If you’ve ever been hit with a sketchy text warning you of an overdue toll road payment or mysterious Postal Service fees, you’ve likely been targeted by one of the largest cyber scams sweeping the globe.
Now, Google is suing an international cybercrime group it believes is responsible for the ubiquitous text-based phishing scheme, which may have raked in as much as $1 billion over the last three years. In the lawsuit, filed Wednesday, Google alleges that 25 people are part of a sprawling scam operation known as “Lighthouse” designed to swipe the logins and passwords of victims caught in its web.
The Lighthouse scam hinges on tricking people with bogus texts, prompting them to click a link and share their credentials on fake websites. The websites display legitimate-looking logos of brands like Google, Gmail, or YouTube to convince potential victims that the fake webpages are real, hence the company’s involvement. Google says that it found 107 website templates misusing Google branding on their sign-in screens in order to fool people into thinking those sites are safe and actually connected to Google’s products.
According to the lawsuit, almost 200 fake web templates connected to the Lighthouse network imitate U.S. websites like those belonging to New York’s city government and the USPS. Beyond Google’s own logos, the fake sites display official-looking logos of payment companies and social media platforms. Google and other security researchers believe that the text phishing scam network is based in China, well beyond the reach of U.S. law enforcement.
“Bad actors built ‘Lighthouse’ as a phishing-as-a-service kit to generate and deploy massive ‘smishing’ (SMS phishing) attacks,” Google General Counsel Halimah DeLaine Prado wrote on the company’s blog. “These attacks exploit established brands like E-Z Pass to steal people’s financial information.”
Google notes that this family of cybercrime is causing “immense financial harm” around the globe, and that the company intends to disrupt the scheme’s core infrastructure with the lawsuit. In it, Google alleges that the unnamed individuals connected to the Lighthouse scam have run afoul of the Racketeer Influenced and Corrupt Organizations Act (RICO), the Lanham Act, which protects trademarks, and the Computer Fraud and Abuse Act.
Because the operation is likely based in China, Google’s suit probably won’t be dragging anyone to court overnight, but it could still disrupt the group’s web hosting and other aspects of its infrastructure. Because Google doesn’t know the names of the 25 individuals connected to the scam, the suit includes their Telegram handles when they are known.
To fight cyber scams on U.S. soil, Google also announced Wednesday that it will back a handful of bipartisan bills designed to disrupt fraud, counter scams and block robocalls that originate overseas.
“Legal action can address a single operation; robust public policy can address the broader threat of scams,” DeLaine Prado said. “We encourage Congress to enact these crucial bills and help bring a decisive end to the financial harm and damage wrought by foreign cybercriminals.”