Google has filed a civil lawsuit in the U.S. District Court for the Southern District of New York (SDNY) against China-based hackers behind a massive phishing-as-a-service (PhaaS) platform called Lighthouse that has captivated more than 1 million users in 120 countries.
PhaaS kits are used to run large-scale SMS phishing attacks that exploit trusted brands like E-ZPass and USPS, using decoys related to fake tolls and package deliveries to entice people to click on links and steal people’s financial information. Although the scam itself is very simple, the scale of the industry has allowed more than $1 billion to be illegally made over the past three years.
“They are exploiting the reputation of Google and other brands by illegally displaying our trademarks and services on deceptive websites,” said Halima Delaine Prado, Google’s general counsel. “We discovered at least 107 website templates featuring Google branding on the sign-in screen that were specifically designed to trick people into believing the site was legitimate.”
The company said it is taking legal action to dismantle its underlying infrastructure under the Fraudster Act, the Lanham Act, and the Computer Fraud and Abuse Act.
Lighthouse, along with other PhaaS platforms such as Darcula and Lucid, is part of an interconnected cybercrime ecosystem based in China that is known to send thousands of smishing messages to users inside and outside the United States via the RCS feature of Apple iMessage and Google Messages with the intent of stealing sensitive data. These kits are used by the Smishing Syndicate, tracked as the Smishing Triad.
In a report published in September, Netcraft revealed that Lighthouse and Lucid were linked to more than 17,500 phishing domains targeting 316 brands in 74 countries. Phishing template licenses associated with Lighthouse range from $88 for a week to $1,588 for an annual subscription.
“Although Lighthouse operates independently from the XinXin Group, its collaboration with Lucid in terms of infrastructure and targeting patterns highlights broader trends of collaboration and innovation within the PhaaS ecosystem,” Swiss cybersecurity firm PRODAFT said in a report released in April.
It is estimated that Chinese smishing syndicates may have compromised between 12.7 million and 115 million payment cards in the United States alone between July 2023 and October 2024. In recent years, Chinese cybercrime groups have also evolved, developing new tools like Ghost Tap, which adds stolen card details to digital wallets on iPhone and Android phones.
Just last month, Palo Alto Networks Unit 42 announced that since January 1, 2024, the attackers behind the Smishing Triad have used over 194,000 malicious domains to imitate a wide range of services, including banks, cryptocurrency exchanges, postal and delivery services, law enforcement, state-owned enterprises, and electronic toll systems.
