Built-in browser hijacked, what do I do?
I did use search - found this "...hijacked the default internet browser" recent post but it did not help (even using suggested there anti-malware app).
Problem: when I open default browser, it goes not to empty page (it's how I setup Home) but to gotoamazing.com. If I open new tab - same thing.
Yes, Chrome is fine but it takes too much memory...
Please, help! I am just an end user, so no "root", regular Android 4.4.2 tablet.
- Welcome to Android Central! Which phone? Go to Settings>Apps>All, select the browser, and Clear Cache/Clear Data, then Force Stop. Now see if the problem persists.
- It's Android tablet.
I've just tried the steps - nope, did not help
- Which exact brand and model is it? Android is just the term for the OS.
Also, try booting into Safe Mode, which temporarily disables all 3rd party apps. On most Android devices, while powered on, press and hold Power until the Power Off menu appears. Press and hold the Power Off selection until the Safe Mode prompt appears. Tap OK.
If the problem disappears in Safe Mode, then something you installed is causing the problem. You may have to uninstall apps one by one until the problem disappears.
- It's a 7" tablet by TooSell - but malware/browsers/etc belong to OS only, right? Same thing as malware in a browser under Windows does not depend on a brand, being it Dell or Lenovo...
Let me try. Nope, same thing - as far as I've read, the malware was brought by some 3rd part application but even though I uninstalled it later, the malware still exist in browser...
:-(Which exact brand and model is it? Android is just the term for the OS.Originally Posted by B. DiddyAlso, try booting into Safe Mode, which temporarily disables all 3rd party apps. On most Android devices, while powered on, press and hold Power until the Power Off menu appears. Press and hold the Power Off selection until the Safe Mode prompt appears. Tap OK.
If the problem disappears in Safe Mode, then something you installed is causing the problem. You may have to uninstall apps one by one until the problem disappears.Originally Posted by B. Diddy
- The reason I asked for the brand and model was to see if I could suggest wiping the system cache partition, which can help with various problems, and doesn't erase any personal data. However, with those off-brand devices, it can be hard to find out how to boot into Recovery Mode to wipe the cache, since the procedure differs among devices.
At this point, you can either use another browser (try Opera Mini or UC Browser Mini if you're looking for something lightweight), or do a factory reset. If you choose the latter, then before the reset, go to Settings>Backup & Reset, and uncheck Automatically Restore. After you do the reset, and after the Setup Wizard is complete, go immediately to Google Play Store, and stop any app from automatically installing. Now see if the stock browser still directs you to that site.
- Yes, I would like to do so (nothing really important I have there - it's my first tablet, I just played with it).
As for the last step -
"go immediately to Google Play Store, and stop any app from automatically installing" -
how would I see such apps that are trying auto-install? Front page will show me?... do a factory reset. ..., then before the reset, go to Settings>Backup & Reset, and uncheck Automatically Restore. After you do the reset, and after the Setup Wizard is complete, go immediately to Google Play Store, and stop any app from automatically installing. Now see if the stock browser still directs you to that site.Originally Posted by B. Diddy
- No, swipe in from the left and go to My Apps.
I had the same problem when using the android browser with a new tab redirecting to gotoamazing every time i looked at a new URL.
I found another post on the web where a similar hijack problem was solved by connecting the tablet to a computer and looking at the android files and then deleting the problem one.
When I looked at the files on my tablet there was one labelled XBKP, which is the prefix on the web address when the tablet was redirected to gotoamazing
Deleting this file solved the problem. I hope this helps
- "Deleting this file solved the problem."
I was not able to find that file - do you remember it's full name and/or a directory where it was located?
P.S. I have no files under Android/data/com.android.browser
- Welcome to Android Central! Could you possibly share that link with us?I found another post on the web where a similar hijack problem was solved by connecting the tablet to a computer and looking at the android files and then deleting the problem one.Originally Posted by robotc
I think I have given the wrong information. The problem came back after I deleted the XBKP file.
I have investigated further and had some success
I downloaded Malwarebytes Mobile and scanned the tablet. It found 6 trojans
Malwarebytes removed the first four on the list but could not remove the last two.These are files for the apps MTK Music Provider and rstech_knile
It appears that this has fixed the problem with the browser for now.
I found a reference to the app rstech-knile which appears to be installed by the factory and allows the installation of malware.
Scroll down to Post from Ralph77 on 1 March 2015
I have disabled rstech_knile so hopefully the problem will not return
I wanted to give an update on the problems with my tablet.
Disabling the rstek-knile app has permanently stopped the browser redirection to gotoamazing.com
There is still a problem with downloads of a LOT of adware. I believe this is caused by MTKMusicProvider. I can force stop this app but the disable button is greyed out. When the tablet is rebooted the app starts up again and a stream of adware is loaded. MalwareBytes picks this up but it is really annoying to deal with.
