Google Sues Alleged Operators of “Lighthouse” – A Major Chinese SMS Phishing Network
MOUNTAIN VIEW, CA – April 22, 2024 – Google has filed a lawsuit in U.S. District Court for the Northern District of California against individuals believed to be operating “Lighthouse,” a complex Chinese phishing-as-a-service operation responsible for widespread SMS phishing (smishing) attacks. The lawsuit aims to disrupt the network’s infrastructure and curtail its ability to deploy fraudulent websites designed to steal user credentials and financial information.
Lighthouse provides a complete kit enabling criminals to create convincing fake websites, often mimicking legitimate e-commerce platforms, and distribute them via text message. Victims are lured to these sites with promises of deals, then prompted to enter personal information, including one-time codes used for two-factor authentication. The operation has increasingly focused on creating fake e-commerce sites advertised on platforms like Google and Meta, bypassing traditional phishing lures.
“You find this shop by searching for a particular product online or whatever, and you think you’re getting a good deal,” explained security researcher Chad Merrill of SecAlliance, a CSIS Security Group company, who has tracked Chinese SMS phishing groups for several years. “But of course you never receive the product, and they will phish that one-time code at checkout.”
The phishing kits offered by Lighthouse also include templates featuring payment buttons for services like PayPal, exposing victims who choose that payment method to potential account hijacking. A recent example showcased by KrebsOnSecurity depicts a mobile-optimized fake e-commerce site spoofing PayPal.
Merrill notes the fake e-commerce approach offers phishers greater longevity, as these sites take longer to be flagged as fraudulent compared to traditional phishing pages. While Google’s legal action may temporarily disrupt Lighthouse, he believes the lucrative nature of the Chinese mobile phishing market makes a complete shutdown unlikely.
“The Lighthouse guys will probably burn down their Telegram channels and disappear for a while. They might call it something else or redevelop their service entirely. But I don’t believe for a minute they’re going to close up shop and leave forever,” Merrill stated.
The lawsuit could pave the way for further action against Lighthouse and similar entities. Google may leverage the court’s judgment to pressure Chinese hosting companies Tencent (AS132203) and Alibaba (AS45102) – where a majority of the phishing sites created with these kits are hosted – to shut down malicious domains and IP addresses.
This case highlights the growing threat of sophisticated, commercially available phishing tools and the challenges of combating cybercrime originating from overseas. Google’s legal strategy represents a proactive attempt to increase the costs and disrupt the operations of these criminal networks.