Scammers Pretend to be Victims in Ukraine — Low-life scammers often prey upon people who are already victimized and in pain. We demonstrated that last week in our top story about a woman who lost her dog and was targeted by a scammer because of her loss. As the one year anniversary of the war in Ukraine approached, it got more and more attention in the media across the world. This included attention from scammers! We saw more and more examples of advance-fee scams from people pretending to be in Ukraine or representing someone who was there. Most of the scammers pretended that they needed to get money out of the country. Some even pretended to be in Russia and claimed that they needed to get money out of Russia because of their war against Ukraine. Our friend Rob was on the front line of these scams and had many to share with us and our readers. Check out the lies and deceit perpetrated by these scumbags who try to take advantage of the suffering of Ukrainians, including a supposed financial firm called Advanced Financial Services Group.
Below are two brief emails of the types of scams one might expect. They reek of fraud and have all the signs of “419” scams, otherwise known as advance-fee scams. (419 scams are named after the Nigerian penal code; Nigeria is the country from which many originate. You can see many more of these on our webpage, including the tell-tale signs that an email represents a 419 advance-fee scam.) An important “poker tell” in these emails concerns the email addresses themselves. In these first two emails, notice that the name provided by the scammer in the text field does not match the name used in the actual email address. (For example, Borysko Olena is NOT Kahill Mohammed.) But most often, these scammers will send an email from one address and either ask you to reply to another email address OR the “reply-to” address is different than the sender’s email!
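The address "tells" described above can be checked mechanically. This is an added example, not part of the original newsletter: the function name `header_tells`, the sample messages and every address in them are constructed for illustration (only the two personal names come from the text above).

```python
import re
from email import message_from_string
from email.utils import parseaddr

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample messages: the scam sample reuses the two names quoted in
# the text; every address and domain below is a placeholder.
SCAM_SAMPLE = """\
From: "Borysko Olena" <kahill.mohammed@example.com>
Reply-To: b.olena@example.org
Subject: Urgent help from Ukraine

Please contact my lawyer at barrister.office@example.net for the transfer.
"""

BENIGN_SAMPLE = """\
From: "Jane Doe" <jdoe@example.com>
Subject: Lunch

See you at noon.
"""


def header_tells(raw):
    """Return the list of sender-identity tells found in one raw message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    tells = []

    # Tell 1: no word of the display name (3+ letters) appears in the mailbox name.
    local = from_addr.partition("@")[0]
    words = [w for w in re.findall(r"[a-z]+", from_name.lower()) if len(w) >= 3]
    if words and not any(w in local for w in words):
        tells.append("display-name-mismatch")

    # Tell 2: replies are routed to a different mailbox than the sender's.
    if reply_addr and reply_addr != from_addr:
        tells.append("reply-to-differs")

    # Tell 3: the body asks the reader to write to yet another address.
    body = "".join(p.get_payload() for p in msg.walk()
                   if not p.is_multipart() and isinstance(p.get_payload(), str))
    known = {from_addr, reply_addr}
    if any(a.lower() not in known for a in ADDR_RE.findall(body)):
        tells.append("body-redirect")
    return tells
```

These are heuristics for triage: legitimate bulk mail (for example a brand name sent from a generic mailbox) can trip the first check, so a hit is a reason to look closer rather than a verdict.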
Like any good fictional story, the better 419 email scams try to connect with you emotionally and ask for your help. Such was the case of an email that landed in Rob’s inbox. Our friend, and scambaiter, sent us this bizarre email that he received on February 1 from a Captain Keith C. Robinson, of the U.S. Army. Rob added “It seems many of my emails are from selfless people helping others in Ukraine.” He also added “I expect Turkey to surpass the Ukraine soon” regarding 419 scam emails. When you read this email from Captain Robinson, we think you’ll agree that it contains several serious “red flags” and parts of it just don’t make sense. For example, Captain Robinson uses awkward English and is clearly not a native English speaker. But that didn’t stop Rob from responding with a simple “Why did you pick me? What do I have to do?”
As best we can make sense of the Captain’s response below, he is acting on behalf of a family who suffered unimaginable loss in Ukraine at the hands of the Russian invaders. The Captain says that the mother, who is dying in the hospital, wants Rob to take the only surviving daughter to the U.S. to raise and educate her. The mother offers Rob the family’s wealth of $4.8 million Euros! This is all in response to Rob’s very short reply, asking why he was picked and what he needs to do. In Captain Robinson’s next email, sent the next day, notice that he’s handing off the next steps to another email address, supposedly belonging to a doctor of the injured mother.
This growing fictional narrative becomes more and more bizarre. Why should Rob contact the woman’s Doctor to handle securing the “family fund?” In case it wasn’t already obvious in the first email from Captain Keith C. Robinson, we hope you noticed in his second email that Keith Robinson has serious problems with pronouns! For example, Captain Robinson says “our only surviving daughter” when he should have said “her only surviving daughter.” But that didn’t bother Rob! He was extremely eager to help and immediately contacted Dr. Mariana Vann Holbrook via “his below email” even though “Mariana” is typically a woman’s name. This exchange of emails continued for another ten days and Rob was also asked to contact a Dr. Hans Wagner.
Captain Robinson also claimed that Dr. Holbrook has all documents to get the family funds to Rob. (Dr. Hans Wagner’s Email is Dr.Wagner_Hans@protonmail.com and WhatsApp Number is +49 (178) 5488 154) Rob contacted Dr. Holbrook through her email and received a reply that sets the stage for the most important part of this scam, access to the money! We learn that the $4.8 million Euros resides in an account with Advanced Financial Services Group.
We investigated Advanced Financial Services Group’s website at afsgltd.com and gained some interesting clues that STRONGLY suggest this website is a complete fraud and it led us to other fraudulent websites as well…
- This Financial Planning service shows a copyright date of 2018 at the bottom of their website. And yet, their domain, afsgltd.com, wasn’t registered until July 28, 2022. And rather than being registered TO THE BUSINESS ITSELF, it was registered anonymously in Iceland using the favorite registrar of cybercriminals, called Namecheap!
- Using the content on the AFSG Ltd website, we were able to find a second fraudulent website called Sovereign Wealth Portfolio Limited at the domain swpltduk.com. This second fake website was registered just 5 days before the AFSG Ltd website, though this second website says they were founded in 2008. This second site has the exact same management team as the AFSG business, such as “Head of Mandate” Dr. Dwight Cambridge.
- Another interesting and suspicious fact is that one of the names found on both of the scammers’ websites mentioned above is a “Senior Associate” Mohamed Moustapha Kone. Google also found this name and title associated with a third financial services website registered in 2021 but no longer publishing its website. It is called afinservgroup.com. Mohamed Moustapha Kone’s biography was found on a webpage that has the name “mohammed-abdallah-musa” in its title. It turns out that this name mismatch can also be found on the AFSG Ltd website:
These breadcrumbs reveal something very important about this 419 scam. These cybercriminals have been using these websites for several years to support their online fraud. This likely means they have had some success victimizing people in order to keep doing this for a few years. And that saddens us. Of course Rob reached out to Advanced Financial Services Group, as requested by Dr. Wagner. On February 16 he got this reply. Rob’s purpose in baiting these scammers was two-fold…
- Waste their time (and give them hope that they had another potential victim). Rob strung them out for as long as he could before calling them out as scammers.
- Discover any supporting websites they used for their scam and pass them on to folks like us and Scamadviser.com so we can publish them as fraudulent.
Thanks again Rob, for all your efforts and time!
We have far more scam emails that use the horrible war in Ukraine as the backdrop than we have space to share in our newsletter. However, we’ll leave you with one more email that represents another trick commonly used by 419 scammers. Check out this email from “Reverend Sister Alfira Miguel,” of the Greek Catholic Church. 419 scammers OFTEN use God and religion to make potential victims think they can be trusted.
Supporting Women Around the World — March 8 is “International Women’s Day.” This event is supported and promoted by a United Nations organization in support of global equality. James at Scamadviser published an excellent article on the Scamadviser website about Women’s Day WhatsApp Giveaway Scams. James’ article warns people about giveaway scams that pop up just before and during Women’s Day every year. We invite you to check it out:
And as long as we’re focusing attention on global equality for women, we want our readers to know about an incredible and worthwhile organization called SOLA (School of Leadership in Afghanistan). SOLA was recently put in a positive spotlight when the U.S. News show called 60 Minutes described this amazing organization and its founder, Shabana Basij-Rasikh. If you believe, as we do, in helping young women improve their lives through better education and opportunity, watch the 60 Minutes episode and consider making a donation to SOLA!
On the other hand, this next email, claiming to want to use MILLIONS of Euros to assist people suffering from the war in Ukraine, is complete BS and a fraud! You may think someone wants to give YOU money to support their cause but we guarantee it will cost you money instead! Notice that this email came from a server in Portugal (“.pt” = Portugal) and you’re asked to reply to a different email created through a free email service located in South Korea called Kakao[.]com.
OK, we can’t help but show you just one more bizarre 419 scam that our friend Rob shared with us from January and claiming to be connected to Ukraine. This “Apple Promo” email actually came from a server in Italy and told Rob that he won a MacBook Pro along with three quarters of a million dollars FROM Apple and Ebay! Of course, the email didn’t come from either apple.com or ebay.com. And why would this promotional email represent Ukraine? This is complete nonsense.
Emails Thanking YOU for Your Payment — Phishermen must find it very successful to send emails such as these, confirming that a payment was made by someone for something they never purchased! These are tricks to get you to pick up the phone and call them which is very dangerous! That’s where they trick victims into giving up information that is monetized by these scammers. Check out this recent email claiming to be a payment notification from Microsoft for nearly $300. It’s a total lie, of course.
And check out these lying emails pretending to be from Norton Security and PayPal, respectively. If you have a foghorn can lying around, we encourage you to protect your ears, call any of the phone numbers listed in these scams and, as soon as someone answers, blast them with the horn!
Netflix, Senior Discounts, and Nordstrom — This email to “update your billing information” did NOT come from netflix.com. In fact, it came from a bizarre personal iCloud account. Of course, the links in this clickbait don’t point back to netflix.com either. You know what to do!
Why should you trust an email claiming to have “18 of the hottest senior discounts” but coming from a personal Gmail account you don’t recognize? This email looks like some kind of promotional marketing piece but the links all point to a malicious website called mudbreak[.]com! Sucuri found possible malware lying in wait at the end of this link. Deeeeeleeeeete!
We received this bizarre email in one of our honeypot accounts. Notice the domain name that cybercriminals created…. NordstromSurveyz[.]shop. It’s hosted on a server in France! Nordstrom is a luxury department store in the US. They didn’t create this domain and they don’t send emails about “unclaimed rewards.” This malicious “shop” domain will also forward you to another malicious domain we found 2 weeks ago called bestshoppingpint[.]co. Run away!
Receive Delayed Messages and Upgrade Mailbox — Check out this lovely “Server notification” telling you that 14 of your emails were stuck in the server and not sent to you. How ridiculous is that? The link in this clickbait was found to be malicious by five online security services!
For months, cybercriminals have been telling us that we need to upgrade our mailbox for one reason or another. We love these emails! This latest one contained another link to a misused service at dweb[.]link. Two security services found malware lying in wait for us to arrive. We decided to tip toe away from this upgrade. They say we can no longer receive email but we guarantee that we’ll get more of these clickbait emails from these scammers!
Inappropriate Text is Malicious Clickbait — We’ve seen all kinds of threats disguised as texts but we have never seen a malicious text pretending to be related to pornography, until now. This inappropriate text (cleaned up so we can post it) contains a link to a website registered in France, hosted in India (“.in”) and only 4 days old! Oh yeah, did we say it was registered through Namecheap? ‘Nuf said. Delete.
Finally we have this crazy, nonsensical text that kinda, sorta, looks like it is related to a Netflix service, but it’s not! Your account is on “Hoid” but you can renew by clicking another malicious link. No thanks!
Until next week, surf safely!
Copyright © 2023 The Daily Scam and Scamadviser. All rights reserved.