from the ivory-back-scratching dept

This is not the only administration to engage in corruption. Most administrations have to some extent. It’s that corruption is the everyday, front-page business of this administration. It’s so brazen, it’s insulting. It demands Americans pretend nothing matters but what Trump wants and, to a lesser extent, whatever his current roster of obliging subservients want.

Even MAGA should be angry. But this political movement is as bereft of intellectual honesty as it is bereft of anything approaching normal human intelligence. It’s millions of people willing to be peasants just because the king has promised to make things even worse for their fellow human beings.

We, the people, end up with daily fuckery, composed and carried out by chinless nepo babies, former Fox commentators and far right podcasters, multiply-disgraced, massively-underqualified members of Trump’s personal legal team, Marco Fucking Rubio, and the homunculus currently doing business as “Stephen Miller.”

Then there’s Kash Patel — a guy who would have been derided as a diversity hire by the MAGA crowd if he hadn’t been given the top spot in the FBI by Donald Trump. Less than 18 months into his tenure, Patel is best known for partying with sports teams, abusing government airplane privileges, spending more time in nightclubs than in his office (ALLEGEDLY), and performing loyalty tests of FBI agents and officials, most often in the form of polygraph tests.

Trump’s slush fund for insurrectionists might be as (nearly!) dead in the water as the Faith No More fish (you know the one…), but Patel has apparently found a way to misuse public funds to reward loyalists willing to ride or die with a man who has managed to (ALLEGEDLY) drink his lack of qualifications under the table.

“We have been receiving troubling reports that you may be using part of the budget of the Federal Bureau of Investigation (FBI) as a personal slush fund to make tens or hundreds of thousands of dollars in unlawful ‘bonus’ payments to loyalist MAGA henchmen who have engaged in misconduct,” says a letter from Rep. Jamie Raskin, D-Md., to Patel, obtained exclusively by MS NOW.

Committee Democrats have information that Patel has issued more than $1 million in awards, the letter says. The letter says the money went to special agents serving on his Director’s Advisory Team, which Raskin’s letter describes as “a curated group of agents who are willing to carry out your unlawful partisan and personal orders.” It also went to agents on Patel’s security detail, “circumventing the mandatory maximum pay caps established by statute,” the letter says.

I’ve got to hand it to Raskin. While some will (dishonestly) object to the tone of this official letter, it’s written in a form MAGA understands: direct accusations, delivered with contempt. Most official letters/queries sent by legislators are a bit more polite and tend to treat accusations as unconfirmed suspicions, even when the accusers have the facts in hand to deliver unqualified accusations.

This letter forgoes those niceties. That makes it much more difficult for the FBI and/or Kash Patel himself to dispute the accusations. When punches aren’t pulled, the administration has to defend itself in kind. Since it far prefers to bully people who aren’t willing to deliver the first blow, it seems unsure of how to handle this:

The FBI did not respond to a request for comment by MS NOW.

The FBI has maintained its silence even after Sen. Raskin made the letter public by publishing it to the Judiciary Committee’s website. And what’s detailed there definitely looks like the actions of a binge drinker — you know, the magical moment in a bar evening when the contents of your wallet suddenly turn into Monopoly money and you don’t realize just how much damage you’ve done to your bank account until the NSF push notifications start rolling in:

In some cases, nearly $8,000 payments have been made to multiple individuals every two-week pay period despite many of the beneficiaries of your selective generosity already maxing out on a federal employee’s salary. While it is unclear at this time exactly how much each of the agents has received, we can confirm that numerous loyalist employees have received at least five such payments in consecutive pay periods, amounting to nearly $40,000 per agent. We can also confirm you have depleted the FBI reserve accounts for bonus payments at such a frenzied rate that some of the payments have bounced back from exhausted accounts.

That’s insane. On one hand, you have the drunk-on-a-spending-spree indicators: a guy who doesn’t know how much money he’s spent or from what account until someone else notifies him of his overdrafts.

On the other hand, you have the ugly reality of the situation: this is what it takes to keep FBI employees “bought.” The payments are large and happen frequently, strongly suggesting loyalty to his MAGA twist on FBI day-to-day operations lasts — at most — up until the next paycheck hits the bank. If you’re buying loyalty two weeks at a time, you’re not a benefactor. You’re a blackmail victim.

Either Kash Patel thinks he can throw money at any problem that can’t be solved with a lie detector test and a swift dismissal or agents have figured out they can make bank by pretending to be on board with whatever vengeful kick the director happens to be on that particular week. And I’ll be honest: I prefer a yes man who’s in it for personal profit to a yes man that’s in it because toadying is the only life-hack they know.

Whatever the equation, it all comes down to Patel being an absolute chump. Every negative headline increases the chance of him being tossed aside by the man whose boots he’s been licking for most of the last decade. And I can bet that most of these people walking away with inflated paychecks can easily see the buttons they need to push to ensure they get their loyalty bonuses, week in and week out.

