Google has filed a civil lawsuit in the U.S. District Court for the Southern District of New York (SDNY) against China-based hackers who are behind a massive Phishing-as-a-Service (PhaaS) platform called Lighthouse that has ensnared over 1 million users across 120 countries.
The PhaaS kit is used to conduct large-scale SMS phishing attacks that exploit trusted brands like E-ZPass and USPS to steal people’s financial information by prompting them to click on a link using lures related to fake toll fees or package deliveries. While the scam in itself is fairly simple, it’s the industrial scale of the operation that has allowed it to illegally make more than a billion dollars over the past three years.
“They exploit the reputations of Google and other brands by illegally displaying our trademarks and services on fraudulent websites,” Halimah DeLaine Prado, General Counsel at Google, said. “We found at least 107 website templates featuring Google’s branding on sign-in screens specifically designed to trick people into believing the sites are legitimate.”
The company said it’s taking legal action to dismantle the underlying infrastructure under the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act, and the Computer Fraud and Abuse Act.
Lighthouse, along with other PhaaS platforms like Darcula and Lucid, is part of an interconnected cybercrime ecosystem operating out of China that is known to send thousands of smishing messages via Apple iMessage and Google Messages’ RCS capabilities to users in the U.S. and beyond in hopes of stealing sensitive data. These kits have been put to use by a smishing syndicate tracked as Smishing Triad.
In a report published in September, Netcraft revealed that Lighthouse and Lucid have been linked to more than 17,500 phishing domains targeting 316 brands from 74 countries. Phishing templates associated with Lighthouse are licensed from anywhere between $88 for a week to $1,588 for a yearly subscription.
“While Lighthouse operates independently of the XinXin group, its alignment with Lucid in terms of infrastructure and targeting patterns highlights the broader trend of collaboration and innovation within the PhaaS ecosystem,” Swiss cybersecurity company PRODAFT said in a report published in April.
It’s estimated that Chinese smishing syndicates may have compromised between 12.7 million and 115 million payment cards in the U.S. alone between July 2023 and October 2024. In recent years, cybercrime groups from China have also evolved to develop new tools like Ghost Tap to add stolen card details to digital wallets on iPhones and Android phones.
As recently as last month, Palo Alto Networks Unit 42 said the threat actors behind Smishing Triad have used more than 194,000 malicious domains since January 1, 2024, mimicking a wide range of services, including banks, cryptocurrency exchanges, mail and delivery services, police forces, state-owned enterprises, and electronic tolls, among others.
