report to the appropriate law enforcement agencies.

About RSA FraudAction

RSA FraudAction is a managed threat intelligence service which provides global organizations with 24x7 protection and shutdown against phishing, malware, rogue mobile apps and other cyber attacks that impact their business. Supported by 150 analysts in RSA's Anti-Fraud Command Center, the FraudAction service analyzes millions of potential threats every day and has enabled the shutdown of more than one million cyber attacks.

For more information, please contact