back to top
Tech

Shady Marketplaces Selling Fake Facebook Profiles Operate In Plain Sight

Thirty minutes and a little bitcoin can buy you an army of believable Facebook users.

Posted on

Audrey Mitchell is a 23-year-old New York City transplant from London. She’s an aspiring model working at KFC. According to her profile on Facebook, where she has 921 friends, she likes the New York Knicks, the movie Me and Earl and the Dying Girl, and the St. Paul, Minnesota-based hip-hop duo Eyedea & Abilities. She's currently single, but her Facebook Messenger inbox is full of unknown men sending her stickers, emojis, flirty messages, and dick pics. She loves cupcakes. Also: She doesn’t really exist.

I know this for certain because it took me just a few clicks and one painless $13 bitcoin transaction on a Russian website to buy Audrey Mitchell and her believably constructed digital footprint. After the transaction, an emailed link offered up a downloadable file containing the unique phone number Audrey’s account was registered under, a password, and a registered birthdate — all the necessary credentials to gain access to the account.

Within 30 minutes I was behind the wheel of Audrey's page, liking pictures, posting status updates, and warding off creepy messages. There was little to suggest that the page was inauthentic — or that its operator was a 30-year-old journalist in Montana.

Across Facebook there are countless others just like Audrey — dummy accounts with partially written backstories, a small posting history, and a photo gallery of real people taking real selfies. They trade hands in a vast web of fake-account marketplaces, where, for a small sum, any interested marketer, scammer, or troll can amass a legion of seemingly human profiles capable of outwitting Facebook’s detection.

Testifying before Congress in April in the aftermath of the Facebook election scandal, CEO Mark Zuckerberg told legislators “you’re not allowed to have a fake account on Facebook." And yet these fake profile marketplaces continue to thrive in plain sight online.

“There must be millions [of accounts for sale],” one Facebook account seller based in Europe speculated to BuzzFeed News regarding the size of the fake accounts market. “I go to these big marketplaces and see they have several thousand [profiles] in stock at all times. I couldn’t say if it was tens of millions or hundreds of millions but Facebook deletes some and people keep making them. Always.” Similarly, when asked how many fake accounts I could purchase from them at one time, the seller told me, "I could send 5,000 accounts right away."

Facebook told BuzzFeed News that fake accounts represented approximately 3% to 4% of its 2.19 billion monthly active users during the fourth quarter of 2017 and first quarter of 2018, though the company suggests that the accounts sold in these types of marketplaces represent only a small number of the fake accounts that Facebook monitors.

The company is constantly battling phony accounts. On Tuesday, Facebook announced in a transparency report that it disabled 583 million fake accounts and millions of posts that included sex, spam, and hate speech in just the first three months of 2018. And yet Facebook account marketplaces manage to operate in plain sight: A Google search for “PVA [phone-verified accounts] Facebook” returns dozens of websites selling accounts that are registered with unique phone numbers and are therefore recognized by the social network as more likely to be legitimate accounts. These marketplaces exist in direct violation of Facebook’s terms of service and brazenly offer step-by-step guides for bypassing the company’s detection while using bogus profiles.

While one account seller told BuzzFeed News they had “almost never seen a market for stolen accounts,” it appears the marketplaces have incentivized hackers to try to steal Facebook accounts from real people. In one instance documented by Erin Gallagher, an independent data journalist, an Egyptian hacker broke into the Facebook account of a dead man in order to steal and sell the profile to a marketplace. “In each account you get 20 pounds / person who buys them because they want old accounts,” the hacker told Gallagher.

Facebook said it is aware of these bogus account marketplaces, which the company notes are not unique to the platform. (Plenty of Twitter, Instagram, and email accounts are also available for purchase.) “We actively review online marketplaces to help disrupt scammers who try to sell fake accounts. Our machine learning systems help block millions of attempts to create fake accounts each day, and we catch many more once someone tries to use them,” Bill Slattery, Facebook’s head of e-crime investigations, said in a statement. Slattery also suggested that the fake accounts marketplaces may be inflating numbers or, in some cases, selling bogus information. “Just because an account looks available for sale doesn’t mean it’s actually valid or that it can be used successfully without getting caught. We also work with law enforcement when appropriate.” All nine phone-verified accounts I purchased from two separate marketplaces while researching this piece worked and successfully avoided detection from Facebook while posting.

The most basic of the fake profiles available for sale are “softreg” accounts, which are recently auto-registered using software programs and have few friends. These appear to be purchased in bulk — in April, one Russian site was selling as many as 2,100 softreg accounts for 5 cents each. There are “boosted” accounts, which are either manually registered or created using a softreg program and populated with friends comprising a mix of bots and mutual followback agreements. And finally, there are “aged accounts,” which claim to have been activated between four and 10 years ago. Across the marketplaces, aged accounts are considerably more expensive (running anywhere from $5 to $150 per account) as they’re much less likely to be flagged by Facebook’s account-monitoring software.

A Russian site called AccsMarket offers interested buyers the opportunity to purchase accounts registered as early as 2004 (the year Facebook launched) with 5,000 allegedly real, non-bot friends for $150 apiece. When BuzzFeed News inquired to see if an account was preregistered and left dormant or acquired from a real person, the company said only that the account was “abandoned.”

In some cases, it is unclear where a fake account ends and a real identity begins. In January, I bought five profiles — including five sets of unique profile and photo album pictures, as well as Google Voice phone numbers to authenticate the accounts and provide them with believable identities — using an aged-account marketplace. In each case, the photos provided were original images of real people. A reverse image search for one of Audrey’s profile photos revealed that it appeared to belong to a Russian model named Yuliya Yanchenko, who did not return a message asking for comment.

