Cyberwire Daily
Google Sues China-Based Hackers Behind $1 Billion Lighthouse Phishing Platform

By Team-CWD, November 21, 2025

Google has filed a civil lawsuit in the U.S. District Court for the Southern District of New York (SDNY) against China-based hackers who are behind a massive Phishing-as-a-Service (PhaaS) platform called Lighthouse that has ensnared over 1 million users across 120 countries.

The PhaaS kit is used to conduct large-scale SMS phishing attacks that exploit trusted brands like E-ZPass and USPS to steal people’s financial information by prompting them to click on a link using lures related to fake toll fees or package deliveries. While the scam in itself is fairly simple, it’s the industrial scale of the operation that has allowed it to illegally make more than a billion dollars over the past three years.

“They exploit the reputations of Google and other brands by illegally displaying our trademarks and services on fraudulent websites,” Halimah DeLaine Prado, General Counsel at Google, said. “We found at least 107 website templates featuring Google’s branding on sign-in screens specifically designed to trick people into believing the sites are legitimate.”

The company said it’s taking legal action to dismantle the underlying infrastructure under the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act, and the Computer Fraud and Abuse Act.

Lighthouse, along with other PhaaS platforms like Darcula and Lucid, is part of an interconnected cybercrime ecosystem operating out of China that is known to send thousands of smishing messages via Apple iMessage and Google Messages’ RCS capabilities to users in the U.S. and beyond in hopes of stealing sensitive data. These kits have been put to use by a smishing syndicate tracked as Smishing Triad.

In a report published in September, Netcraft revealed that Lighthouse and Lucid have been linked to more than 17,500 phishing domains targeting 316 brands from 74 countries. Phishing templates associated with Lighthouse are licensed for anywhere from $88 for a week to $1,588 for a yearly subscription.

“While Lighthouse operates independently of the XinXin group, its alignment with Lucid in terms of infrastructure and targeting patterns highlights the broader trend of collaboration and innovation within the PhaaS ecosystem,” Swiss cybersecurity company PRODAFT said in a report published in April.

It’s estimated that Chinese smishing syndicates may have compromised between 12.7 million and 115 million payment cards in the U.S. alone between July 2023 and October 2024. In recent years, cybercrime groups from China have also evolved to develop new tools like Ghost Tap to add stolen card details to digital wallets on iPhones and Android phones.

As recently as last month, Palo Alto Networks Unit 42 said the threat actors behind Smishing Triad have used more than 194,000 malicious domains since January 1, 2024, mimicking a wide range of services, including banks, cryptocurrency exchanges, mail and delivery services, police forces, state-owned enterprises, and electronic tolls, among others.

“We believe all three PhaaS services (Lighthouse, Darcula, and Lucid) are utilized by Smishing Triad for a variety of technical and non-technical reasons,” Kasey Best, director of threat intelligence at Silent Push, told The Hacker News, adding the company has observed users of Lighthouse shifting back and forth between both Darcula and Lucid on an infrastructure level.

“Worthy of note is that there is an entire ecosystem at play here where Chinese smishing actors discuss their fraudulent activities openly in Telegram channels and share knowledge across their various lines of effort. The shared Chinese terminology used amongst those active in the channels only further reinforces the connections between these PhaaS providers and Smishing Triad.”

Update

Google said the Lighthouse phishing service has been disrupted after the company filed a lawsuit against the cybercrime group operating it. A screenshot shared by Google with The Hacker News shows a Chinese-language Telegram message allegedly posted by the threat actors, stating their “cloud server has been blocked due to malicious complaints.” Several Telegram channels previously identified as managed by Lighthouse have been deleted or taken down.

“This shutdown of Lighthouse’s operations is a win for everyone,” DeLaine Prado said. “We will continue to hold malicious scammers accountable and protect consumers.”

Lighthouse is one of many such phishing kits that have emerged from the Chinese cybercrime ecosystem. Smishing Triad has used these services to orchestrate social engineering campaigns that impersonate a wide range of legitimate entities, in hopes of redirecting users to malicious links designed to capture sensitive information.

While it’s too soon to say if the recent effort could force the attackers to adjust their modus operandi, a Google spokesperson told the publication that “we always expect bad actors to change their tactics, that’s why we continue to stay vigilant, adjust our tactics and take action like we did.”

Silent Push’s Best also confirmed that all Telegram channels associated with the PhaaS service have been either deleted or taken down due to Telegram terms of service (ToS) violations. Some of the channels are listed below:

  • t[.]me/laowangLiveGroup
  • t[.]me/LighthouseShopBot
  • t[.]me/WdyLiveBot
  • t[.]me/laowang_notice
  • t[.]me/laowang_merchants
  • t[.]me/s8888s
  • t[.]me/wangduoyu0

“We are tracking many websites still active and using Lighthouse kit code, as well as phishing kits used by other Smishing Triad threat actors, but there could be backend changes with Lighthouse or other disruptions in this criminal ecosystem which are just starting to be seen,” Best added. “Either way, this is a positive sign for Google’s lawsuit, and we look forward to increased pressure against smishing threat actors based mostly in China.”


