Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
If you’ve ever received an unsolicited text message falsely alerting you to an unpaid charge or a failed delivery, it may have come from the so-called Phishing-as-a-Service network that Google is now trying to take down.
Google has filed a lawsuit against several unnamed defendants, saying they form a corporation called Lighthouse. The company disputes in a new complaint that Lighthouse makes a “phishing for dummies” kit for cybercriminals who cannot carry out a large-scale phishing campaign otherwise.
The group would allegedly charge a monthly licensing fee to provide SMS or e-commerce software with hundreds of templates for websites that closely resembled financial institutions or government-affiliated organizations that could trick consumers into entering sensitive details. In just 20 days, Google claims Lighthouse was used to spin 200,000 fraudulent websites to lure more than a million potential victims. It is estimated that between 12.7 million and 115 million credit cards in the United States have been compromised due to fraud.
The page allegedly tracks keystrokes made by users so that information is compromised even if the user has second thoughts before sending
While many people are aware of the type of spam that Lighthouse-enabled services allegedly help spread, the lawsuit details what happens after someone actually clicks on those links. The scammer can allegedly log into a Lighthouse account, using a login page displaying a Google logo that appears as a login option, and use the dashboard to send a text that falsely alerts the potential victim that USPS is requiring a fee to complete their delivery. In this alleged scheme, the text links to a fake USPS page asking the user to enter their personal and payment details. The page tracks keystrokes made by users, according to the complaint, so information is compromised even if the user has second thoughts before sending. These details are populated neatly on the Lighthouse dashboard. The group allegedly runs similar scams impersonating toll collection sites such as EZ Pass, financial institutions, and retail sites, some of which include Google logos on their login pages.
Google is trying to dissolve the group by suing the defendants for allegedly violating the Racketeer Influenced and Corrupt Organizations Act (RICO Act), anti-fraud and trademark infringement laws, as it claims Lighthouse threatened its brand by using its name and logo on fraudulent websites. She still does not know who the unnamed defendants make up Lighthouse, or exactly how many are involved, although she believes they are based in China. Google counts 25 defendants in Doe’s case, but says the numbers are “intended to be representative.”
Google still doesn’t know who the unnamed defendants make up Lighthouse, or exactly how many participants
But the goal of the lawsuit, in part, is to get the court to declare Lighthouse’s scheme illegal so that the group would also be removed by other technology providers and so law enforcement might get more information about Lighthouse through discovery, says Google’s general counsel, Halima Dellen Prado. Edge In an interview. While other services offer tools similar to Lighthouse, DeLaine Prado says the network caught the attention of Google due to the size of its products and rise in popularity this year, which it tracked in public Telegram and since-deactivated YouTube channels for recruitment and technical support.
Given how easily Lighthouse spins these scam sites, Google says dismantling them “will require persistence.” Meanwhile, she also supports three federal bills that she believes will help address these types of schemes in the first place: the GUARD Act, the Alien Robocall Elimination Act, and the SCAM Act. Collectively, Google says these bills will help fund the ability of state and local law enforcement to pursue scams targeting retirees, create a task force to prevent illegal foreign robocalls from reaching American consumers, and hold accountable transnational groups that traffic people in fraud schemes. Even with these types of policies in place, DeLaine Prado says there will still be a role for companies like Google in fighting online fraud. “Businesses also have to do what they can where they can,” she says. “I think it’s valuable for us to use our resources to help combat cybercrime that affects our users. We can do that at scale, and so I think you’ll see us continue to do that when unfortunate cases like this arise where we think we can shine a light on the behavior.”