He Was Targeted by the Same Scammers for Years! — A couple of weeks ago a man in South Africa asked us to help him evaluate whether or not we thought a website was a fraud. The website was Recovery-System[.]net. As usual, we turned to a WHOIS tool to evaluate who registered this website, where, and when. We told the man that we couldn’t trust this “recovery” website for several reasons. After describing these reasons to the man, we learned that this website was part of a long, 4 year old con-job that began in 2019 when the man had made an investment of $250 in a cryptocurrency. This man’s loss to a bogus cryptocurrency didn’t surprise us, but what did surprise us was how long the cybercriminals had continued to pursue him, hoping to victimize him again! Come with us as we detail what happened to him, and continued to happen to him.

We’ll call this gentleman Albert to protect his identity. Albert was suspicious when he was contacted by a recovery service “Recovery System” claiming to have recovered his original $250 stolen 4 years ago.  We urged him to be cautious because the WHOIS Record for this domain, Recovery-System[.]net, showed us that it was registered in the Netherlands just 24 days ago and is hosted now on a server in Quebec, Canada.  Any website less than 2 months old is HIGHLY SUSPICIOUS! Also, the Registrar that sold that suspicious domain was NameCheap. NameCheap has a terrible reputation for selling domains to cybercriminals and “turning a blind eye” even when people report that a domain is being used for fraud or malicious intentions. (Frankly, we wonder WHY this horrible company is allowed to stay in busy and we would love to see a Class-Action lawsuit brought against them!)

After raising these suspicions, we did a Google search for the domain recovery-system[.]net in Firefox, which allows us to search for a domain without actually visiting it.  NOTHING showed up in Google.  Google knew nothing about this website, as if the website didn’t want to be found.  That is also very suspicious. And yet, our Google search found other similar domains that looked a lot like recovery-system[.]net.

Albert told us that about 4 years ago he became interested in cryptocurrencies and was approached by an investment firm named GetFinancial[.]com. At that time he decided to invest a modest $250.00. However, not long after, GetFinancial[.]com completely disappeared and went offline. He never recovered his money or learned what happened. Albert filed a complaint against this company with the authorities in S. Africa. We used the very powerful search tools at WHOISXMLAPI.com to research this old domain and learned that it had been registered as long ago as 2005. HOWEVER, this domain had changed hands multiple times over the years and through multiple Registrars around the world. In every instance, except for a 2 year period in 2016-2017 when it appears to have been purchased by a domain squatter who registered it in Estonia, this domain was always purchased through proxy services. The identities of the owners behind this domain were always hidden.

About 2 months ago, Albert was contacted by Recovery-System[.]net to say that they had found and recovered his original cryptocurrency account and it was now worth about $41,000.00!  Albert was confident that this was a scam perpetrated by the same people who had stolen his original investment and he decided that he was going to “hit back” at them by wasting their time.  So he kept stringing them along, but never giving them more money.  Several weeks after that contact from the “recovery service,” he was told that his $41,000 was now worth more than $80,000.00! Albert sent us these two screenshots from his account and we couldn’t help but notice the discrepancy between the domain name, Recovery-System[.]net, and the name of the business in his account, Recovered Assets Systems.  We suspect that this group of cybercriminals has used many similar sounding names for their businesses and websites.

Apparently, R.E.S. or Recovery-System[.]net, was asking Albert to open a digital wallet with them so that they could transfer the money over to him. However, he needed to move $100 into their digital wallet to complete this transfer!  They explained that their service needed to see a transfer between Albert’s bank and their digital wallet to verify the legitimacy of the transaction, after which they could begin the transfer of Albert’s recovered funds to him through this digital wallet.

Of course, all of this was complete nonsense and Albert knew it! He told us that when he spoke to these people over the phone, it would often sound like the man he was talking to was in a mall or a bar somewhere, but not in an office. These scammers also kept pushing for access to Albert’s laptop through remote-control software called AnyDesk!  Having a scammer use AnyDesk to control a person’s laptop is extremely dangerous!  Albert kept pushing back to see what excuses they would invent and there were several! Over and over, Albert kept reinforcing that he would not pay a single cent to open any new digital wallet or to pay any fees to recover his funds.  These scammers have called Albert many times, continuing to push their scams and trying to give reasons why Albert needs to do what they suggest. 

