
New research from Lookout Threat Lab has found a long-running phishing campaign that is actively targeting families of United States military personnel, as well as individuals interested in pursuing a romantic relationship with a soldier. The scammers impersonate military support organizations and personnel to steal sensitive personal and financial information for monetary gain.

Based on Lookout’s analysis, it’s clear that the threat actor is looking to steal sensitive data from victims such as their photo identification, bank account information, name, address, and phone number. With this information, the actor could easily steal the victim’s identity, empty their bank account, and impersonate the individual online.

A number of infrastructure indicators and open-source intelligence findings lead the Lookout Threat Lab to believe that the threat actor operates out of Nigeria. The websites were primarily hosted by Nigerian providers that are offshore or ignore the Digital Millennium Copyright Act (DMCA); in both cases, these sites were fairly protected from takedowns. Researchers were able to further confirm the operator’s location from a phone number one of the web developers accidentally left on the draft version of the site. The country code of the number is from Nigeria.

Likely for economic reasons, the threat actors chose cheap, shared hosting services for the scam websites. This can present an obstacle to research, as hundreds or even thousands of domains may share the same virtual resources and resolve to the same IP address. To uncover additional sites from this campaign, Lookout researchers were able to reference the contact numbers on these sites, which happened to be reused.



When the Lookout Threat Lab dove into the registration information for various sites, they found that the actors practiced fairly poor operational security, often reusing phone numbers, email addresses, and other registrant information, which made the campaign easier to track. In addition to the shared resources and contact information on the actual websites, this information enabled Lookout researchers to identify 50 military scam sites tied to this campaign. They were also able to link this group to numerous other scams advertising fake delivery services, cryptocurrency trading, banks, and even online pet sales.
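The pivoting described above can be sketched as follows. This is an added example, not code from Lookout's report: the records are constructed, and the function names `normalize` and `cluster` are hypothetical. It groups domains that share a registrant phone number or email address, and shows why a shared-hosting IP address is a poor pivot by comparison.

```python
from collections import defaultdict

# Constructed sample records (not from the report): domain, hosting IP,
# registrant phone, registrant email. Reserved example names and ranges only.
RECORDS = [
    {"domain": "mil-support.example", "ip": "192.0.2.10", "phone": "+000-555-0101", "email": "a@reg.example"},
    {"domain": "army-care.example", "ip": "192.0.2.10", "phone": "+000 555 0101", "email": "B@reg.example"},
    {"domain": "fast-parcel.example", "ip": "198.51.100.7", "phone": "+000-555-0199", "email": "b@reg.example"},
    {"domain": "bakery.example", "ip": "192.0.2.10", "phone": "+000-555-0142", "email": "owner@bakery.example"},
    {"domain": "puppy-shop.example", "ip": "203.0.113.5", "phone": "+000-555-0199", "email": "c@reg.example"},
]

def normalize(field, value):
    """Canonicalize an identifier so trivially different spellings match."""
    value = value.strip().lower()
    if field == "phone":
        value = "".join(ch for ch in value if ch.isdigit())
    return value

def cluster(records, pivots=("phone", "email")):
    """Group domains that share any pivot value (union-find over domains)."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    first_seen = {}  # (field, value) -> first domain observed with it
    for r in records:
        for field in pivots:
            value = normalize(field, r.get(field, ""))
            if not value:
                continue  # missing or redacted field: not a usable pivot
            key = (field, value)
            if key in first_seen:
                parent[find(r["domain"])] = find(first_seen[key])
            else:
                first_seen[key] = r["domain"]

    groups = defaultdict(set)
    for domain in parent:
        groups[find(domain)].add(domain)
    # Largest clusters first, then alphabetical for stable output.
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

if __name__ == "__main__":
    print("registrant pivots:", cluster(RECORDS))
    print("IP pivot only:   ", cluster(RECORDS, pivots=("ip",)))
```

With the registrant pivots, the four related domains form one cluster through chained reuse and the unrelated `bakery.example` stays separate; pivoting on the shared-hosting IP alone wrongly pulls it in.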

As compromised accounts are one of the most difficult threats to combat, the Lookout Threat Lab recommends all organizations deploy a dedicated phishing solution that works regardless of whether the employee is working inside corporate perimeters or not.

See the full report by Lookout Threat Lab.
