Select Page
Weekly Alert  |  March 23, 2022

Rotary clubs around the world have taken swift action to provide food, water, medical equipment and shelter for Ukrainian refugees. Click on the image above to donate.

    Meet Fraudster Dr. Albert Johnson — About a week ago, a 39 year old woman (from Lithuania) reached out to us for assistance.  Though her English was not good (but better than our Lithuanian), we learned that she had been victimized by a series of online fraudulent scams, losing about 60,000 Euros in all! The story was a bit confusing to understand but it began on April 5, 2021 when a man who identified himself as Dr. Albert Johnson, contacted her via Instagram. To protect her identity, we’ll call her Beata.

    After a brief introduction over Instagram, Beata and Dr. Albert Johnson continued a friendly conversation using the Google Hangouts app. He told Beata that he was an American, under contract to work for five years in Afghanistan as a military doctor. (This is RED FLAG #1 because this is a familiar story used by scammers.) Prior to this, Dr. Johnson had been living in Texas. He also told Beata that it was a dangerous job and he had only completed 2 of his contracted 5 years.  Lately, he said, it was getting even more dangerous. (Think back to what it was like in Afghanistan last year!)

    After about twelve days of correspondence, Dr. Johnson actually asked Beata to be his fiancé in a formal document to send as a request to the United Nations as an excuse to come home. He wasn’t actually proposing, but asking for a favor. (This is RED FLAG #2) He had told Beata that only close relatives — wife, fiancée, sister, brother, etc. could provide reason enough for a sudden trip home.  It turns out, according to Dr. Albert Johnson, that his wife had passed away, as had his elderly parents.  He had a 14-year old son back the U.S. living with a caregiver.  Beata told us that she doubted him a lot but he kept pushing, trying to persuade and plead with her for help.  After a while, she finally agreed.

    Dr. Johnson said that Beata would need to send this formal request via email to the following Gmail address:

    unitednations19677@gmail.com

    NOTE: As most of our readers will recognize, this email address is a complete fraud!  As you can see on this webpage from the REAL United Nations website, any email address representing the REAL United Nations, will end with un.org after the “@” symbol.  By contrast, Gmail.com is used for personal (and sometimes fraudulent) emails that anyone can create, saying anything at all, such as “unitednations19677.”

    Dr. Johnson told Beata that her request, on his behalf, was just a formality.  Suspiciously, she asked if she would be asked to pay anything to file this request.  He replied that if that was the case it would only be a small amount of money. (RED FLAG #3) It’s interesting to note that Dr. Albert Johnson, presumably working in the U.S. Military, was also using a Gmail address: johnsonalbert90080@gmail.com.  On April 17, Beata received the following email from “Thomas” at the “United Nations.”

    Beata replied, confirming that this was her “fiance.”  Because she now trusted Dr. Albert Jonson, Beata had not thought to conduct a reverse image search of that photo.  Had she done so, she would have learned that it is a stolen image of Dr. Fernandes Gomes Pinto, of São Paulo, Brazil. Dr. Pinto’s images have been used by Romance Scammers on the Internet since at least the Spring of 2020.  You can see many reported romance scams using his image on RomanceScam.com. A group on Facebook called Scam Stoppers has posted a lot about how Dr. Pinto’s images are being used on many dating websites by romance scammers, as well.  And here is a link to a short video exposing these photos as scams. This video includes the REAL Brazilian doctor himself, Dr. Pinto, speaking on YouTube about the misuse of his photos by romance scammers!

    But Beata had no idea that the man she was helping was a fraud and not the man whose pictures she saw on Instagram or via email.  After confirming to the “UN Official” that the man in the photo was her fiance, the Official replied that he would look into her request. Though their correspondence was in English, Beata couldn’t see that Thomas’ English was poor and the emails also contained errors in grammar and punctuation that should also have raised suspicions. 

    Finally, just two weeks after meeting “Dr. Albert Johnson” on Instagram, Beata heard back from the UN Official on April 19, 2021 informing her that she had to pay 3,500 Euros for Doctor Albert Johnson’s Holiday Certificate! This is another HUGE RED FLAG (#4) that Beata should have walked away from immediately. She even told us that she was very scared and alarmed. She didn’t have that amount of money. When she explained this in an email to Albert Johnson, he reassured her that he would pay her back. As proof, he sent her a photo of his bank account showing a large amount of money from which he could pay her back. He also  informed her that he was not able to move that money from his account while working under contract with the United Nations, as a security measure. He said that this was a part of his contract with the U.N.  This, of course, is another lie!  Sadly, Beata hesitantly agreed, and took out a loan of 3,000 Euros and paid the remaining amount from her own savings.  3500 Euros is today worth about $3,875, a significant sum, especially for someone who needs to take out a loan for most of it!