Albert recorded one of these phone calls with an “R.E.S. Supervisor” and shared it with us for our readers to hear.  Below is that phone call, which runs close to 10 minutes. The quality of the recording is not great but you can hear most of what’s being said. About 5 minutes into the call, the scammer tries to explain to Albert that they need to install something called “Screenleap” so they can watch Albert set up the new digital wallet and verify his actions. That’s also TOTAL nonsense! Albert pushes back and says that any future calls from the representative at R.E.S. MUST be via WhatsApp video chat so Albert can see the person at the other end!  The supervisor pushes back and says that’s not possible. Albert tells him then that he won’t do business with them. He’s already lost his original funds from 4 years ago and he doubts he’s getting anything back.  In the end, Albert calls out these scammers for their fraud and hangs up on the “supervisor.”  This call was on May 22  with the number +27794607885:

In case you didn’t know, cryptocurrencies are not regulated EVEN IF you are working with a legitimate cryptocurrency seller. But sadly, cryptocurrency sales, investments and exchanges are like a wild west! And cybercriminals take full advantage of that fact. (Check out the 2 texts below in this week’s newsletter!)  Albert recognizes that he’ll never get his original investment back and he’s made peace with it. The fact that these scammers have persisted for years to target him is the point we want our readers to understand. At one point Albert tells us he even changed his email address to stop being contacted from these scammers but they found his new email anyway. Across many different kinds of scams we’ve learned that victims may be targeted again and again, over years, by the same scammers. It’s horrible to think that once you are a victim, you may continue to be a target of these low-life bastards for years to come.

USPS, Walmart, Memorial Day, Father’s Day, and MORE — Top scams of the week: USPS, Walmart, Memorial Day, Father’s Day, and MORE. Can you spot all these scams? Check out and protect yourself with this 100% FREE, all-in-one tool.

Another trick in the scammer playbook is to register a domain that is VERY SIMILAR to a real domain. We see this often, such as in this email that claims to represent the non-profit organization called the Scott Foundation. There are several related domains for the Scott Foundation but scottfoundationinternational[.]org is not one of them!  This domain was registered about a month ago and this email came from an entirely different oddball domain! The sender’s name was “tonya” while we’re asked to reply to Emilia Lucas.  This is just another variation of an advance-fee 419 scam.

Deeeeleeeete!

We often step onto our soapbox and yell out about the abuse of privacy of people’s personal information by legitimate companies. Here’s another sad, but perfect example of this abuse. If you own a voice-activated Internet device like Amazon’s Alexa or Ring’s home security camera, you’ll want to read these alerts from the Federal Trade Commission. It shouldn’t surprise you that these companies have collected data from you with these devices and haven’t been forthcoming about how/where that data is collected, stored and kept, or who has access to it! CAVEAT EMPTOR!

https://consumer.ftc.gov/consumer-alerts/2023/05/ftc-says-amazon-didnt-protect-alexa-users-or-childrens-privacy

https://consumer.ftc.gov/consumer-alerts/2023/05/rings-privacy-failures-led-spying-and-harassment-through-home-security-cameras

Finally, this article on Malwarebytes was shared with us and we think it is a worthy article to read! It highlights the fact that search engines such as Google can be manipulated by scammers posting Ads for products or companies and the ads are not real. They are malicious clickbait! 

https://www.malwarebytes.com/blog/threat-intelligence/2023/05/malvertising-its-a-jungle-out-there

Amazon Order, American Express and Your Intuit Account — We’ve noticed a jump in these very poor quality phishing scams disguised as Amazon emails. Of course, they don’t come from Amazon and the entire email is a low resolution screenshot containing a phone number to call the scammers. Oh, that and your order is being sent somewhere else and not to you. However, we have an additional warning for our readers… If you are of a curious mind and decide to search Google for these bogus phone numbers used by the scammers, such as 810-476-4111, be exceptionally careful about the links that Google returns.  More often than not, they include links to malicious websites in other countries, most often Turkey (“.tr”) and Russia (“.ru”).  See our screenshot below!

Here’s another “lovely” variation of this type of Amazon phishing scam.  The scam came as an attached pdf file from a personal Gmail account, not Amazon!  The package is going to be sent to a “Robert Garcia” whose name is often used in these scams.  He must enjoy getting all these free products he didn’t order!

Gmail is so frequently abused by cybercriminals. Check out this bogus email, sent from a free Gmail account, that claims to be from AmericanExpress.com.  It claims to have sent you an “encrypted message from the American Express Security Team” but what you’ve got is an attached pdf file claiming to be about your account starting with 37XXXX. Guess what? ALL American Express cards begin with 37! The link to “verify here now” points to a website called “cli[.]co” and NOT AmericanExpress.com!