Is there any way to permanently disable the app or is the tablet heading to the rubbish bin?
- Hi, I had exactly the same problem. My tablet is Goclever Quantum 1010M running KitKat. Displayed the self-advertising and Internet applications home page was set to cool123.net, no cleaning did not give results. After some time the home has changed for the gotoamazing.com. The tablet popping up advertising programs that after uninstalling popping up again. I managed to uninstall BroService of success - not reappeared, but Linervice installing, after each reboot. So I decided to make ROOT the tablet. I deleted the data in the folder /data/data/com.android.browser and advertising disappeared.
After scanning program Mbam was found one suspect program: /system/app/GoogleProvider.apk as an application MTKMusicProvider - I removed it. Then I removed the file /system/priv-app/XBPK.apk listed as rs_9103_v30 application. There was still a problem with Linervice 4.0 - /data/app/com.google.eVideo1Service-1.apk was still installed after the restart. I began to search the applications in /system/app for false name. As suspected, I found GooglePlayService.apk whose listed name is CrashService.
In the folder /data/data/com.mediatek.Crash Service found entries in the .xml files showing that the application tries to download files from the internet just com.google.ePlay1Service-1.apk and com.google.eVideo1Service-1.apk known as BroService and Linervice.
note: Deleting files must be done with WiFi disabled .
good luck with removal
- Hello dear
Pff old date but it is important to delete hacking apps from /System/Apps/
I have got stupid hacking apps
You need to download Kingo Root
Need important apps:
Link2SD and DU Cleaner and DU Speed Booster , DU Battery Saver and Task Manager ( If you are using Kata or Asian mobile companies... )
1. Kingo Root own click
Wait if it says "Your device is rooted"
Than you download Link2sd and choose System than find dangerous hackjet apps and press long and "uninstall"
I hope you have not problem to uninstall with stupid hacking apps.
- I would like to thank you as Cleaning cache + Force Stop did the trick for me.
I noticed that some really popular websites which has an ads zone managed by Google Ads currently has ads that do some really nasty things.
Those ads do the things in the following order :
1) At first, it change the homepage and new-tab page of your browser and set it to a specific page that includes multiples links like a Custom Google search bar.
2) That page includes many ads box. (Yeah... the scammer who created those website actually makes money out of your visits)
3) Some of those ads box install some adware/minor malwares even just by loading them (through the browser).
4) Those adware/minor malwares will put ads over your browser windows. (lower right corner most of the time.)
5) Clicking on those ads (which looks like Play Store's ads) install even more crap into your browser. The bad thing is that the "X" of those ads is the size of about 6x6 pixels so it's extremely easy to press the ads instead of the closing button. Also, closing the ads doesn't work for long as it will come back 3 sec later.
As bad as it might sound, there's no anti-virus that can protect you from this process. BitDefender, Avast and Malwarebytes doesn't seem to detect anything as it all goes through as some kind of system updates and not as "new apps".
The first time it happened to me, I had to format my Android tablet because things went really too far.
The second time it happened to me, I was a bit more ready. First, I always kept an eye to the apps installed in the device... even make a list. Whenever something new is added without me doing anything, I remove it. In the case of the ads in the corner, it's often called "VideoPlayer" which is actually an old adware that existed since 2008. Originally, it's known as "Ads by VideoPlayer", but it's only "VideoPlayer" for the Android. Then you got to close the browsers (quit the apps) in the "Running Aps", clean their cache and even then Force Stop them (from the "All Apps"). When you will start the default browser, it will request to log into your account as if you just started the device for the first time. Then all trace of the previous temper will be gone.
You will have to repeat the whole process whenever something unusual happens such as the change of your homepage.
- If you have come here with redirect issues, try B. Diddy's simple instructions first. Worked for me. Must be some kind of hook that rides in on the browser cache. But going to Settings>Apps>All, selecting the browser, and selecting Clear Cache/Clear Data then Force Stop worked like a charm. Thanks B. Diddy!
Audrey Elaine Elrod was in rough financial shape as the 2012 holiday season drew near. She’d been out of work for a year, ever since quitting her longtime clerical job at the county public health department in Charlotte, North Carolina. The 45-year-old divorcée and junior-college dropout now lived in Bluefield, West Virginia, a fading town near the Appalachian coalfields where she’d been raised. In addition to collecting $344 in unemployment benefits each week, Elrod made ends meet by hustling: She resold packages of discount toilet paper and peddled small quantities of prescription drugs. She scraped together just enough to rent a 676-square-foot garage apartment that she shared with a roommate, a gangly buffet cook a dozen years her junior.