Filed Under: corruption, day drinking, fbi, jamie raskin, kash patel, maga, slush fund, trump administration

Effective fraud prevention programs call for monitoring across every customer touchpoint from account creation to checkout, login to customer service interactions. Once established, this practice provides ground-level insights on user engagement on an interaction-by-interaction basis.

While this is a necessary layer of visibility, appropriate collation of various data sets provides the context for the identification of advanced fraud methods and early detection of emerging trends.

Below, we provide one fraud case with examples of relevant data visibility across 4 levels necessary for establishing a competitive fraud program in this constantly evolving world. 

Transaction Level: The individual interactions of users monitored and decisioned in siloes. 

Commonly, a fraud program will begin with pressure from chargebacks inciting action for monitoring transaction performance at the checkout page.

Fraudsters are persistent. When one door closes, they move to the window, the garage, and so on; Payment fraud attacks shift into Account Takeovers, deposits into transfers, Account Takeovers upstream to identity theft / synthetic ID Fraud and Mule Accounts. 

The shift happens in seconds and impacts our organizations in many ways. 

In response, practitioners deploy checks at each touchpoint. This is effective for many isolated fraud incidents but can result in increased false positives and false negatives. 

Account Level: The performance of the account over time. 

Device Intelligence, spending behaviors, geolocation, behavioral biometrics, step-up verification interactions, all help to identify evidence of account-level exploits like Account Takeovers (ATOs). 

The benefit of tracking this level of performance becomes especially clear when contrasting fraudster behavior against the historical performance of the account. Fraudsters cannot duplicate what has been defined as ‘trusted’ behavior and still get what they are after. 

They will seek to change payment information, bypass automated verifications, satisfy verifications after what can be deemed “a suspicious number of attempts”, associate new addresses / geographies, and more. 

When monitored appropriately, fraudster behaviors emerge clearly and afford practitioners increased confidence and accuracy.  

Platform Level: The performance of grouped accounts on a single platform. 

By successfully tracking performance of both ‘trusted’ and ‘confirmed fraud’ account performance, practitioners leverage these deeper insights resulting in less friction for trusted interactions, increasing customer satisfaction, and decreasing false positive rates. 

Additionally, fraud rings and multi-account attacks are quickly identified based on geolocation, device intelligence, IP resolution, and more, decreasing the time that multi-account exploits are active on the platform. 

Network Level: Partnerships with providers in the space, delivering data enrichment and decisioning based on insight across their network.  

Until this point, we have spoken about the rich data available to practitioners operating in isolation. By partnering with a solution provider, your fraud program leverages the performance of all of the other practitioners.

“First seen to you is not first seen to us.” 

Example Fraud Case: A fraudster is adamant about attacking a particular platform with stored value. For this example, we’ll use a bank. The fraudster is armed with typical information; payment information, Identity Information, and system knowledge. The majority of fraudsters have this access and deploy new methods at a moment’s notice. 

For this exercise, we will use a common fraud method wherein the fraudster sees that the target identity banks with ‘Bank X’. The fraudster accesses the account to do 3 things; Transfer funds into the account from other compromised funding accounts, request a card for an ‘Authorized User’ (the fraudster), transfer funds to a 3rd compromised account off-platform.

Transaction Level: Logging into the account is performed by contacting customer service; historically underserved, heavily reliant on knowledge-based verifications (KBVs). The fraudster is equipped with bureau information and is prepared to satisfy the verification process. 

The fraudster resets access information and orders an authorized card for a new authorized user for the account. Too rarely does this process receive the appropriate level of scrutiny. 

The fraudster reviews the spending behaviors of the account and mimics the dollar amounts for transfers into the account and withdraws from the account. Following the historic behavior seen in the transaction summaries, the fraudster follows the same behaviors.

From the transaction level, the fraudster is flying under the radar and triggers siloed verifications that they are prepared to satisfy. The clock ticks until the real account holder contacts customer service and files a report. The problem that started with customer service is finally identified at customer service. 

From an Account Perspective, this fraudster has exhibited many suspicious behaviors: 

1. Calling customer service from a new phone number 

2. Updating contact information

3. The time to ordering a secondary card

4. The relationship to the authorized user and the account holder

Advertisement

5. The timeline of transfers and withdrawals 

6. The device used to interact with the platform and initiate these suspicious actions 

Any of these interactions can be monitored and tracked with associated verifications. Again, reinforcing the idea of accuracy is a key point, when viewing the storyline from this altitude, confidence should be high. 

From a Platform Perspective, it is unlikely that this storyline was the first of its kind. By tracking these events with automation, practitioners will identify the other occurrences and pick out regions, IPs, devices, and behaviors that transcend the performance of the single account. This, in turn, informs the decisioning downstream. 

