Online fraudsters have been found offering access to credit card details, networks of hacked computers, and other fraud "services" through Facebook, according to security researchers.
Posts on a Facebook group identified by cybersecurity firm RSA included a list of stolen identities that appear to have been obtained by one of the group's members.
The group has now been removed by Facebook, which said it was a violation of its rules. It was launched on 28 February this year and at the time of its closure had 163 "likes" and 20 regular contributors.
A Facebook spokesperson said: "Security issues, from malware to cybercrime, exist across the whole of the web. Although security consultants would have you believe otherwise, cybercrime isn't a big issue on Facebook. While the site has 30 million people using it in the UK, very few people ever encounter malware or cybercrime [on the site]."
Buying and selling malware, identities and card details is widespread on the dark web, but this appears to be one of the most brazen cases to date.
The Facebook group was completely public, meaning anyone – including those without a Facebook account – could access the sites it links to and the discussions taking place on its homepage.
"We've never seen this before", said Limor Kessem, RSA's Technical Lead on Knowledge Delivery. "It's very odd to see something like this sold openly via Facebook."
The botnet being advertised appeared to be a customised tool programmed to work with Zeus, a commercial banking Trojan that steals personal credentials through logging keystrokes and form entries, and was first discovered in 2007.
"The individual [behind the Facebook group] is probably a mid-level developer. He's taken version one of Zeus, compiled it and created his own skin for the control panel. Even though this version is fairly old, we're still seeing it used", said Kessem.
"Although he is not selling the botnet directly from Facebook, he is providing detailed information about its functionality and links to a free demo. We know from our broader intelligence gathering that he is selling it from the domain he links to on the group."
In one post on the group, a member asks the group's curator to send him a private message, and then proceeds to post six stolen identities, apparently examples of credit cards he has unsuccessfully tried to use.
"From the looks of it, he may have bought them from the individual running the group on Facebook, because the post looks like a complaint about cards bring invalid. The guy who bought the compromised cards further admitted to using them – this is fraud right there in the open", said Kessem.
With the cybercrime economy booming, more and more non-experts are being drawn in, giving rise to the fraud-as-a-service market.
Rather than compile their own code or fork out large sums of money for a complete malware "package", many aspiring cybercriminals are purchasing individual components, such as the botnet advertised in this case.
The dark web is dotted with clandestine equivalents of the shopping websites and message boards commonplace on the mainstream internet, with credit card details offered in bulk and malware packages available for purchase from well designed sites complete with customer testimonies.
This case is just the latest sign that online fraudsters see themselves as untraceable. The challenge facing judicial and law enforcement authorities across the world is that of ensuring that would-be criminals understand that cybercrime can be investigated, proven and punished in much the same way as physical crime.
guardian.co.uk © Guardian News and Media Limited 2010
image: © West McGowan