On the Tuesday after Thanksgiving, Elrod opened a checking account at a First Community Bank branch located just across the state line in the twin town of Bluefield, Virginia. Despite her hand-to-mouth circumstances, Elrod’s new account soon began to receive a series of sizable wire transfers, many of which originated abroad. Over the course of one December week, for example, almost $30,000 arrived from Norway; on January 2, someone in France sent $16,977. Elrod never let this money linger: She always showed up at the bank a few hours after a transfer cleared, to withdraw as much as $9,500 in cash. She would then return on subsequent days to make additional four-figure withdrawals until the account was nearly empty.
At Walmart, Elrod would head to the MoneyCenter counter, where she'd transmit between $1,500 and $1,800 to a man she knew as Sinclair.
As soon as Elrod would exit First Community with a bundle of $50 and $100 bills in her purse, she’d hang a right and walk across the parking lot to Ridgeview Plaza, a vast and featureless shopping mall surrounded by scraggly woods. She would pass by the drive-through tobacco outlet, the Dollar Tree, and Bellacino’s Pizza & Grinders en route to the mall’s centerpiece, a typically gargantuan Walmart. There she’d head straight for the store’s MoneyCenter counter, where she used MoneyGram to transmit usually somewhere between $1,500 and $1,800 to a man she knew as Sinclair.
Elrod would spend the next few hours visiting other Bluefield establishments that offer MoneyGram or Western Union services: the Advance America payday loan store, the Food City supermarket, the austere cash-for-titles joint located literally under Route 460. At each stop she’d wire another chunk of money to Sinclair. Sometimes, if her phone bill was due or her refrigerator was barren, she kept a few dollars for herself. But more often than not, she ended the day no richer than she’d started.
As she waited for the Bluefield Area Transit bus to whisk her back to West Virginia, Elrod would think about her fiancé, a Scottish oil worker she’d met online. She knew they’d soon spend hours gabbing on the phone, as was their daily habit. No matter how tired she got from helping Sinclair obtain his money, the prospect of hearing her fiancé’s adoring voice always managed to lift her heart.
Elrod’s love affair began with the sort of dodgy Facebook message that most people delete on sight. She discovered that message in March 2011, 20 months before opening her First Community account, while cleaning out her junk-strewn “Other” mailbox during a respite at a Charlotte mall. The missive caught her eye because of the sender’s handsome profile photo, which showed a middle-aged man with a ruddy face, strong black eyebrows, and a welcoming gaze. His name was Duke Gregor.
“How beautiful is your picture Audrey,” the message read. “My name is Duke, I am from Aberdeen do you know where? I am a Mechanical Engineer with Transocean. I have a son named Kevin and by the Grace of God I will meet that someone again.”
The typical Facebook user would likely recognize such a note as bait, but Elrod was in a place in her life that made her vulnerable to such flattery. She was in the midst of divorcing her husband of 14 years; his legal woes (including arrests for benefits fraud and making a false bomb report) had strained their marriage. Anxious about her future as an older single woman, Elrod lapped up the kind words about her looks—too few men seemed to appreciate her soft chin, wavy hair, and prominent brown eyes.
She wrote back, thanking the sender for complimenting her beauty and asking how he’d found her. He said he had stumbled across her profile while searching for a college friend who shared her last name; he also noted that his own surname was actually McGregor, not Gregor. After a bit more flirtatious back-and-forth on Facebook, Elrod invited him to continue their conversation on Yahoo Messenger.
Elrod and McGregor were soon chatting online for more than 12 hours a day. McGregor often talked about the agony of losing his wife, Susan, who he said had died in a car accident in Edinburgh in 2003. But he’d refused to let that tragedy destroy his joie de vivre, as evidenced by the many photographs he shared with Elrod: When he wasn’t working on North Sea oil rigs, he enjoyed reading classic novels, playing with his tiger-striped tabby cat, and strumming a heart-shaped guitar.
McGregor was also a tremendous listener who never hesitated to lend Elrod a sympathetic ear. “He wasn’t like the little boys I was used to dealing with—he was the opposite of that, so sincere, so caring,” Elrod says. “It wasn’t always about him, it was about me, about everyday stuff in my life.” Within weeks of their initial Facebook encounter, Elrod was telling McGregor her most intimate secrets; he, in turn, was emailing her lists with titles like “100 Things We’ll Do Together Before We Die.” By the end of April 2011—only a month into their romance—they were discussing marriage.
As part of this blossoming relationship, Elrod grew close to McGregor’s son, Kevin, a 17-year-old boarding school student in Manchester, UK. The boy wrote her bubbly emails about his closest school chum and his plans for Senior Day. He also expressed a fervent desire to visit her in the US and perhaps even live with her full-time—a dream come true for Elrod, who lamented that she’d never had kids of her own.
Kevin scheduled a trip to Charlotte for his summer break, and Elrod sent him several hundred dollars to buy the plane ticket. But McGregor informed her that the sum ended up being too little because she hadn’t accounted for the dollars-to-pounds exchange rate. “A few days after, I could tell there was concern in Duke’s messages, there was a distance there,” Elrod says. “It would take him a couple of minutes to reply. I could tell there was something wrong. And then he told me, ‘I haven’t heard from Kevin.’”