    We’re terribly sad to report that Beata’s inexperience and trust in this criminal made her a continued target, over and over. This blood-sucking leech continued swindling her over and over, sucking as much money from her as he could get. Additional scams involved fake banks. For reasons that are not clear to us, Beata had arranged for a loan with a “Lithuanian Bank” called Blrak Bank (blrak.com). This bank was also a scam! Blrak.com was registered anonymously on March 12, 2021 in Iceland, about 3 weeks before meeting Dr. Albert Johnson.  Today, there is no longer a website at the domain blrak.com, but we found this former image of the main page.  This webpage is in French but the site was capable of showing many languages…

    We also found a French website that exposes online fraud called Signal-Arnaques.comThis website listed the blrak.com email address as a suspected scam.  Someone reported this fake email associated with another fake online bank offering easy loans, including student loans at 3% interest.  The other fake bank was called suissefinance-ch.com

    As you might guess by now, Beata was hearing from both the “bank” that there were problems with her transfer, AND from the U.N. Official that she now needed to pay for Dr. Johnson’s flight back to Texas. (Major RED FLAG #5)  And, as expected, Dr. Albert Johnson was promising to pay Beata back for her expenses and help.  We’re certain that many of you are shaking your heads and thinking… “how can someone be so gullible to believe this fraud!”  As Beata told us, once she had committed to paying the initial sum of money, she kept sinking deeper and deeper into this abyss because she prayed and hoped to get her money back!  And the only way back was to get Dr. Albert Johnson home. This, of course, never happened.  Do you know the expression “in for a penny, in for a pound?”  It is used to express someone’s intention to finish something once started, no matter how much time, effort, or money it takes.  This described Beata’s mindset. We also suspect that Beata was falling in love with the man she thought was Albert Johnson. In the end, Beata lost about 60,000 Euros to these scams. It was devastating and brutal.  She regrets it terribly and is worried about how she’ll recover financially from her mistakes.

    About 4 months after she stopped paying these scammers, she received another set of emails from “Dr. Albert Johnson” which, perhaps surprisingly, she shared with us. You see, what makes this fraud so much more embarrassing is that Beata fell in love with a fraudster though she was already married and with a young child. Following this email below, Dr. Johnson offered to repay her 50,000 Euros from his bank account and gave her the information she supposedly needed to make the transfer herself.  BUT she discovered that the money could ONLY be transferred if she paid a “transfer fee!”  She didn’t.  The bank was fake, of course.

      FOOTNOTE: It may surprise you to learn that after paying over and over for the many “problems” that came up while trying to help Dr. Albert Johnson get home from Afghanistan, Beata finally thought to conduct a reverse image search of the photos he sent her.  Sometime in July, 2021, Beata stared in amazement as she learned that the man she thought was Dr. Albert Johnson, was actually the Brazilian Neurosurgeon, Dr. Fernandes Gomes Pinto, from São Paulo, Brazil.  Beata told us that she then spent months contacting online companies who specialize in getting money back that was lost to online fraud. But, as the expression goes, that is like throwing salt on an already open wound because most of these companies are scams as well.

      The Dangers of “XYZ” Recently we’ve seen a lot of fraud disguised as websites using the global top level domain (gTLD) called “xyz.” A gTLD is represented at the end of a domain name.  Longstanding and famous gTLDs that everyone will recognize include “com” “org” “edu” and “gov.”  Everyone can recognize these global top level domains in websites like…

         Amazon.com

         Redcross.org

         Harvard.edu

         Cdc.gov

      While these are but a few of the many hundreds of gTLDs that are available today, they are the oldest internet gTLDs and are more trusted.  (Keep in mind that all gTLDs can be abused!) HOWEVER, if you see a global top level domain ending in “xyz” you should NEVER click on that link or visit that website! In our experience, 100% of the time that website is malicious.  Here are a few examples…

      1. In early March, TheDailyScam.com received an email from “Ed Harris” asking us if we needed working capital. The email came from fundingleaders[.]xyz.   We were immediately skeptical of this unsolicited offer.  After conducting a Google search, we learned that there was no such business at the address the Mr. Harris listed in his email. A Google search for this property shows a bunch of garage doors as if this is a storage facility.

        2. Our second example concerns a text that we received on March 14th from 416-859-3457. “It seems that you have forgotten to claim your package from us.”  We were invited to click a link to a domain called 0lm[.]xyz. This crap domain was registered in Spain just 3 days earlier, and we all know what that means…  100% malicious!

        We urge our readers to ALWAYS look at the global top level domain found at the end of the name of a website.  You’ll always find it just in front of the first single forward slash, separated from the domain name by a period.  In this week’s newsletter, you’ll see many more examples of another malicious gTLD being used a lot by cybercriminals lately.  It is “cam” (NOT to be confused with DOT-com.) Anytime you see an oddball gTLD just in front of that first single forward slash, be VERY CAREFUL! The odds are that it is most likely malicious.

