A
Hey, everyone, and welcome along to Seriously Risky Biz. This is our podcast here, all about cybersecurity policy and intelligence. My name's Amberleigh Jack, and in just a moment, I'll bring in our policy and intelligence editor, Tom Uren, to chat all about this week's Seriously Risky Business newsletter, which you can of course read and subscribe to over at our website, Risky Biz. But first, I'd like to thank the William and Flora Hewlett Foundation for supporting Tom's work here, and also Lawfare, who syndicate his newsletter and publish it on the Lawfare Media website. And finally, this week's episode is sponsored by Prowler, so a big thank you to them for that. Now, Tom, I want to jump straight into your first story in the newsletter today, because this one blew my mind. Meta, it appears, is making big bank from scam and fraud ads. A Reuters investigation has uncovered this, and it looks like they had their hands on a collection of some pretty damning documents. But what stood out to you the most here, Tom?
B
I think it was just that there were so many striking things in there, like the sheer amount of money they're talking about. Meta's own prediction for 2024 was that it was going to be $16 billion. But it was also that there were all sorts of financial incentives that encourage management to basically turn a blind eye.
A
Yeah, right.
B
Meta has its own narrative about what it's doing to counter scams. But I thought it was striking that, for example, one of the ways they try and deter scam advertising is that they, as per usual, have automated systems that try to categorize ads as scams, and they have to be 95% certain before they'll deny an advertiser. And I think there's a legitimate conversation about where you set that bar, right? You're never going to eliminate it totally. But the first thought is that 95% just seems very high.
A
Yeah.
B
Given that, you know, there are a lot of scams going around. Other parts of the documents say that Meta thinks it's doing worse than some comparable companies in terms of blocking scam ads. They talk about how they're making billions and billions of dollars, and that's likely greater than any fine that we're going to get. And so if you...
A
That's what astounded me when I was reading this, the sheer amount for a start. I think the high legal risk ads were something like $7 billion a year, and basically turning around and going, but anyone that sues us is going to be way less than that.
B
Yeah, that's right. So I thought that was interesting as well, in that they have a category for higher legal risk, which is basically if you're impersonating someone, a brand or a celebrity, someone who's got the monetary clout to be able to sue us. There's an Australian angle here. In a different piece, a Wired piece, it talks about how the Australian billionaire Andrew Forrest is suing Meta because his likeness has been used in a whole lot of scam advertising. And apparently in discovery, Meta admitted that they'd run 230,000 ads featuring Andrew Forrest's likeness. So it seems like, for a machine learning company, if you learn, maybe after the first 10 or 20,000 ads impersonating someone like Andrew Forrest or Elon Musk, you could do something cleverer and try and tamp down on that. Now, one of the things they do to try and tamp down on scam advertising is just charge them more, so rates for ads they think are suspicious are higher. That seems okay at face value.
A
Well, tell us more, Tom.
B
On one level, it makes perfect sense, right? But on another level, it's like, we're going to make more money out of these scammers. And so it has this perverse incentive internally of actually making it more profitable to run scams. And interestingly, the documents say that if you're shown a scam ad and you interact with it, you're more likely to be shown more scam ads, because that's the way algorithms work. So it all just leaves a very sort of yucky feeling. The Reuters report, I thought, was just fascinating. It feels to me like, have you ever seen The Insider? It's that Russell Crowe film where he plays an insider from the tobacco industry who goes public. And whoever gave these documents to Reuters feels a bit like that.
A
Can we just give a massive hat tip, by the way, to whoever did give these documents to Reuters? Because job well done.
B
I think the problem is that it's just not doing enough. We're not expecting Meta to eliminate scam advertising. That's impossible, clearly. But they, for example, had a limit on how much you can do. There's a team responsible for trying to tamp it down, and their limit was something like, you cannot cost us more than $135 million in revenue, out of a $16 billion problem. I don't think it's realistic to eliminate all $16 billion, right, but going some way... like, eliminating 0.1% of the problem doesn't seem like you're doing enough.
A
No, no, not quite. And I mean, we're laughing at the ridiculousness of this, but, as I was mentioning to you when we were writing this story, when I was working in a newsroom, I used to talk to some of these people for stories, people that had been impersonated in these ads. And it was heartbreaking. Every single one of them was saying to me, I've had people messaging me saying your face told me to buy whatever product. It feels like there should be a lot more than $135 million of loss on the line to be able to counter these.
