Hear from CIOs, CTOs, and other C-level and senior execs on data and AI strategies at the Future of Work Summit this January 12, 2022. Learn more

New research from Lookout Threat Lab has found a long-running phishing campaign that is actively targeting families of United States military personnel, as well as individuals interested in pursuing a romantic relationship with a soldier. The scammers impersonate military support organizations and personnel to steal sensitive personal and financial information for monetary gain.

Based on Lookout’s analysis, it’s clear that the threat actor is looking to steal sensitive data from victims such as their photo identification, bank account information, name, address, and phone number. With this information, the actor could easily steal the victim’s identity, empty their bank account, and impersonate the individual online.

A number of infrastructure indicators and open-sourced intelligence findings lead the Lookout Threat Lab to believe that the threat actor operates out of Nigeria. The websites were primarily hosted by Nigerian providers that are offshore or ignore the Digital Millennium Copyright Act (DMCA) — in both cases, these sites were fairly protected from takedowns. Researchers were able to further confirm the operator’s location from a phone number one of the web developers accidentally left on the draft version of the site. The country code of the number is from Nigeria.

Likely for economic reasons, the threat actors chose cheap, shared hosting services for the scam websites. This can present an obstacle to research, as hundreds or even thousands of domains may share the same virtual resources and resolve to the same IP address. To uncover additional sites from this campaign, Lookout researchers were able to reference the contact numbers on these sites, which happened to be reused.

When the Lookout Threat Lab dove into the registration information for various sites, they found that the actors practiced fairly poor operational security, often reusing phone numbers, email addresses, and other registrant information, which made the campaign easier to track. In addition to the shared resources and contact information on the actual websites, this information enabled Lookout researchers to identify 50 military scam sites tied to this campaign. They were also able to link this group to numerous other scams advertising fake delivery services, cryptocurrency trading, banks, and even online pet sales.

As compromised accounts are one of the most difficult threats to combat, the Lookout Threat Lab recommends all organizations deploy a dedicated phishing solution that works regardless whether the employee is working inside corporate perimeters or not.

See the full report by Lookout Threat Lab.


VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact.

Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:

  • up-to-date information on the subjects of interest to you
  • our newsletters
  • gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
  • networking features, and more

Become a member