Google has taken legal action to dismantle a phishing-as-a-service (PhaaS) network likely operated from China as SMS phishing (smishing) attacks surge.
On November 12, the US tech giant filed a civil lawsuit in the Southern District of New York against 25 unnamed individuals described as “foreign cybercriminals who have engaged in relentless phishing attacks against millions of innocent victims, including Google customers, to steal personal and financial information.”
This group of people are accused of running ‘Lighthouse,’ a PhaaS kit used by cyber threat actors to generate and deploy massive smishing attacks.
In a statement accompanying the lawsuit, Halimah DeLaine Prado, general counsel at Google, said the kit was linked to at least 107 website templates featuring Google’s branding on sign-in screens. These fraudulent websites are specifically designed to trick people into believing the sites are legitimate.
Lighthouse and the ‘Smishing Triad’
Lighthouse has been used to deploy smishing attacks, especially by a loosely linked collective sometimes called the ‘Smishing Triad,’ targeting major Western financial organizations and banks in Australia, as well as the broader Asia-Pacific (APAC) region.
According to an April 2025 Silent Push report, the Smishing Triad collective has been operating since 2023, but the latest version of the Lighthouse kit was unveiled on Telegram on March 18, 2025.
The targets of Smishing Triad attacks span across several industries, including postal, logistics, telecommunications, transportation, finance, retail and public sectors.
In the filing, Lighthouse is described as a “phishing for dummies” kit for cybercriminals who could not otherwise execute a large-scale phishing campaign.
The kit allegedly offers over 600 templates for fraudulent phishing websites, “each designed to resemble the legitimate website of one of more than 400 entities or institutions,” the complaint alleged.
Lighthouse users can filter and search for templates by geographic region, country, official website and update time. At least 116 templates feature a Google logo (YouTube, Gmail, Google or Google Play) on the sign-in screen, the tech giant said.
The kit was reportedly used to launch 32,094 distinct US Postal Service (USPS) phishing websites – with an average of 50,000 page visits – from July 2023 through October 2024.
Google’s DeLaine Prado also claimed that Lighthouse has targeted over one million people in over 121 countries.
“The scam is simple: criminals send a text message, prompting recipients to click a link and share information such as email credentials, banking information and more. They exploit the reputations of Google and other brands by illegally displaying our trademarks and services on fraudulent websites,” DeLaine Prado explained.
In the filing, Google also said that Lighthouse operates as a sophisticated hub, where specialized teams, ranging from data harvesters to SMS spammers and stolen-data brokers, collaborate through dedicated forums to deploy, refine and monetize large-scale phishing attacks.
Google has determined that shutting down the Lighthouse operation will require persistent, long-term efforts because of its highly adaptive and decentralized nature, where the group can quickly pivot infrastructure and launch new phishing campaigns with minimal resources.
Google Backs Three US Bills to Strengthen Scam Crackdowns
On top of taking legal action, which it said can address a single operation, Google also advocated broader public policy to address the broader threat of phishing and smishing scams.
The tech giant announced it is endorsing three bipartisan bills in the US Congress:
- Guarding Unprotected Aging Retirees from Deception (GUARD) Act, which Google said “would empower state and local law enforcement by enabling them to utilize federal grant funding to investigate financial fraud and scams specifically targeting retirees”
- Foreign Robocall Elimination Act, which “would establish a taskforce focused on how to best block foreign-originated illegal robocalls before they ever reach American consumers”
- Scam Compound Accountability and Mobilization (SCAM) Act, which “would develop a national strategy to counter scam compounds, enhance sanctions and support survivors of human trafficking within these compounds”
The tech giant also announced the launch of new scam prevention features, including AI-powered flagging systems for scam messages like fake toll fees or package deliveries as well as the expansion of account recovery options with Recovery Contacts – the option to ask a friend or family member to recover your account.
