Lookout Researchers Take Down Phishing Scams Targeting U.S. Military Families

TL; DR:

Here at Lookout, our Threat Intelligence Services teams work with a massive data set that enables them to proactively hunt for threats and conduct forensic investigations. While our findings are used to protect Lookout customers, we also pride ourselves in contributing to the cybersecurity community ensuring that everyone’s security and privacy are safeguarded.

Recently, researchers at the Lookout Threat Lab revisited a lead that a former colleague posted on Twitter last summer. In doing so, we dove headfirst into a long-running phishing campaign that, as of the publishing of this blog, is actively targeting families of United States military personnel as well as individuals interested in pursuing a romantic relationship with a soldier. The scammers impersonate military support organizations and personnel to steal sensitive personal and financial information for monetary gain.

Based on our analysis, it’s clear that the threat actor is looking to steal sensitive data from victims such as their photo identification, bank account information, name, address and phone number. With this information, the actor could easily steal the victim’s identity, empty their bank account and impersonate the individual online.

Identifying the scam: 419 fraud

This scam most closely fits the definition of what’s known as 419 fraud or advance fee fraud. The name comes from the fact that these scams fall under section 419 of the Nigerian Criminal Code. These schemes usually entail a scammer facilitating a service in exchange for a fee.

Through the course of our investigation, we decided to not just dissect these attacks, but also work with hosting providers to shut these scam sites down. 

These websites all characterize common tactics used by actors behind phishing campaigns. In an attempt to bolster their credibility, The pages use visuals and language that one might expect to see on a military affiliated website. In addition, they weave advertisements of Department of Defense services alongside malicious content.

Example showing a military scam site using images from Raider Spirit WordPress Theme.

Who’s behind these scams and how do they operate?

A number of infrastructure indicators and open-sourced intelligence findings lead us to believe that the threat actor operates out of Nigeria. The websites were primarily hosted by Nigerian providers that are offshore or ignore the Digital Millennium Copyright Act (DMCA) — in both cases these sites were fairly protected from takedowns. We were able to further confirm the operator’s location from a phone number one of the web developers accidentally left on the draft version of the site. The country code of the number is from Nigeria.

Likely for economic reasons, the threat actors chose cheap, shared hosting services for the scam websites. This can present an obstacle to research, as hundreds or even thousands of domains may share the same virtual resources and resolve to the same IP address. To uncover additional sites from this campaign, we were able to reference the contact numbers on these sites, which happened to be reused.

When we dove into the registration information for various sites, we found that the actors practiced fairly poor operational security, often reusing phone numbers, email addresses and other registrant information which made the campaign easier to track. In addition to the shared resources and contact information on the actual websites, this information enabled us to identify 50 military scam sites tied to this campaign. We were also able to link this group to numerous other scams advertising fake delivery services, cryptocurrency trading, banks and even online pet sales.

Example showing a military scam site using images from Raider Spirit WordPress Theme.

Social engineering: the tactics behind the scam

When we observe a widespread campaign like this one, it’s important to identify the actor’s goals and the tactics they use. In this case, the angle of attack is social engineering. As mentioned earlier, there seem to be two key groups that could be targeted with this campaign: family members of the U.S. military and individuals who want to pursue a romantic relationship with a soldier. 

The end goal is monetary gain as most of the “services” advertised on these sites have a hefty price tag attached. As is the case with other 419 scams, the promised service is never delivered and the scammer disappears with the victim’s money before they realize they’ve been duped.  

Here is an example of the interaction from someone who fell for the scam.


The fake services

To fully understand the scam, let’s first look at the services offered across these websites and screenshots of these pages:

Communication Permit

This page offers calling cards to help family members get in touch with deployed troops. The cost of services is suspiciously high: 

  • Military Small Card – $680
  • Military Medium Card – $780
  • Military Large Card – $890
  • Military Large Global Card – $1150
  • UNLIMITED = (Send us a message)

Applying for Leave on behalf of a soldier

The scammer offers a number of options for troops or their family to request for emergency leave. The purported reasons for such leave are health (leave to receive proper medical care) and “romantic vacation”. The length of the leave determines the price of the service:

  • 4 weeks: $3,500
  • 6 weeks: $5,000
  • 8 weeks: $10,999
  • 10 weeks: $20,123
  • 14 weeks: $30,600
  • 18 weeks: $40,976
  • 22 weeks: $50,143
  • 26 weeks: $60,342

Care Packages

Family members are offered opportunities to send troops care packages for extremely inflated prices:

  • Mini care package - $800
  • Airbourne care package - $1200
  • Premium Care package - $1700

The Compensation Fund

There’s one particularly grim fake service that directly targets individuals who have lost a family member in the line of duty. This is also where it’s most clear that the scammer intends to steal the victim’s identity based on the requested information:

  • Name of Soldier
  • Country Deployed
  • MOS Code
  • Your Full name
  • Your ID (Attach a clear photo of it to the mail)
  • Email Address
  • Relationship with the soldier
  • Bank Name
  • Account Number

Deployment declination, marriage, housing options and resignation

These fake services claimed to be only for family members or loved ones to apply on behalf of the soldier. None of them have a price attached to their services, but rather ask the individual to reach out to the provided contact details.