B
Yeah. So in the same week there was a story in Wired where two ex-Meta employees were launching, I think it was a non-profit, anyway, they were launching an initiative to try and get more done against scam advertising. They didn't have any stories about Meta doing terribly or anything like that, but they suggested that the profits from scam advertisements be relinquished, given up to fund nonprofits that would counter fraud, for example. And that struck me as a totally sensible idea. Companies are out to make money, obviously that's their point. And if the only metric you give them is money, then they'll optimize where they think they can. So if you just remove that, it gives them an incentive to strike a better balance than what appears to be struck right now.
A
Yeah, yeah. I want to jump into your second piece and have a bit of a chat about this as well, Tom. State-backed adversaries seem to be, you're saying here, holding back a little bit on the destruction when it comes to supply chain attacks. And you've mentioned F5 and SonicWall here, and even the SolarWinds hack back in 2020. How are these more restrained than perhaps they could be?
B
Yeah, so I was thinking about SolarWinds in contrast, in particular, to the F5 attack recently. In the SolarWinds attack, which was back in 2020, Russian SVR, so foreign intelligence, hackers got into the company. They got into the build system for a product called Orion, and then they very cleverly subverted it so that in the course of normal updates it pushed out malware. That malware went to something like 18,000 different customers, but they only did follow-on operations on about 100 of them. So they picked out the targets. Now, the F5 hack: just recently, it seems like a Chinese group, by some reports, got into the build system for its main product, which is called the BIG-IP. It's a load balancer. So they're basically in exactly the same position as the SolarWinds hackers, but they didn't pull the trigger on doing a subversion, supply chain type attack. They just seem to have stolen source code and a whole lot of vulnerabilities that F5 appear to have been sitting on. And they patched immediately. They released patches immediately after they announced that the hackers had been in their systems. What made me wonder about this is that since SolarWinds there have been a number of attacks from Chinese hackers where they've just gone big. There was the Exchange hack, where they were quietly exploiting Exchange servers with a zero-day, and then when they were discovered, there was a free-for-all, a mass exploitation frenzy. And then there was the recent SharePoint one, which we spoke about a couple of months ago, same deal. They're exploiting it quietly and then they go big when they get discovered. So I was wondering if that same dynamic applies if you're in the supply chain. If you're in something like F5, would you push out malware to everywhere? And then, instead of, like in SolarWinds, just exploiting 100 out of 18,000, would you do the 18,000 out of 18,000? It seems so far, not yet.
And I mean, in the F5 attack, they didn't even go that far. So to me this is a story about changing norms of behavior and what we can expect now. I think if it was Russian hackers in 2020, SolarWinds, clearly they were discriminating and careful. And even though it was a big deal, I think it was quite targeted and responsible. Is the same thing going to happen forever? I don't know. I think norms have changed since then.
A
Do you have a theory as to, you know, when it comes to F5 and SonicWall, do you have any kind of theory as to why we didn't get that big widespread one? Was it just that things didn't align quite right, or... I don't know.
B
Picking the F5 example in particular, the reporting kind of links the group, with a couple of steps, to Salt Typhoon. Now, Salt Typhoon is a group that typically compromises things like routers, and so they're used to working their way through network equipment, which is what F5's BIG-IP is. So it makes sense that they don't branch out and do a supply chain attack that's kind of outside of their normal modus operandi. Maybe it's as simple as that: that's just not what we're used to doing. And if it is Salt Typhoon, they appear to be a group of contractors. They have the resources that they have. Contrast that to SolarWinds, where it was directly backed by the SVR. If you're a state and you get that access and you want to do something that's a bit difficult and new, you figure it out, because you've got the resources of a state. So maybe it's something as simple as that. Or maybe it's that they just didn't have time. It appears that they spent a whole year on F5's network doing nothing, and so maybe they just didn't have the time to work up an attack in the time that they were working. I don't know, I'm not sure. I think there's also, for things like Exchange and SharePoint, gold immediately at the end of exploitation, right? You can get documents that you can steal immediately, and if you then get kicked out, well, I got something for that, maybe that's okay. It's not immediately clear to me that exploiting something like the F5 BIG-IP would get you anything except more access; you'd have to do more work.
A
And I mean, this isn't to say that, using your examples, F5 and SonicWall aren't bad. It's just that they could be much, much worse. So that's good news.
B
Things are bad, but not as bad as they could be.