A Facebook profile seller told BuzzFeed News they typically purchase pictures from a group in India that harvests photos from places like the Russian social networking site VK, which is not indexed by Google and therefore less likely to show up in a reverse image search. The seller told BuzzFeed News that they prefer to buy photos of attractive women. “If you post pics of a sexy girl and send friend requests to Indian men, Arab speakers, or South American men, they will accept quick and then all their friends will request you,” the seller said. “In a few days you will have thousands of friend requests.”

For most buyers, what really matters is that the fake accounts are believably real to the untrained eye and don’t trigger Facebook’s spam protections. To make sure of the latter, many of the aged-account purchasing websites offer explicit instructions to “warm up” the accounts and make them appear authentic. The website for AccsMarket tells users they “must first perform some common actions that a normal person would do after registering. Example: fill out the page, subscribe to several people, put a few likes, fill out the page, fill in some photos, make a few reposts, comments, etc.” The accounts seller noted that one successful way to warm up a profile is to engage in political debate. “I’d make the account pretend to be in favor of Catalonian independence and as soon as you post anything about Catalonia and independence you get dozens of friend requests from indepentists,” the seller said. “All them are VERY active and ONLY interested in posting and sharing this kind of political extremism.”

Other sites offer other precautions like VPNs, which mask IP addresses and manage multiple account logins from different devices. Some sites even suggest using software like RF_SCreater, a program that can generate a fake scanned copy of a Russian passport with the name, date of birth, country, and city of one’s choosing in order to dupe Facebook when it locks an account and demands further authentication.

But while the accounts markets appear to be quite active, sellers are frustrated that Facebook has made verification of sock puppet accounts much more difficult. “Facebook is now blocking this pretty well,” the seller said. “As soon as you post one external link, you are locked or your post is hidden until you get a very highly trusted account, and to do that you need warm it a lot.” The seller noted that of the 500 most recent accounts they’d sold, it appeared that 292 are still active.

According to the accounts seller, “90 to 95% of buyers are marketers” who flood the social network with links embedded inside status updates, group postings, and private Facebook messages. “And then,” the seller continued, “there are the low-rate buyers — people looking for personal accounts because theirs were disabled, or looking for an alternative account for playing or trolling. Some girl bought an account [from me] to spy on her boyfriend.” In one instance, the account seller said that they had to report a potential buyer from Uruguay to authorities after it became clear the user was trying to purchase Facebook accounts to pose as a teenager and potentially begin conversations with young girls.

According to Renee DiResta, a computational propaganda researcher for the organization Data for Democracy, foreign state actors can also use fake accounts for political gain (though Facebook suggested the bulk are used for spam). Fake aged accounts, for example, could provide a necessary cover for trolls looking to start groups to gin up political discord. And as Facebook cracks down on politically charged ads (a Facebook spokesperson said that advertisers will be prohibited from running political and issue ads until they complete a thorough authorization process) DiResta noted that the fake profiles complicate the company’s job of securing its platform from outside influence. “Facebook has become more sophisticated at detection because the majority of people who buy fake accounts, traditionally, have been spammers who behave a certain way. But if it’s a state actor buying accounts, they’d have more sophistication and could potentially evade the checks that catch the spammer profile.”

Managing fake Audrey’s account was exhausting. Each time I logged in to her page I was besieged with a deluge of friend requests; leaving her page open in my browser led to a flurry of spammy Facebook messages, up to 68 in under an hour.

Life in Audrey’s Facebook world was eerie. On the surface, her page and feed had many of the trappings of a very normal online life, but any attempt to probe it further revealed it to be a hall of mirrors protecting a legion of scammers, sock puppets, and horny men desperate to chat. My feed was full of posts in broken English followed by suspicious links that inevitably turned out to be spam; when I sent a series of messages to Audrey’s connections, trying to understand how they’d ended up as friends, most of those who responded replied with a spammy link to a dating site or a request to join a group or to “check out my friend’s page!” Only a few responded in a way that appeared to be genuinely human; in one case a concerned parent of one of Audrey’s friends issued a stern warning: “Andrew is a juvenile and you need to delete this contact,” they replied.

"We gauge legitimacy based on things like number of friends or followers an account has, or when it was created."

Spending a few hours in Audrey’s upside-down Facebook world, I began to doubt the legitimacy of even the seemingly real content. On Facebook, it has become increasingly difficult to know for sure where the content we view is really coming from, or what the true motives of those who are posting and sharing are — fake accounts, then, are just another hurdle in the platform’s constant war against misinformation.

Worse yet, the knowledge that fully realized profiles could be anywhere has the ability to slowly erode trust in determining what is real and what is fake. “Online, we don't personally know many of the people we engage with, so we gauge legitimacy based on things like number of friends or followers an account has, or when it was created,” DiResta said, noting that when experts attempt to teach how to detect bots or sock puppets they often ask, “Does the account have friends?”

“As people become more aware that disinformation is a problem, we’ve established a checklist of things to help detect fraud — but established fake accounts bypass many of those checks.” ●

Advertisement

Charlie Warzel is a senior writer for BuzzFeed News and is based in New York. Warzel reports on and writes about the intersection of tech and culture.

Contact Charlie Warzel at charlie.warzel@buzzfeed.com.

Got a confidential tip? Submit it here.