        Amazon Account on Hold and Your Norton Life Lock Subscription One of our longtime readers sent us this smelly phish disguised as an email from Amazon.  Most readers will look at the text that immediately follows “FROM” and think that this email came from no-reply@amazon.com, but that’s not true!  That email address was placed into the text field!  This email came from the crazy malicious domain called ath0s4bxsztv[.]com that appears between the <> symbols.  Also, the link to sign into your Amazon account actually points to LinkedIn!

        Cybercriminals are capable of using links for LinkedIn that will redirect you elsewhere on the Internet. This Linkedin.com link is designed to redirect victims to a malicious phishing website in the Philippines that is well known by cybersecurity services.  Deeeeleeeete!

        Another one of our readers sent us this lovely short email from “Slade Waters” who used a personal Gmail account instead of some business domain.  “Thank you for choosing us.”  The attached pdf file showed a receipt for the purchase of Norton Life-Lock for nearly $400.  However, the recipient was invited to cancel this order by calling the scammers at 740-561-1357.  Notice that this pdf invoice contained no name or address of the recipient.  It is, after all, just a fraud. Delete!

        Seafood Delivered to Your Door, Best Real Estate Deals, and a Precision Screwdriver! During the ten years that we’ve been informing readers about online fraud and malicious intent, we’ve seen many hundreds of types of clickbait. But this is the first time we’ve ever seen clickbait disguised as an offer to buy “Healthy, Delicious, Wild All American Alaskan Seafood.”  This email wants you to believe it is associated with USAWildSeafood.com but if you look closely, you’ll see that malicious gTLD called “cam.”  This email came from zogbhiir[.]cam and the links point back to it!  If you look at the link revealed when we mouse-over, you’ll also see that this clickbait came from the infamous Hyphen-Poopy gang in India!

        This malicious domain, zogbhiir[.]cam, was registered just 4 days earlier and is hosted on a webserver in Moldova! And in case there was any question about this email, the Zulu URL Risk Analyzer also thought the link to this crap website was malicious! ‘Nuf said.

        While we’re looking at the dangerous gTLD identified as “cam” let’s take a look at “the best real estate deals” near your area.  Except these exciting deals came from the domain qamzkas[.]cam.  The “perfect home” is NOT here and, once again, mousing over the link shows that the Hyphen-Poopy Gang is responsible for this clickbait.  They hyphenated the words ensurers and Pearce in the link. And just like the above malicious DOT-cam domain, qamzkas[.]cam was also registered just 4 days ago and is hosted on a server in Moldova.

        And finally, we’ll leave you with this lovely advertisement we received in our inbox for a “precision screwdriver.”  The crap gTLD used here is “xyz.”  This domain, ew4gtwv4[.]xyz, was registered in Iceland 3 days before this offer landed in our inbox.  You know what to do.

        Package Redelivery Notice, Audio Note Received – Another reader sent us this lovely notification, presumably from the U.S. Postal Service, telling him that a package intended for him could not be delivered.  Fortunately, he’s smart enough to notice that this email came from the crazy domain any[.]repair!  Oddly, this malicious domain has been in use for nearly 2 years!  It was registered in Qatar! Malware lies in wait.  Deeeleeeete!

        Apparently, some international cybercriminals don’t know how to tell us that we have a voicemail waiting.  Instead they said “new audio note received.” What lovely phrasing! What also told us this was a lie is the fact that this email appeared to come from someone at a local university.  BIG REVEAL…. University employees don’t tell people that they have received an “audio note.”  The link pointed to a service called Menti.com that is used to create online presentations.  Of course, when we visited that presentation, we found another link that we were invited to click.  No thanks. We don’t need that message.

        Approved Program for a Loan! –We are soooo excited! We recently received a text informing us that we were approved for a $5000 loan! It came from 202-967-1820 and the link pointed to the very cool domain USANewBank[.]com.  Well, that name says it all!  We HAD to visit it.

        The website for usanewbank was charmingly simple and left us speechless how easy we could put our hands on $5000. Being naturally skeptical, we decided to see how long usanewbank had been in business and checked our favorite WHOIS.  Turns out that this domain was registered about 2 months earlier in Iceland.  We were no longer feeling the love.  But it didn’t matter because we received another “open offer waiting!” Yup! This time the text came from 205-793-0624 and the link pointed to an impressive sounding website called TextBankUSA[.]com. (If nothing else, we’ll give these scammers points for name originality!)

        Until next week, surf safely!

        Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you
        have subscribed to it via Scamadviser.com or thedailyscam.com

        Keurenplein 41, UNIT A6311  |  1069CD Amsterdam, The Netherlands

        Contact Webmaster