McGregor soon reported that he had located Kevin in a hospital outside Manchester, where the boy was recovering from a horrific car crash. The medical bills were piling up and he was in no position to pay them—he said his bank account had been frozen because he was on an oil rig. He begged Elrod to help “our son.”
Once Elrod obliged by sending money, McGregor began to make more exorbitant demands. He asked for $6,000 to buy a fancy new drill; she balked but eventually agreed to pay $1,200 for a speedboat to deliver the equipment to McGregor’s rig. Kevin, meanwhile, complained that he didn’t have a computer, so he could only use the Internet at a train station café; she gave him the funds for a new PC.
Elrod was puzzled by certain details in McGregor’s appeals for aid—why, for example, did his bank freeze his account while he was at sea? But “any time I questioned anything, he had a comeback for it,” she says. “He could make you feel like the dumbest person in the world. He made you feel like you didn’t trust him, and if you didn’t trust him, you didn’t love him.” If she obeyed McGregor without complaint, by contrast, he rewarded her with tokens of his love—early-morning texts that read “I’m thinking of how beautiful you are,” Yahoo messages festooned with emoji of red roses.
By September 2011, Elrod was sending off three-quarters of her weekly take-home pay. She and her eight cats ate the cheapest food so the McGregors could have as much cash as possible. She sold her jewelry and her washing machine, then quit her $19-an-hour administrative assistant job at the Mecklenburg County Health Department so she could liquidate her retirement account. But McGregor belittled her for not doing enough: He urged her to pawn her car title too.
Around this same time, he also introduced Elrod to a friend of his—a bank manager he’d met a decade earlier while working in the Gulf of Guinea. The man’s name was Sinclair, and he lived in the Nigerian city of Warri, 250 miles southeast of Lagos. McGregor explained that Sinclair needed help completing a few transactions for clients who wanted to either conceal their assets or convert their local currencies to dollars. If Elrod could pick up some wire transfers in Charlotte and forward them to Warri, Sinclair would make sure that Kevin had ample funds to visit the US.
Elrod was skeptical upon hearing mention of Nigeria, a place she vaguely knew as a font of email scams involving bogus princes. But she decided to go ahead with the plan for Kevin’s sake: “I thought of Kevin as my child; it was a mothering instinct. Whatever it takes to take care of Kevin, I’m going to do.”
This past March, John F. Campbell, who commands American forces in Afghanistan, posted an unusual statement on his Facebook page, which normally features bland accounts of his official business. “I am happily married and my wife Ann is very much alive and my children do not need money for any medical procedures,” Campbell wrote. “I will NEVER ask you to send money … I DO NOT use any dating sites, skype, google plus, yahoo messenger, or any other account.”
Campbell felt compelled to issue this disclaimer after the Army discovered more than 700 fake online profiles that purported to be the general: the handiwork of inventive and industrious criminals who specialize in fleecing the lovelorn. These Internet con artists, known as Yahoo Boys in Nigeria, often masquerade as American military officers who are deployed in war zones, a ruse that gives them plenty of unassailable excuses should a victim wish to meet face-to-face. The scammers are also fond of posing as oil workers who spend weeks at a time on deep-sea rigs, another macho cover story that allows them to fade in and out of victims’ lives at will.
Despite a slew of highly publicized warnings like the one made by Campbell, the romance-scam industry is flourishing as people become more accustomed to finding soul mates online. According to the Internet Crime Complaint Center, American victims of online romance scams lost more than $87 million in 2014, compared with just $50 million in 2011. In the UK, a 2012 study by researchers at the University of Leicester and the University of Westminster estimated that 230,000 Britons had already been duped by Internet swindlers whose promises of love inevitably segue into demands for cash.
“Any time I questioned anything, he had a comeback,” Elrod says. “He could make you feel like the dumbest person in the world.”
The victims of these scams often share a particular psychological trait: an exceptional faith in the existence and importance of romantic destiny. Psychologist Monica Whitty, a coauthor of the British study who specializes in romance-scam research, has found that although the people who get fooled by the Yahoo Boys are not necessarily lonelier or more trusting than their peers, they do tend to score highly on tests that measure how much they idealize romantic love. They are thus prone to fall fast and hard for anyone who showers them with exaggerated affection, even if that affection is expressed only via emails and instant messages.
