Threat intelligence researchers at Lookout have identified a long-running phishing campaign that is actively targeting families of U.S. military personnel as well as individuals interested in pursuing a romantic relationship with a soldier. 

The threat actors are impersonate military support organizations and personnel to steal sensitive personal and financial information, such as photo identification, bank account information, name, address and phone number. 

The 419 fraud, or advance fee fraud, usually entail a scammer facilitating a service in exchange for a fee. Threat researchers worked with hosting providers to shut the scam sites down. 

 A number of infrastructure indicators and open-sourced intelligence findings lead us to believe that the threat actor operates out of Nigeria. The websites were primarily hosted by Nigerian providers that are offshore or ignore the Digital Millennium Copyright Act (DMCA) — in both cases these sites were fairly protected from takedowns. Researchers were able to further confirm the operator’s location from a phone number one of the web developers accidentally left on the draft version of the site. 

In addition, researchers identified 50 military scam sites tied to this campaign and were also able to link this group to numerous other scams advertising fake delivery services, cryptocurrency trading, banks and even online pet sales. 

For more information, please visit