Google Seeks to Combat "Lighthouse" SMS Phishing Network

Google has filed a lawsuit against several unnamed defendants forming an entity known as "Lighthouse." Google describes this network as a "Phishing-as-a-Service" operation, accusing it of providing "phishing kits" specifically designed for cybercriminals who may not be able to carry out large-scale phishing campaigns on their own. Phishing-as-a-Service is known as a criminal business model that provides the infrastructure and tools necessary to execute phishing attacks for individuals or groups, thereby lowering the technical barriers to entry into the world of cybercrime.

The Nature of the "Lighthouse" Network and the Scale of the Attacks

The Lighthouse group is accused of charging monthly licensing fees to provide SMS or e-commerce software, which includes hundreds of templates for fraudulent websites. These websites closely mimic financial institutions or government-affiliated organizations, enabling them to trick consumers into divulging sensitive details. Google alleged that within just 20 days, Lighthouse was used to create 200,000 fraudulent websites, targeting over a million potential victims. Estimates suggest that between 12.7 million and 115 million credit cards in the United States were compromised due to this fraud. These statistics are a serious indicator of the growing phenomenon of phishing, with reports indicating that approximately 75% of global organizations faced phishing attacks in 2023.

Details of "Lighthouse" Phishing Mechanisms

These fraudulent pages track user keystrokes, meaning information is compromised even if the user retracts sending it. The lawsuit details what happens after someone clicks on the fraudulent links: the fraudster can log into a Lighthouse account, using a login page displaying a Google logo to appear as a normal login option, and use the dashboard to send a fake text message alerting the potential victim that the United States Postal Service (USPS) requires a fee to complete their delivery. In this alleged scheme, the text message would lead to a fake USPS page asking the user to enter their personal details and payment information. These details are systematically collected in the Lighthouse dashboard. The group also claims to operate similar scams mimicking toll collection websites like E-Z Pass, financial institutions, and retail sites, some of which include Google logos on their login pages.

Google's Legal Actions Against "Lighthouse"

Google seeks to dismantle this group by prosecuting the defendants for alleged violations of the Racketeer Influenced and Corrupt Organizations Act (RICO Act), anti-fraud laws, and trademark infringement. Google claims that Lighthouse threatened its brand by using its name and logo on fraudulent websites. As of now, Google does not know the identity of the unnamed defendants who constitute Lighthouse, or their exact number, although it believes they are based in China. The RICO Act provides the federal government with a powerful tool to prosecute criminal organizations operating as "enterprises," while anti-fraud laws criminalize acts intended to deceive individuals or entities for illicit gain, and trademark laws enable rights holders to protect their brands from unauthorized use that could mislead consumers.

Objectives of the Lawsuit and Google's Future Role

The objective of the lawsuit, in part, is for the court to declare the Lighthouse scheme illegal, so that it will also be removed by other technology providers, and for law enforcement agencies to obtain more information about Lighthouse through investigations. While other services offer tools similar to those provided by Lighthouse, Halimah Delauney Pradhan, Google’s general counsel, says that this network caught Google’s attention due to the growing volume and popularity of its products this year, which the company tracked through public Telegram channels and YouTube channels that were later disabled for recruitment and technical support purposes.

Federal Bills and Google's Role in Combating Cybercrime

Due to the ease with which Lighthouse creates these fraudulent websites, Google says that dismantling it "will require persistence." In the meantime, the company also supports three federal bills it believes will help address these types of schemes in the first place: the GUARD Act, the Eliminating Foreign Robocalls Act, and the Stopping Child Abusers and Miscreants (SCAM) Act. Collectively, Google says these initiatives will help fund the ability of state and local law enforcement agencies to pursue scams targeting seniors, establish a task force to prevent illegal foreign robocalls from reaching U.S. consumers, and hold transnational groups accountable for trafficking individuals into fraud schemes. Even with such policies in place, Delauney Pradhan says there will still be a role for companies like Google in combating cybercrimes that affect our users. She adds: "I think it is beneficial for us to deploy our resources to help combat cybercrimes that affect our users. We can do that on a large scale, so I think you will see us continue to do so when unfortunate situations like these arise, where we believe we can shine a light on the behavior." The GUARD Act (Guardianship Users’ Right to Digital Assets Act) aims to enhance online anti-fraud capabilities, while the Eliminating Foreign Robocalls Act focuses on blocking unwanted robocalls from abroad. The SCAM Act (Stopping Child Abusers and Miscreants Act) specifically seeks to counter scams conducted via SMS messages, providing broader consumer protection against increasing threats.