Once a romance scammer has identified a vulnerable target, the trajectory of the ensuing crime is easy to predict. Each con begins with a grooming phase, during which a scammer tries to create an intimate bond with his mark: He will deluge the potential victim with plagiarized love poems and mawkish texts and gently encourage her to reveal dark memories from her past. Once the victim seems emotionally invested in the relationship, the scammer will ask for a small gift—just enough to buy a new laptop or cover a child’s tuition shortfall. If the victim complies, they’re soon hit with what Whitty terms “the Crisis,” a sob story designed to elicit a large and urgent contribution. A scammer who’s impersonating a soldier may say he needs money for an Afghan exit visa; an ersatz oil driller will claim that he’s trapped in a Kafkaesque foreign hospital. As Whitty noted in a 2013 Security Journal paper, victims often believe that using their money to allay the crisis will “lead to a reduction in the amount of time they have to wait until they finally meet [the scammer] face-to-face (which is ultimately the real prize for most of the victims).”
Those who are hoodwinked by the Crisis often keep shelling out money until they have nothing left to give, at which point the scammer will either vanish or gleefully reveal their deceit. “There are cases out there that just break your heart,” says Steven Baker, director of the Federal Trade Commission’s Midwest Region, which has launched an initiative aimed at preventing online romance scams. “It’s not just the money that’s lost; it’s also emotionally devastating for the people involved. There have been suicides because of this.”
The Nigerian scammers' chief concern is not eluding arrest but rather figuring out how to transport their stolen money.
The criminals responsible for causing that devastation are seldom apprehended, since so many are based in West African countries where the authorities are often understaffed or corrupt. On a few recent occasions, scammers have been nabbed while venturing abroad. In August 2014, for example, a Nigerian citizen named Olayinka Ilumsa Sunmola was arrested at London’s Heathrow Airport, nine months after a federal grand jury in Illinois indicted him for scamming at least 30 American women he met on eHarmony, Match.com, and MySpace. (Sunmola, who frequently posed as a US Army major, allegedly convinced one victim to perform sex acts that he secretly recorded and then used in an extortion scheme.) But romance scammers know they’re unlikely to face legal peril as long as they stick close to home. Last year all of the cases pursued by Nigeria’s Economic and Financial Crimes Commission, which investigates public corruption as well as fraud, resulted in just 126 convictions—a negligible number in a nation of 174 million. (For comparison, nearly 7,900 Americans received federal sentences for fraud in 2013, with thousands more convicted at the state level.)
The Yahoo Boys’ chief concern is not eluding arrest but rather figuring out how to transport their stolen money. Even the most naive potential victims now shy away from wiring funds to Nigeria, a country notorious as a hotbed of Internet chicanery. So scammers have constructed elaborate networks of accomplices, colloquially known as money mules, in countries like the US that have good reputations for the rule of law.
In many instances, these accomplices were once victims themselves. “At first it might be people thinking, ‘If I play ball, I can get some of my money back,’” says Ralph Gagliardi, a special agent with the Colorado Bureau of Investigation who has worked on several romance-scam cases. “But then they get turned by the lure of easy money.” A prime example of how victims can transform into conspirators is the case of Karen and Tracy Vasseur, a mother-daughter duo from Brighton, Colorado. In 2009 the freshly divorced Tracy was conned by a Yahoo Boy who claimed to be a soldier in Afghanistan. On realizing she’d been deceived, Tracy volunteered to help her scammer by pretending to be an “agent” who specialized in relaying funds to American military personnel. She and her mother eventually pled guilty to participating in the theft of $1.1 million from 374 victims in 41 countries; they were sentenced to a combined 31 years in prison.
The Vasseurs were not ideal partners for the scammers, however, because they demanded hefty fees for their services—as much as 10 percent of each incoming wire transfer. The Yahoo Boys prefer victims-turned-accomplices who are motivated not by greed but by romantic delusion.
Soon after she started working for Sinclair, Audrey Elrod encountered signs that she might be part of a sprawling scam. On October 16, 2011, for example, she was instructed to visit a Walmart to collect $600 that had been sent by a woman named Sheran Cohen, an elder-care consultant in Los Angeles.
Ten days later Cohen contacted Elrod on Facebook. “If this is a scam ... its not a threat its a promise i intend to follow it thru,” Cohen wrote. “And if anything happens to mr b from his health, i will sue in kens behalf.” The “Mr. B” that Cohen was referring to was Mike Benson, a dashing oil worker to whom she’d sent around $14,000 over the preceding months. While allegedly traveling from London to Los Angeles for a long-promised visit, Mike called to say he was being detained in Charlotte because of a custody dispute involving his teenage son, Ken. The $600 was supposed to be a down payment for his lawyer; Cohen had been directed to send the money to the lawyer’s assistant, a woman named Audrey Elrod.
“If your begining [sic] scammed so am I,” replied Elrod, who denied knowing anything about a Mike or Ken Benson. “I only picked up and sent cos I was told that Sinclair would help my stepson … I am told control numbers by a third party and forward to someone that is all I know.”
