Major technology companies have let their platforms become home to one of the earliest scourges of the internet—credit card based cybercrime.
In the wake of a recent Wired story which found over 70 Facebook groups created to sell stolen credit card information, Zach Allen, director of threat operations at ZeroFOX, a cybersecurity company, ran his own analysis targeting a variety of platforms, including YouTube, Reddit, Medium, and Github.
Allen told Mother Jones that he’d found dozens of instances of internet criminals appearing to be openly selling stolen credit card information on those platforms in just about 15 minutes, and was confident that with more time, he could have found many others. It wasn’t hard: Scammers frequently included common terms indicating fraudulent or stolen card information—like “credit card insider” and “carder”—in their usernames.
While credit card scammers often operate on harder to access parts of the internet, using mainstream platforms can help lower the barriers to entry to capture new business by providing a wider audience of people seeking to buy the numbers. It can even help scammers scam would be credit card scammers by taking money from customers and never actually coming through with credit card information.
Many of the posts Allen found were as recent as the last several months, however, some were posted within the last several years—some on Github appeared to have on the site since 2016 without being noticed.
“This is a large and persistent issue and much broader than just Facebook. Carders are marketing across the full range of ‘social’ platforms,” Allen wrote in a document accompanying his findings.
After being alerted to Allen’s findings by Mother Jones, the tech companies quickly responded, pointing to their existing rules barring the content.
Google immediately deleted most of the flagged examples, saying they violated terms of service. A spokesperson said in a statement that “YouTube has strict policies that prohibit the sale of many illegal or regulated goods, including stolen credit card information. We quickly remove videos violating our policies when flagged by our users.”
Reddit said in a statement that its “site-wide policies prohibit content that shares personal and confidential information, and this is inclusive of credit card information. Communities focused on this content and users who post such content will be banned from the site.”
Allen says the massive size of technology platforms and the vast amounts of information shared on them can make it difficult to address such cybercrime. “It’s easy to criticize, but when you see the swaths of data and scale of the problem they’re dealing with, you can see how difficult it is,” he said.
Still, If Allen was able to find such content with a search tool, ostensibly multibillion-dollar companies would be able to as well.
Cybercrime isn’t a new issue for the platforms, and while they’ve taken steps to curb it, egregious examples have still slipped through the cracks, suggesting that some companies might not have prioritized the issue enough. In August, for example, Motherboard found that Facebook had hosted stolen Social Security numbers and other sensitive, identifying information for years.