Google is taking legal action against the cybercriminals behind the phishing-as-a-service kit "Lighthouse." According to the search giant, Lighthouse has been used globally to run SMS phishing campaigns (smishing), harming over one million people in more than 120 countries.
"That text message you got about a "stuck package" from USPS or an "unpaid road toll"? It’s not just spam. It’s the calling card of a sophisticated, global scam that has swindled victims out of millions of dollars," Google said in a blog post announcing the litigation.
Lighthouse was sold as a service to bad actors who stole somewhere between 12.7 million and 115 million credit cards in the US alone, representing a five-fold increase in such attacks since 2020. The cybercriminals impersonated well-known names such as E-ZPass or USPS (US Postal Service) to steal financial information from unsuspecting users.
They targeted their victims by sending text messages that prompted recipients to click a link and share valuable information, such as banking and email credentials. Google noted that bad actors "exploit the reputations of Google and other brands by illegally displaying our trademarks and services on fraudulent websites."
The search giant found more than 100 templates featuring its branding on sign-in screens, designed to make people believe the sites are legitimate.
Google said it wants to shut down the enterprise and "dismantle the core infrastructure" to protect users and other brands. It's bringing claims under the Racketeer Influenced and Corrupt Organizations Act, the Lanham Act, and the Computer Fraud and Abuse Act.
Apart from that, Google is also eyeing policy-level changes in the US to fight scam threats. It's endorsing three bipartisan bills: the Guarding Unprotected Aging Retirees from Deception (GUARD) Act, the Foreign Robocall Elimination Act, and the Scam Compound Accountability and Mobilization (SCAM) Act.
The Foreign Robocall Elimination Act would establish a task force against foreign illegal robocalls. Meanwhile, the SCAM Act is meant to counter scam compounds and support survivors of human trafficking within the compounds.
Cybercrimes and financial scams are on the rise, and bad actors have started crafting even more sophisticated phishing attacks. Google recently launched some new scam protection features for Android users and rolled out Recovery Contacts, which people can use to recover their accounts.