Cohen filed a police report in Charlotte a few weeks later, accusing Elrod of fraud. But by that time, Elrod was on her way out of the city. Jobless and broke after having sent an estimated $17,000 to Duke and Kevin McGregor, she had been evicted from her home and lost her car to repossession. She felt she had no choice but to give away her beloved cats and move back in with her mother, who lived in the mountains near Grundy, Virginia, an impoverished area known for its hulking coke ovens.
Decent cell phone reception was a rarity at her mother’s rural home, so Elrod often hitched to the closest McDonald’s to chat with McGregor. Despite all the misfortune she had endured since meeting her Scottish beau, she still felt they were meant to be together. She made her enduring faith the subject of a poem, entitled “Destiny,” that she wrote for her fiancé:
I believe that our love is blessed and ordained by God. It is a union of two spirits destined for everlasting happiness. Thus, you have become the knight and shining armor of my life. You offer me the joy of living, the peace of mind that comes from sharing and caring, and the shoulder to lean on.
Elrod’s mother, Shirley Horn, was disturbed by the depth of her daughter’s infatuation with McGregor, whom she recognized as a con artist. “I couldn’t understand how she could not see this,” she says. “But she lived and breathed him, calling his son her son and all of that stuff.” Horn’s patience finally wore out in June 2012, when Elrod tried to use her 17-year-old niece’s USAA savings account to funnel money to Sinclair. After a heated argument, Elrod packed up her belongings and vowed never to return.
The newly homeless Elrod got a friend to drive her to Bluefield, West Virginia, a coal-boom relic filled with deserted industrial plants and derelict homes in danger of being reclaimed by the forest. There she rented a room in a menacing neighborhood known as Drug Alley, where one of her six housemates slept with a machete in his hand.
Despite this turmoil, Elrod never took a break from running errands for Sinclair. At first she hired people in Bluefield to drive her back and forth to Grundy, where she’d opened an account at Grundy National Bank; Sinclair had asked her to do so because he wanted her to receive larger transfers than either Western Union or MoneyGram allows. When that bank flagged her activity as suspicious and closed her account, she moved her business to a National Bank of Blacksburg branch in Bluefield, Virginia, just a few miles from her home. (The Bluefield on the West Virginia side of the border, the site of a Norfolk Southern rail yard, is the bigger and more decrepit of the twin towns.) The transfers that came into the new account ballooned in size—$19,130 arrived on November 19, for example, followed by $7,526 on the 20th. On Sinclair’s orders, Elrod never withdrew more than $9,900 at a time.
Wary of becoming a robbery target should anyone in Drug Alley get wise to her banking habits, Elrod moved to a garage apartment in a less ominous part of Bluefield—the place that she split with the buffet cook, whose name was Richard Ridalls. She paid for the upgrade through a combination of unemployment benefits and street entrepreneurship: Folks on College Avenue quickly learned that Audrey was a reliable source for cheap toilet paper and illicit pain pills, which she obtained from her own prescriptions and from desperate neighbors in need of quick cash. (She insists that she drew the line at selling “K4s,” slang for Dilaudid.) She occasionally supplemented her income by pocketing bills from the bundles that she was transmitting to Nigeria.
Aside from rent and food, Elrod had two big expenses. One was the $200 she sent to Kevin every Tuesday morning, right after her weekly unemployment check cleared. The other was her phone bill: She now spent hours a day talking to McGregor, reveling in the sweet nothings he uttered in what sounded to her like a Scottish burr. (He refused to Skype, claiming that his computer was too old to use the service.) Her roommate, Ridalls, thought she was a fool—what kind of person, he wondered aloud, is always on the phone with some Scottish guy she’s never met but has zero contact with her own family?
Oblivious to Ridalls’ scorn, Elrod was busy devising ways to process vaster sums of money for Sinclair. In addition to becoming a customer at First Community Bank, where she received transfers of more than $63,000 in the course of a month, she persuaded several acquaintances to give her access to their accounts. One such person was Hassan Alrumaih, a 26-year-old Saudi Arabian who was a friend of Ridalls and a student at Bluefield State College. “Hey I need to ask for your help,” Elrod texted him in February 2013. “Sinclair wants to deposit a large amount and this would be a one time only and it’s complete legal I swear.” Elrod said the transaction would somehow allow her “son” Kevin to come to the States. When Alrumaih inquired about the source of the money, Elrod said it was from oil companies that were trying to reduce their tax liabilities. He agreed to allow more than $130,000 to flow through his account at a BB&T branch.
Elrod swore that she'd always stayed within the letter of the law—all she did was forward money that strangers had sent on their own volition.
On the morning of April 9, 2013, Elrod made her weekly visit to the Ridgeview Plaza Walmart to wire money to Kevin. A store security officer interrupted her transaction and escorted her to a back room, where she was made to wait until two men arrived: C. L. McCroskey, a local police detective, and William Puckett, a Russell County sheriff’s investigator. They wished to interview Elrod as part of a Treasury Department investigation; they had been assigned to handle the matter because federal agents are few and far between in Southwest Virginia.
