Reuters Blows Lid on Meta's Fraud Profit Scandal
Published by The Lawfare Institute
in Cooperation With
In an eye-popping investigation, Reuters has revealed that Meta had projected its 2024 advertisements for scams and banned goods would bring in about $16 billion, or 10 percent of its total revenue.
The report is based on a cache of documents reviewed by Reuters.
In one of those documents, Meta's safety staff estimated that the company's platforms were "involved" in a third of all successful scams in the U.S. That's a stunning figure. But we do wonder how much of that involvement is simply WhatsApp being used to talk to victims. If advertisements weren't the bait that lured victims, it hardly seems fair to blame Meta for running an end-to-end encrypted messaging app.
The company doesn't get such an easy pass elsewhere, though. Other documents revealed that Meta bans advertisers only if its automated systems are 95 percent certain that an account is committing fraud. If the account doesn't meet that threshold, but Meta still believes it is likely a scammer, the company instead charges higher advertisement rates as a "penalty." According to Reuters, the idea here is to discourage suspicious advertisers from buying ads. But in our view it's just as likely to encourage Meta to accept high-risk ads as it is to prevent scammers from placing them. It's a two-sided incentive. A scammer's penalty is Meta's profit, after all.
The documents suggest that Meta's management weighed the financial windfall from scam ads against the costs of regulatory action. The company raked in $3.5 billion every six months from ads determined by the legal team to have "higher legal risk," such as impersonating a brand or celebrity. The document notes that the revenue would almost certainly exceed the cost of "any regulatory settlement involving scam ads."
One document from February 2025 detailed exactly how much revenue Meta was willing to forgo to clamp down on suspicious advertisers: 0.15 percent of total revenue or $135 million. Our napkin math suggests that if you are willing to forgo only $135 million to tackle a $16 billion problem … you still have a $16 billion problem.
Scams are a huge issue, and our cynical view is that (much like the cybersecurity field) companies typically respond only when political pressure or government action forces their hands. Former Meta employee Rob Leathern suggested to Wired that the platforms should be forced to relinquish any money earned by scam ads. This could be used to fund anti-scam nonprofits, for example, and would remove the incentive for Meta to ignore the problem.
We can get behind that.
For Now, Supply Chain Attackers Are Eschewing Total Mayhem
For whatever reason, state-backed adversaries are showing at least some restraint when it comes to their supply chain attacks.
Last week, network security firm SonicWall announced that state-backed hackers were responsible for a September breach of the MySonicWall cloud backup service. In that incident the hackers stole all firewall configuration files that had been backed up to the service.
The firewall backup files were designed to completely restore a device or its replacement, and they included a snapshot of the full configuration including credentials and other secrets. According to SonicWall, those credentials and secrets were "individually encrypted," but it is not clear how the encryption keys were stored or derived.
The company has reassured its customers that the breach did not impact its products and that "no other SonicWall systems or tools, source code, or customer networks were disrupted or compromised." That's not entirely reassuring. The attack was clearly not targeted at SonicWall per se but was, instead, an attempt to access its customers.
Even configuration information without cleartext secrets could be used to inform attacks on SonicWall customers. Of course, attacking vendors to get to customers is not a new phenomenon.
Back in mid-October, the networking and security firm F5 disclosed an even more worrying attack. The company said it had been the victim of a "highly sophisticated nation-state threat actor" that gained "long-term persistent access to certain F5 systems." The systems accessed included the development environment for F5's main product, the BIG-IP load balancer, as well as the company's engineering knowledge management platform.
The attackers first broke into F5 in late 2023 and weren't discovered until August this year. F5 claims to be "trusted by 85% of the Fortune 500." When the breach was disclosed, the Cybersecurity and Infrastructure Security Agency released an emergency directive for federal agencies to find and patch vulnerable devices.
The day it disclosed the attack, F5 released a whole bunch of patches for vulnerabilities believed to have been stolen. In addition to the vulnerability information, the hackers stole some source code and also configuration or implementation information "for a small percentage of customers." (Risky Bulletin has a good wrap of the whole incident.)
Sources told Bloomberg that Chinese state-backed hackers were responsible, and the malware used in the F5 hack is linked to the group known as Salt Typhoon. Despite the length of time the hackers were in F5 systems and the vulnerability information they accessed, the impact of the hack, to date, is surprisingly limited.
By contrast, other Chinese-backed campaigns discreetly taking advantage of undisclosed vulnerabilities have regularly ramped up into mass exploitation once the activity is detected. See, for example, this year’s mass exploitation of SharePoint vulnerabilities and the Exchange free-for-all in 2021.
This F5 intrusion reminds us of the 2020 SolarWinds hack. In that incident, the threat actors gained access to the build system of SolarWinds' Orion software. Rather than just stealing source code and vulnerabilities, however, the build system was subverted to push malware out to customers in a software update.
Around 18,000 customers received the malware, but subsequent hacking was carried out on only about 100 of them. This breach was a huge deal politically at the time but in truth was targeted and responsible, especially in contrast to mass hacking events that have occurred since.
In F5's case, the hackers had all the pieces in place to carry out a SolarWinds-style attack by subverting BIG-IP's build, but they don't appear to have pulled the trigger.