A
And I kind of read this one as some good news as well, so I want to just really quickly touch on it with you. The UK is not sharing intelligence with the US about suspected drug trafficking boats in the Caribbean. Do you want to quickly run me through this one?
B
Yeah. So the background, if people haven't heard, is that the US military has been launching deadly strikes against boats in the Caribbean. They claim that those boats are drug smuggling boats and that it's okay to just kill the people on board, because drug smuggling is an imminent threat to the US and they're effectively enemy combatants. That is, in my view, not a particularly strong argument, and there are many people who think that those strikes are illegal, because you just can't go around killing people, especially when they're criminals, without due process. And so that appears to be the concern of UK officials, that these strikes are illegal. They have at times provided intelligence to the US about drug smuggling. They have overseas territories in the Caribbean and have some intelligence assets there. So the reporting, at least, is that they've stopped sharing intelligence for the last month or so because they don't want to be complicit in those strikes when they believe they're illegal.
A
Yeah, yeah. That's not an entirely risk-free move either. There could be some fallout from that.
B
Yeah, yeah. So historically there have occasionally been times where intelligence sharing has been cut off amongst the Five Eyes. Usually it's some slice. New Zealand was actually cut out of particular types of intelligence for a very long time because they didn't allow, I think it was some sort of warship, maybe it was a nuclear-powered warship, into, I don't know, some harbor, like 20, 30 years ago. And so for many years, New Zealand was cut out of imagery intelligence, is my recollection. So that kind of thing does go on, and usually it's not all intelligence sharing, but it is like, you don't get this or you don't get that. So there is always the potential that someone in the Trump administration will take offense at this, especially now it's been reported, and there'll be some sort of punitive response. I think it is a meaningful step, especially considering that the UK's intelligence assets in the Caribbean, they're not exactly meaningless, but the US has far more assets in the area. The vast majority of the intelligence it's getting is from its own sensors and platforms because, I mean, it's right next door, basically. I wouldn't call it exactly a token contribution, but the UK is risking that relationship for a relatively small amount of intelligence that it gives up.
A
I don't know, maybe it's more meaningful if you're not necessarily going to make a massive contribution, but you're quite definitely making a stand.
B
Yeah, yeah, I think that's right. It's not exactly symbolic, but it's making a stand on principle, which I think it's good to see.
A
Yeah. All right, Tom, we might actually leave it there, but thank you so much for joining me today. And of course you can read Tom's full analysis in the Seriously Risky Business newsletter. You can find that up on our website, Risky Biz. But, Tom, have a great week and I will catch you same time again next week.
B
Thanks, Amberleigh.
Podcast: Risky Bulletin
Host: Amberleigh Jack (A)
Guest: Tom Uren (B), Policy and Intelligence Editor
Date: November 13, 2025
This episode digs into the recent Reuters exposé on Meta's (Facebook's parent company) profits from scam and fraud advertisements. Host Amberleigh Jack and guest Tom Uren analyze Meta's internal incentives to let scam ads proliferate, the revenues involved, and the company's tepid enforcement. They also touch on the restrained behavior of state-sponsored attackers in recent supply chain breaches, and a principled intelligence rift between the UK and US over US strikes on suspected drug boats in the Caribbean.
Reuters' Damning Investigation
Meta’s Approach to Scam Ads
Cost of Doing (Unethical) Business
Perverse Incentives and Algorithmic Fallout
On the size of Meta’s scam-ad profits:
On the 95% certainty threshold:
On legal risk vs. profits:
"They're making billions and billions of dollars, and that's likely greater than any fine we're going to get."
— Tom Uren [02:33]
"The high legal risk ads was something like 7 billion a year and basically turning around and going—but anyone that sues us is going to be way less than that."
— Amberleigh Jack [02:53]
Australian Perspective (Andrew Forrest):
Algorithmic side effect:
Whistleblower comparison:
Financial limits for tackling scams:
Emotional Fallout
Reform Proposals
Comparing Breach Responses
Changing Norms and Hypotheses
"If you're in the supply chain, if you're in something like F5, would you push out malware to everywhere?... It seems so far, not yet."
— Tom Uren [10:47]
"Things are bad, but not as bad as they could be."
— Tom Uren [14:14]
US Drug War Controversy
Five Eyes Intelligence Dynamics
For more analysis, check out the Seriously Risky Business newsletter at Risky Biz.