Delete!

This final phishing scam may say that it came from the “Quickbooks Intuit Support Team” but the actual email address was setupaccountmerchants[.]com. MOST importantly is the link to verify your email address points to a malicious mimic for Intuit. Notice that the domain it points to is intuitcpas[.]com, rather than intuit.com. This mimic was registered just 2 days earlier. You know what to do!

JC Penny Survey, Costco Winner and Harbor Freight — We define “crap domains” as domain names that seem to make little or no sense whatsoever. This email about a JC Penny survey to earn $50 came from the very pinnacle of a crap domain: u3d29qsyj46wfh9whc[.]com.  Sounds a lot like jcpenny.com, right? Sadly, the link in this clickbait points to the very legitimate, but misused service called Googleapis.  Don’t trust it! This is 100% malicious. Two security services confirmed this for us.

Costco is an American Company and also NOT a University. And so we find it hysterically absurd that this “Costco” email came from a University account in Ecuador! The cybercriminals who sent this clearly can’t make up their mind whether to entice you with a gift card for $500 (500$) or $1000. Look closely at the email! Either way, in order to receive your “fantastic prize” you’ll have to click an abused link to the link-shortening service at LinkedIn. (t.co) That shortened link will forward you to a website, sorbeet[.]com that has been confirmed as malicious by 6 different security services.

LAUNCH DELETE!

We’ve pointed out in the past the various hardware store chains have been heavily abused by cybercriminals, including a chain called Harbor Freight. This email disguised as another “Loyalty Program” offer came from a University account in Malaysia. Notice how poorly the Subject line is written. This is done on purpose to help criminals avoid the anti-spam servers set up to protect you. This email employs a classic cybercriminal trick called a “redirect.” Clicking the malicious links in this clickbait will actually send you to another website not shown. Visitors will be redirected to a website hosted in Russia and called yoqusts[.]com.  Yoqusts[.]com has been identified as a phishing website. We decided to visit this landing point and discovered that the phishing page greeting you is a well-known phishing graphic that we’ve been seeing for more than 7 years and used heavily by a particular cybercriminal gang! Check out our screenshots below. DON’T believe the reviews you see listed online! Reviews are often fake, paid for, manipulated and unverifiable! The best hope that reviews may be legitimate are when they appear in the MANY hundreds or thousands. Another trick used in these phishing scam sites designed to collect your personal information is the timer that typically appears at the bottom of the site. It commonly begins at 6 minutes and 30 seconds. This timer is pressure for you to complete your survey quickly, without thinking about the risks. However, if you landed on a page like this with a timer and simply waited for the timer to click on down to zero, guess what happens? It just starts over! (We’ve done this dozens of times!)

Ray Ban Discount — We are so very excited! We received an offer in our email for a 90% discount for Ray Ban sun glasses! We’re imagining how cool we’re going to look in these sunglasses and pay so little for them! Can you say “knock offs?”  Not exactly.  The links in this clickbait point to a well-crafted domain name called 90off-rb[.]com. But wait. On further inspection we noticed that this lovely email came from a very crap domain in Russia! Hmmmmmm. Maybe not such a good offer afterall. Looking for the delete key….

Bitcoin Investment Advice —  In our Top Story we told Albert’s story about losing $250 to a cryptocurrency scam about four years ago and how it has come back to haunt him several times. Coincidentally, in the last two weeks we’ve seen these wonderful educational offers via text from unknown numbers/people about investing in cryptocurrencies. The first, coming from 559-370-3323, offered a Whatsapp link and an invitation to “sit down” with an analysis investment group and earn $1000 to $10,000 a day! Wow! That’s some return on investment! If you believe it, we also have some wonderful real estate to sell you in Atlantis!

One of our readers sent us a similar text invitation from 581-601-8982 to join a BTC analysis group, and also earn the same money in a day! What makes this invitation so funny is that it begins with “Hi Dear” as if it’s our grandmother reaching out to us. How cool that Grandma is into Crypto! You know what to do!

Until next week, surf safely!

Copyright © 2023 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you
have subscribed to it via Scamadviser.com or thedailyscam.com

Keurenplein 41, UNIT A6311  |  1069CD Amsterdam, The Netherlands

Contact Webmaster