Elrod spoke candidly, albeit anxiously, about her relationships with McGregor and Sinclair. She made rambling statements about Kevin’s stay in the English hospital, her initial hesitation to send money to Nigeria, and her reluctance to keep more than a trifling amount for herself. “Say I got $2,000 and I’m sending out $1,900, and after the fee and stuff say there is like $30 left,” she told the cops. “I’d keep the $30.”
Elrod also swore that she’d always stayed within the letter of the law—all she did was forward money that strangers had sent on their own volition. She took McCroskey and Puckett to her apartment and gave them a folder containing receipts from the transactions she’d conducted for Sinclair—proof, she thought, that she was blameless, for what kind of crook would keep such assiduous records? The investigators left without placing her under arrest.
Two days later was Kevin’s supposed birthday, and Elrod sent him a loving email that gave no inkling of her legal predicament: “Happy Birthday my darling son. It’s so hard to believe you are celebrating your third birthday in a row without your father and I, but even with the distance between us, our family is strong and together.”
Two days after that, Elrod’s spirits were raised by a gushy email from McGregor, who referred to her by the pet name Silly Girl: “Honey my Love. With you every minute spent is so amazing. Showing so much affection, clinging at each other. Having each moment as the best times of our lives with your love I could not ask for anything.”
Those tender words were still fresh in Elrod’s mind when, on April 15, she was arrested after a doctor’s visit. She was taken to the federal courthouse in Abingdon, Virginia, where she was charged with the crime of structuring—that is, making multiple bank withdrawals of less than $10,000 for the sole purpose of avoiding government scrutiny. (The Bank Secrecy Act requires domestic financial institutions to report all transactions larger than $10,000.) Thanks to the Patriot Act of 2001, which stiffened the penalties for structuring with the aim of disrupting terrorist financing networks, Elrod was potentially facing decades in prison.
The months-long Treasury Department investigation into Elrod’s labyrinthine dealings, which had apparently been launched after a tip from First Community, had identified dozens of victims around the globe. Many of these women told familiar stories: A mother of three in New Mexico had been conned out of $8,000 by a Scottish-Irish oil worker named Duke Arthur, who said he needed money for his son’s tuition. A Pennsylvania woman had sent Elrod $900 so a guy she met online, Duke Gregor, could finish his job on an oil rig. A Texas divorcée had relayed more than $15,000 to Nigeria as a favor for James Smith, a resident of Scotland whom she’d met on ChristianMingle.com. One Norwegian woman had wired a total of $116,169 to Elrod.
But the gravity of her situation seemed lost on Elrod. Within 24 hours of posting bond, she went right back to wiring money to Nigeria. In the eight days after her arrest, she sent nearly $7,000 to associates of Sinclair.
When Elrod’s probation officer learned of the continued money transfers to Nigeria in early May, Elrod’s bond looked certain to be revoked. Her public defender, Brian Beck, counseled her to explain her actions to the court, on the off-chance that she might elicit sympathy and avoid being tossed in jail until trial. McGregor, on the other hand, encouraged her to flee, claiming that all he cared about was her personal safety.
There was never any doubt whose advice Elrod would heed.
The Money Elrod used to abscond was provided by Sinclair: The banker wired a couple thousand dollars to Elrod’s ex-husband, who FedExed a cashier’s check to Bluefield. Elrod then caught a ride to the Charlotte area, where she rented a room in the town of Matthews.
McGregor vowed that he was finally going to “come home” to visit her there, and that he would bring along the substantial nest egg he’d built after two years of constant oil-rig work. He spoke of the joy he would feel upon walking down the stairs at the Charlotte airport and seeing Elrod in the flesh for the first time.
But as the weeks went by and McGregor failed to finalize his travel plans, Elrod turned desperate. “Just come here and I’ll turn myself in,” she told him. “I don’t care what happens to me then.”
Love for Sale
According to police who investigate online romantic cons, the scams follow a surprisingly consistent arc. Here’s how swindles typically unfold.
1. The Bait
The scammers set up a fake profile on a social-media or dating site. The man they invent is a ruggedly handsome, middle-aged widower who yearns to love again. He usually works in a macho job in a far-flung location—some-thing that provides good excuses to avoid face-to-face meetings.
2. The Grooming Phase
Once a woman gets drawn in, the scammer showers her with gestures of affection through email or instant messaging: declarations of love, plagiarized poems, compliments on her beauty. The scammer also asks personal questions about the victim’s life—the key to establishing an intimate connection.
3. The Gift
Satisfied that the mark is infatuated, the scammer concocts a situation that can be solved with a bit of money: He claims to need a few hundred dollars for a visa or money to travel. If the victim agrees to provide the cash, the scammer knows she’s on the hook.
