If you’ve ever received a spammy text falsely alerting you to an unpaid toll or failed delivery, it might have come from a so-called Phishing-as-a-Service network that Google is now trying to take down.
Google filed suit against several unnamed defendants it says make up an enterprise called Lighthouse. The company argues in a new complaint that Lighthouse makes a “‘phishing for dummies’ kit for cybercriminals who could not otherwise execute a large-scale phishing campaign.”
The group would allegedly charge a monthly licensing fee to provide SMS or e-commerce software with hundreds of templates for websites closely resembling financial institutions or government-affiliated organizations that could trick consumers into entering sensitive details. In just 20 days, Google alleges, Lighthouse was used to spin up 200,000 fraudulent websites to attract over a million potential victims. It estimates that somewhere between 12.7 million and 115 million credit cards in the US were compromised by the scam.
While many people are familiar with the kind of spammy texts Lighthouse-enabled services allegedly help blast, the lawsuit details what happens after someone actually clicks on those links. A scammer could allegedly log into a Lighthouse account, using a login page that displays a Google logo styled to look like a sign-in option, and use the dashboard to send out a text falsely alerting a potential victim that USPS requires a fee to complete their delivery. In this alleged scheme, the text would link to a spoofed USPS page asking the user to enter their personal and payment details. The page tracks users’ keystrokes, according to the complaint, so the information is compromised even if the user has second thoughts before submitting. Those details then populate neatly on the Lighthouse dashboard. The group allegedly runs similar scams spoofing toll collection sites like E-ZPass, financial institutions, and retail sites, some of which include Google logos on their sign-in pages.
Google is trying to disband the group by suing the defendants for allegedly violating the Racketeer Influenced and Corrupt Organizations (RICO) Act, as well as laws against fraud and trademark infringement, since it claims that Lighthouse threatened its brand by using its name and logo on fraudulent websites. It still doesn’t know who the unnamed defendants that make up Lighthouse are, or exactly how many are involved, though it believes they’re based in China. Google lists 25 Doe defendants, but says the numbers “are meant to be representative.”
But the goal of the lawsuit, in part, is to get the court to declare Lighthouse’s scheme illegal so that the group is also removed by other technology providers, and so law enforcement might gain further information about Lighthouse through discovery, Google’s General Counsel Halimah DeLaine Prado tells The Verge in an interview. While other services offer tools similar to Lighthouse’s, DeLaine Prado says the network caught Google’s attention because of the scale and spike in popularity of its products this year, which Google tracked through the group’s public Telegram channels and since-disrupted YouTube channels used for recruitment and tech support.
Because of how easily Lighthouse can spin up these scam sites, Google says dismantling it “will require persistence.” In the meantime, it’s also endorsing three federal bills it believes will help address these kinds of schemes in the first place: the GUARD Act, the Foreign Robocall Elimination Act, and the SCAM Act. Collectively, Google says these bills would help fund state and local law enforcement’s ability to go after scams that target retirees, create a taskforce to prevent foreign illegal robocalls from reaching US consumers, and hold the transnational groups that traffic people into scamming schemes responsible. Even with these kinds of policies in place, DeLaine Prado says there will continue to be a role for companies like Google in the fight against online scams. “It’s also incumbent on companies to do what they can where they can,” she says. “I think it is a useful thing for us to take our resources to help fight against cyber crime that impacts our users. We can do that at scale, and so I think you’ll see us continue to do it when unfortunate cases like this arise where we think we can shine a light on the behavior.”