State-backed hackers have an enduring interest in enterprise vendors whose products could be compromised to provide access to target networks. For whatever reason, adversaries seem to show some restraint in these cases, unlike the Chinese when they get their hands on some juicy Exchange zero-day and go ham.
We're not saying these supply chain attacks aren't bad and damaging. They are. But as we'll always cheerily tell you here at Risky Business Media: It could always be worse!
U.K. Suspends Drug Boat Intel Sharing
Britain's spy agencies and its military have stopped sharing intelligence with the U.S. about suspected drug trafficking vessels in the Caribbean, according to a new CNN report.
To date, 76 people have been killed in 19 U.S. strikes against what the White House alleged were drug-smuggling boats. Sources told CNN that British officials believe the strikes are illegal and the U.K. does not want to be complicit in them. The U.K. has a number of intelligence assets in its Caribbean territories. It suspended intelligence sharing about a month ago.
A source told the Times that this intelligence could come from Government Communications Headquarters and includes the location of drug-smuggling vessels and the numbers of people onboard.
The decision could result in the U.K. being cut off from U.S. intelligence in response, so it is not a risk-free move. This is a reminder that secretive intelligence agencies can be responsible moral actors, despite their frequent portrayal in Hollywood movies as utilitarian and amoral.
Russian Wipers Hit Ukraine's Grain
The Russian hacking group Sandworm has been launching wiper attacks against Ukraine's grain sector, according to Slovak cybersecurity firm ESET.
ESET speculates the attacks are designed to weaken Ukraine's wartime economy as grain is a major export for the country. Its report doesn't describe how the wipers are affecting the grain sector, so it is unclear if these are clever attacks that achieve what would otherwise be impossible with drones, missiles, or other conventional munitions. That would be interesting.
It is worth noting, however, that the impact of the war on Ukraine's agricultural production is already huge. In April the English-language Ukrainian outlet United24 Media reported that up to 25 percent of the country's agricultural land is off limits because it is either unsafe due to landmines or too close to combat zones. Russia has also used conventional weapons to disrupt exports by targeting grain storage facilities, ports, and even vessels.
Three Reasons to Be Cheerful This Week:
- U.K. to stop spoofed phone numbers: Mobile carriers and the U.K. government have agreed to a raft of measures that will make it harder for scammers to operate on U.K. mobile networks. These will "eliminate" the ability for foreign call centers to spoof U.K. numbers and also allow police to track down scammers operating within the country.
- KK Park scam center being demolished: The Myanmar military junta is dynamiting the notorious scam compound, and it is good to see further action after a raid on the compound last month. It appears international pressure is having an impact, although some observers believe the demolition is just a public relations ploy by the junta.
- U.S. cybersecurity threat sharing bill to be extended: A short-term renewal of the Cybersecurity Information Sharing Act, which expired at the end of September, is included as part of the deal to reopen the U.S. federal government. The good news isn't so much the extension, which runs only until Jan. 30, but that some lawmakers care enough about cybersecurity to include the renewal in negotiations to end the shutdown.
Shorts
NSO Group Cozies Up to Trump Administration
The former ambassador to Israel during President Trump's first administration, David Friedman, has been appointed executive chairman of NSO Group.
In the abstract, this is a positive move as it indicates that the spyware company is keen to stay in the U.S. government's good graces. This would be reassuring … in a normal administration.
Ransomware Still Has Huge Impact
In the U.K., the Bank of England has confirmed the ransomware attack on Jaguar Land Rover affected the U.K.'s gross domestic product growth for the quarter. The attack disrupted car production but also affected thousands of companies in Jaguar's supply chain.
In Japan, the beer brewer Asahi is still operating at about 10 percent capacity more than a month after a ransomware attack.
Risky Biz Talks
In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq discuss how cyber criminals and even state actors are being dumb about using AI.
From Risky Bulletin:
Another Chinese security firm has its data leaked: More than 12,000 internal documents were leaked online from Chinese security firm KnownSec.
The files were uploaded last week on GitHub by an unknown individual and later removed before the repo got any widespread circulation.
According to analyses from Mrxn and NetAskari, who got their hands on the leak, the most recent documents are from 2023. This suggests this was likely when the files were stolen/exfiltrated from the company's network, or at least someone intentionally truncated the leak to keep the most recent files for themselves.
Yanluowang ransomware IAB pleads guilty: A Russian man has pleaded guilty to hacking U.S. companies and selling access to ransomware groups.
Aleksei Olegovich Volkov went online under the hacker name of chubaka<dot>kor and worked as an initial access broker for the Yanluowang ransomware.
Volkov used various techniques to breach a corporate employee's account, escalate access to the employer's network, and then sold that access to other cybercriminals.
According to court documents, between July 2021 and November 2022, Volkov regularly sold access to individuals who later deployed the Yanluowang ransomware.
Europol arrests payment service executives for role in credit card fraud ring: Law enforcement agencies from Europe, Asia, and North America have dismantled a massive credit card fraud network that stole money from users using unwanted online subscriptions.
Eighteen suspects were arrested for defrauding users of more than 300 million euros since 2016.
According to Europol and Eurojust, the group stole credit card data, created accounts on online websites with the stolen information, and subscribed users to premium services.