This entire process takes a matter of hours to execute. As we know, fraudsters are not operating against one account at a time. It is likely that many other accounts are currently walking through this same scenario. Time to action is vital to avoid deep financial impact. 

Indicators include: 

1. The shipping address for the “authorized card / user”. 

2. Device Fingerprinting 

3. Geolocation of the user 

Advertisement

4. Geolocation of the withdrawals 

5. Dollar amounts (though crafty fraudsters follow the behaviors of the accounts, many will gradually increase amounts over time, which is a valuable indicator) 

6. Funding institutions 

…..and more 

Looking at this from a Network Perspective empowers practitioners to automate against known suspicious data points such: 

1. The phone number that call customer service, 

2. The device used to interact with the platform 

3. The shipping address used for the authorized card / user 

4. The name of the authorized user 

….and more. 

By leveraging network information, practitioners are afforded the opportunity to leverage the insights provided by peers’ operations to make a decision in the moment and apply these findings downstream and across the entire platform. 

Schedule a consultation with one of IPQS Fraud Experts today!

Sponsored and written by IPQS.

The Bluekit phishing-as-a-service platform continues to evolve with nearly 70 new hostnames identified over the past week, and by adding browser-in-the-middle (BitM) capabilities for improved data theft.

First documented in April by Varonis researchers, Bluekit provides an AI assistant that supports multiple large language models (Llama, GPT-4.1, Claude, Gemini, and DeepSeek) for drafting phishing emails.

At the time, the phishing kit offered “customers” 40 distinct templates targeting popular online services such as Outlook, Hotmail, Gmail, Yahoo, ProtonMail, iCloud, GitHub, and Ledger.

A new report from digital risk protection company Netcraft warns that Bluekit has switched from adversary-in-the-middle to a BitM mechanism that uses the open-source JavaScript library ‘rrweb’ to serialize the page’s DOM and stream it over a WebSocket connection to the victim.

In a BitM attack, the victim interacts with a browser session controlled by the attacker, which loads the legitimate login page and relays requests and responses between the victim and the target service.

Netcraft notes that rrweb itself is a legitimate project widely used for session replay and analytics, and its presence in a web environment should not be interpreted as an indicator of compromise without a larger context.

Images, fonts, and CSS are fetched through the phishing infrastructure, while the victim’s inputs are forwarded back to the attacker’s browser.

The researchers state that rrweb was chosen for its excellent visual fidelity, real-time interactivity, and bandwidth efficiency.

However, some latency still exists, so any keyboard input and mouse click delays on the login pages should be considered as red flags.

Authentication completes in the attacker’s browser, granting them a valid session token and unlimited access to the victim’s account.

The BitM attack method has been known since 2022, devised by researcher mr.d0x and later adopted for malicious activity.

Before stealing the credentials, Bluekit uses a comprehensive victim qualification system to distinguish real targets from researchers or security crawlers.

Anti-analysis systems in the latest Bluekit include:

• Randomized CSS filters to defeat screenshot-based detection.
• A large (>1 MB), frequently changing obfuscated JavaScript bundle.
• Custom CAPTCHA that may imitate Cloudflare or the target brand.
• Browser fingerprinting (RAM, CPU cores, screen resolution, language, headless browser detection, anti-fingerprinting extensions).
• WebRTC-based IP mismatch detection to identify users behind proxies or VPNs.

Netcraft also reports that the live (5-second update interval) monitoring system Varonis previously documented is still available in BlueKit, allowing operators to monitor victims as they are entrapped in deceptive login sessions and track their actions after login.

The researchers’s report provides a set of indicators and signals that are associated with Bluekit but do not constitute indicators of compromise.

These include CSS filter manipulation on top-level HTML elements with randomized values, an obfuscated JavaScript bundle that is rotated periodically, browser fingerprint checks, a WebSocket connection sending encrypted or binary data on login pages, and WebRTC IP mismatch detection on the landing page.

For organizations looking to defend against increasingly sophisticated phishing, business email compromise (BEC), and account takeover (ATO) attacks, BleepingComputer is hosting a webinar with Abnormal titled “Stop chasing alerts: Automating email security with behavioral AI.“

The webinar will explore how behavioral AI can help security teams detect and respond to modern phishing attacks, automate investigations and remediation, and reduce the operational burden caused by alert fatigue and increasingly sophisticated social engineering campaigns.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Advertisement

Get the whitepaper

SSD prices aren’t what they were a year ago, so any sort of saving right is probably worth – especially if it’s a purchase you need.

The Crucial P310 is down from £219.99 to £182.99, saving you £37 on a 2TB M.2 SSD that hits sequential read speeds of up to 7,100MB/s across both Gen3 and Gen4 laptops and desktops.

While this is far from the cheapest this SSD has been, it is the cheapest we’ve seen it for a few months.