4. The Crisis
Suddenly something goes horribly wrong. The scammer pleads for several thousand dollars to pay for a major surgery or to escape a legal predicament. Afraid she’ll never get to meet her beloved unless she complies, the victim wires the requested funds.
5. The Bleed
More aggressive demands for money ensue, until the victim either loses everything or gets wise to the con. At that point, the scammer either vanishes or tries to convince the victim to launder money on his behalf.
The last thing the Yahoo Boys behind the Duke McGregor character wanted was for Elrod to surrender, for she was still a valuable asset to their enterprise. She had convinced an acquaintance in Charlotte to use his Wells Fargo account as a landing spot for wire transfers, so victims’ money kept flowing to Sinclair—the account received over $94,000, most of which went to Nigeria via Western Union and MoneyGram.
As the summer of 2013 wore on, Elrod began to feel ill—there was a stabbing pain in her abdomen, but she feared arrest if she sought treatment. In the midst of her suffering, she received an email from McGregor that gave her pause. “Thank you for being the most loving and trusting person on Earth,” one line read. Something about his use of the word trusting struck her as odd, as if he were mocking her rather than offering earnest praise. She spent days trying to compose a suitable response, an email in which she would declare that she was aware of McGregor’s manipulative streak.
But Elrod never got the chance to send it. On August 29, US Marshals arrested her at her room in Matthews. She begged the agents to find someone to take the cat she had adopted while on the lam, to no avail. After appearing before a judge, Elrod used one of her jailhouse phone calls to contact McGregor. She explained that she was being sent back to Virginia and asked him to hire her a good lawyer.
The line went dead. And that was the end of Duke McGregor.
There are many theories as to why Elrod became so deeply committed to such an obvious sham. Randy Ramseyer, the assistant US attorney who prosecuted the case, characterizes her as a “pathetic individual” who was addicted to the positive feedback the Yahoo Boys provided. “It’s clear to me that Ms. Elrod enjoyed the attention, enjoyed being necessary,” he says. “They needed her, she knew that, and that’s something that she valued.”
Beck, Elrod’s defense attorney, contends that his client’s mindset was warped by her yen to become a mother and that she sincerely believed that doing Sinclair’s bidding would somehow result in Kevin being sent to live with her. “In most instances, when criminals find out how big the thing is that they’re involved in, they want a bigger piece of the pie,” Beck says. “She didn’t want that, she didn’t want a bigger piece. What she wanted was a son.”
In Elrod’s own account of her ruin, however, what’s most striking is her lingering fondness for McGregor. Though he was the linchpin of a scheme that has caused her immense sorrow, Elrod treasures the moments of happiness he brought her—moments that she now understands were part of a manufactured illusion but that nonetheless occupy a special place in her heart. “I still think about his phone number. I still close my eyes and think about his emails,” she told me in early April, at the West Virginia prison where she’s serving a 52-month sentence after pleading guilty to structuring and conspiracy to commit wire fraud. “I can think of the messages he sent me, the little things he said to me, and it makes me smile. He was the only one I ever let get that close to me.”
Elrod dabbed her eyes with a coarse brown paper towel as she spoke those words in her honeyed Appalachian drawl. Her graying forelocks and careworn face hinted at the hardships she’s endured in prison: The abdominal pain she felt while on the run turned out to be a symptom of acute cholecystitis, which led to the removal of her gallbladder and a near-fatal case of sepsis. Her skin now has a sallow hue that makes her streaks of purple eyeshadow seem all the more vivid.
Though she acknowledges that she deserves some punishment, Elrod insists that the government “didn’t have to do me as harsh as they did.” She feels particularly burdened by the restitution she’s been ordered to pay—$413,790.91 to 28 of the scam victims who’ve been identified. Given that she’s currently earning 12 cents an hour at her prison job, the debt seems insurmountable.
The criminals who flipped Elrod from victim to accomplice, by contrast, have vanished. Ramseyer says he is unaware of any efforts to catch the scammers in Warri, and Nigeria’s Economic and Financial Crimes Commission, which did not respond to repeated inquiries, has posted no news of any arrests. (The media-savvy EFCC is usually effusive on the rare occasions that it busts romance scammers; the organization crowed quite a bit in January, for example, when it managed to recover $2,000 that a Texas woman had lost.) The phone numbers used by McGregor and Sinclair are no longer receiving calls.
Toward the end of our conversation, I asked Elrod what she would say to McGregor—or, rather, the Yahoo Boy who played McGregor—if she were given the opportunity. She chewed nervously on her right index finger as she confessed that she has many, many questions for the man. But the first one she mentioned was not how he faked his Scottish accent or what became of her life savings or how many other women he was stringing along while they were “engaged.” The question at the forefront of her mind was something far more basic: “Was it always a scam?”
Contributing editor BRENDAN I. KOERNER (@brendankoerner) wrote about skateboarder Rodney Mullen in issue 23.02.