Google recently filed a civil lawsuit against 25 individuals allegedly using Lighthouse, a notorious phishing-as-a-service platform. Google believes these people are part of a relentless Chinese smishing group that has attempted to con people in over 120 countries worldwide.
What is the Lighthouse?
The Lighthouse is a Chinese-speaking smishing group that attempts to steal data, including personal information and bank details, from its targets. It’s one of many such groups to emerge in recent years. They follow typical smishing practices, sending a plethora of scam messages via SMS, Google’s RCS service, or Apple’s iMessage. They usually impersonate real organizations, such as banks and delivery services, and encourage victims to enter their personal information on fake websites.
This is made even easier for hackers due to a scamming software aptly named Lighthouse. It’s a subscription phishing-as-a-service tool that allows malicious actors with limited technical knowledge to launch successful smishing attacks. The service includes ready-made templates and fake websites, and comes in weekly, monthly, seasonal, and annual subscriptions.
Google’s allegations
Google’s lawsuit claims that the Lighthouse operation “preys on the public trust in Google” by abusing its technology systems and using its logos on fake sites. It says the group may have stolen between “12.7 million and 115 million” American banking card details.
The lawsuit also outlines the organizational hierarchy. Google believes it consists of admins who organize the groups’ operations, data brokers that provide lists of potential targets, spammers who provide the software, and individuals who access and steal from victims’ bank accounts using stolen account details.
The suit also goes into more detail about the platform itself. Google claims that Lighthouse features over 600 phishing templates that impersonate more than 400 entities or organizations, including 200 located in the US. 116 phishing templates use Google’s or related branding, Gmail, YouTube, or Google Play products.
Potential success
The jury’s out on how effective this lawsuit will be, considering most of the individuals it targets are believed to be in China and are difficult to locate. The lawsuit does not name specific individuals, although it does feature their Telegram handles. Even so, Google believes the lawsuit may help other companies dismantle the global smishing operation.
Speaking to Wired, Google’s DeLaine Prado says:
“Filing a case in the US actually allows us to have a deterrent impact outside of the US borders. Rulings in the company’s favor would also allow it to ‘go to other platforms that are hosting vectors or aspects’ of the Lighthouse network and ask them to take them down.”
Cora is a digital copywriter for SSLs.com. Having eight years of experience in online content creation, she is a versatile writer with an interest in a wide variety of topics, ranging from technology to marketing.