Google on Wednesday said it is taking legal action against a massive, well-known phishing-as-a-service operation called “Lighthouse.”

The phishing kit has powered global scams that swindle victims out of millions of dollars. In fact, Google said Lighthouse has hit over 1 million victims across 120 countries and helped cybercriminals steal between 12.7 million and 115 million credit cards in the U.S. 

The scam involves cybercriminals sending a text that asks victims to click a link and share information, such as their email credentials or banking details. These texts have impersonated popular brands like USPS, E-Z Pass – and Google.

“They exploit the reputations of Google and other brands by illegally displaying our trademarks and services on fraudulent websites,” according to Halimah DeLaine Prado, General Counsel with Google, in a Google post. “We found at least 107 website templates featuring Google's branding on sign-in screens specifically designed to trick people into believing the sites are legitimate.”

What is the Lighthouse phishing kit?

The phishing kit is operated by Smishing Triad, which is a Chinese group that has targeted organizations across various sectors, including postal, telecom, transportation, finance, and retail. The group was first publicized by Resecurity in August 2023 on the heels of a large-scale smishing campaign that was targeting U.S. victims.

In an analysis earlier this year, Silent Push researchers said that a developer behind the phishing kit used by Smishing Triad released a new Telegram channel detailing his new Lighthouse kit in March, which boasted “300+ front desk staff worldwide” in support. 

“Details suggest that sophisticated bank phishing efforts are being set up, with the initial phishing kit targeting major Western financial organizations and banks in Australia, as well as the broader Asia-Pacific (APAC) region,” according to researchers in the April analysis.

What legal action is Google taking against Lighthouse? 

Google said its claims are "designed to dismantle the core infrastructure" of the phishing kit's operation under the following acts:

  • The Racketeer Influenced and Corrupt Organizations (RICO) Act: enables the prosecution of organizations involved with criminal enterprises or racketeering activity (such as wire fraud)
  • The Lanham Act: provides civil liability for trademark infringement or false advertising
  • The Computer Fraud and Abuse Act: bars intentionally accessing computers without authorization

Tech companies have previously taken legal action against cybercriminals as a way to shut down malicious activity misusing their services. Microsoft earlier this year pursued legal action against several individuals linked to Storm-2139, who it said developed tools designed to bypass safety guardrails for generative AI services, including Microsoft’s. Microsoft’s initial filing led to a court issuing a temporary restraining order and preliminary injunction, which allowed the company to seize a website “instrumental to the criminal operation, effectively disrupting the group’s ability to operationalize their services.”

“This… underscores the impact of Microsoft’s legal actions and demonstrates how these measures can effectively disrupt a cybercriminal network by seizing infrastructure and create a powerful deterrent impact among its members,” according to Steven Masada, assistant general counsel with Microsoft’s Digital Crimes Unit, in a statement earlier this year.