Looking at all of this data together, it’s clearly intended to enable the attacker to impersonate the individual and steal money out of their bank account or fraudulently register for other financial services such as lines of credit. The fake compensation fund embodies most of what effective phishing campaigns are made up of — a hook that pulls on the emotions of the target, seemingly legitimate or innocuous asks, then a nefarious ask buried within everything else.

It takes the whole community: taking down phishing campaigns

Most phishing campaigns have the end goal of swiping personal or corporate user credentials, tricking the user into giving up their identity or delivering malware to the target device. They tend to proactively reach out to their target audience via email, text message or social media and are usually short lived. In line with most other 419 Scams, this actor is engaging in a mix of proactive and passive outreach through email, social media and dating apps with the end goal of financial gain and identity theft.

This campaign and the process of working through its takedown illustrate the good that comes from collaboration in the cybersecurity community. Building off of the initial research of a handful of individuals and groups, we were able to pin down more information about this scam and take down additional scam sites. 

Lookout contacted each of the registrars responsible for the domains used in this campaign and provided evidence of fraud or misuse by the domain registrant. At the time of writing this blog, the registrars are in the process of disabling all domains associated with the campaign.

We’d like to thank the following people for their ongoing research and raising awareness of this scam and others:

How to protect yourself and your organization

Securing your organization against phishing

The Lookout research team’s top priority is to ensure that our customers are protected from the latest threats. As a result of the analysis done on this phishing campaign, we implemented coverage on Lookout Phishing and Content Protection against these attacks.

As compromised accounts are one of the most difficult threats to combat, we recommend all organizations deploy a dedicated phishing solution that works regardless whether the employee is working inside corporate perimeters or not.

Protecting yourself from scams

Phishing attacks are also one of the most common ways your personal device and information is put in danger. We recommend deploying dedicated mobile security on your device to safeguard against mobile threats and identity theft. If you don’t know where to start, you should check out protection.lookout.com to learn more about how Lookout can help. We also have a blog about the mobile phishing kill chain you can check out. Lastly, if you believe you may have been targeted by this campaign please take a look at the advice from the U.S. Army Criminal Investigation Division regarding these scams.

Appendix - domains used in this phishing campaign

  • usmilitaryportal[.]com
  • uswelfareteam[.]com
  • usamilitaryofficialportal[.]com
  • usamilitarysupport[.]com
  • usmilitarysupportdesk[.]com
  • theusamilitarysupport[.]com
  • theusmilitarysupport[.]com
  • milhq[.]online
  • usmdept[.]com
  • theusadepartmentsupport[.]com
  • pentagonsupport[.]com
  • usmilitaryconsult[.]com
  • unitedstatearmyleaveboard[.]com
  • usmilitarycenter[.]com
  • mildefencedepartment[.]com
  • thedefencedepartment[.]com
  • usmilitaryhr[.]com
  • leavedept[.]com
  • usleavedepartment[.]com
  • usarmyemergencyleaveboardsupport[.]com
  • unitedstatemildepartment[.]com
  • milleave[.]us
  • theusmiliitarydept[.]com
  • airforcehr[.]com
  • na-to[.]com
  • usmilitarytroops[.]com
  • usmilitaryboard[.]com
  • usamilitarywarfare[.]com
  • usamilitarytroops[.]com
  • mofdefencedep[.]com
  • militaryleaveoffice[.]com
  • usmilitary[.]us
  • usarmytroops[.]us
  • usmilitarytps[.]com
  • defencedep[.]com
  • usmilitarytroops[.]us
  • militaryhelpforum[.]com
  • milsvcs[.]com
  • theusdepartmentsupport[.]com
  • unitedstatesemergencyleave[.]com
  • us-militaryhq[.]com
  • leavedepartment[.]us
  • milresourcehq[.]us
  • milhq[.]us
  • usmilitaryorg[.]com
  • usamilitarytroops[.]us
  • usarmytroop[.]com
  • us-military[.]army
  • us-mil[.]us
  • usminfo[.]com

Lookout delivers endpoint-to-cloud Security