{"id":8438,"date":"2025-11-14T03:04:04","date_gmt":"2025-11-14T03:04:04","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/11\/14\/google-sues-to-disrupt-chinese-sms-phishing-triad\/"},"modified":"2025-11-14T03:04:04","modified_gmt":"2025-11-14T03:04:04","slug":"google-sues-to-disrupt-chinese-sms-phishing-triad","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/11\/14\/google-sues-to-disrupt-chinese-sms-phishing-triad\/","title":{"rendered":"Google Sues to Disrupt Chinese SMS Phishing Triad"},"content":{"rendered":"<div>\n<p><strong>Google<\/strong> is suing more than two dozen unnamed individuals allegedly involved in peddling a popular China-based mobile phishing service that helps scammers impersonate hundreds of trusted brands, blast out text message lures, and convert phished payment card data into mobile wallets from Apple and Google.<\/p>\n<p>In <a href=\"https:\/\/www.courtlistener.com\/docket\/71900274\/1\/google-llc-v-does-1-25\/\" target=\"_blank\" rel=\"noopener\">a lawsuit<\/a> filed in the Southern District of New York on November 12, Google sued to unmask and disrupt 25 \u201cJohn Doe\u201d defendants allegedly linked to the sale of <strong>Lighthouse<\/strong>, a sophisticated phishing kit that makes it simple for even novices to steal payment card data from mobile users. 
Google said Lighthouse has harmed more than a million victims across 120 countries.<\/p>\n<div id=\"attachment_70098\" style=\"width: 625px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" loading=\"lazy\" aria-describedby=\"caption-attachment-70098\" decoding=\"async\" class=\" wp-image-70098\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/01\/lighthouse-tollroads.png?resize=615%2C852&#038;ssl=1\" alt=\"\" width=\"615\" height=\"852\"><\/p>\n<p id=\"caption-attachment-70098\" class=\"wp-caption-text\">A component of the Chinese phishing kit Lighthouse made to target customers of The Toll Roads, which refers to several state routes through Orange County, Calif.<\/p>\n<\/div>\n<p>Lighthouse is one of several prolific phishing-as-a-service operations known as the \u201c<strong>Smishing Triad<\/strong>,\u201d and collectively they are responsible for sending <a href=\"https:\/\/krebsonsecurity.com\/2025\/01\/chinese-innovations-spawn-wave-of-toll-phishing-via-sms\/\" target=\"_blank\" rel=\"noopener\">millions of text messages that spoof the U.S. Postal Service<\/a> to supposedly collect some outstanding delivery fee, or that pretend to be a local toll road operator warning of a delinquent toll fee. More recently, Lighthouse has been used to spoof e-commerce websites, <a href=\"https:\/\/krebsonsecurity.com\/2025\/04\/china-based-sms-phishing-triad-pivots-to-banks\/\" target=\"_blank\" rel=\"noopener\">financial institutions<\/a> and <a href=\"https:\/\/krebsonsecurity.com\/2025\/08\/mobile-phishers-target-brokerage-accounts-in-ramp-and-dump-cashout-scheme\/\" target=\"_blank\" rel=\"noopener\">brokerage firms<\/a>.<\/p>\n<p>Regardless of the text message lure or brand used, the basic scam remains the same: After the visitor enters their payment information, the phishing site will automatically attempt to enroll the card as a mobile wallet from Apple or Google. 
The phishing site then tells the visitor that their bank is going to verify the transaction by sending a one-time code that needs to be entered into the payment page before the transaction can be completed.<\/p>\n<p>If the recipient provides that one-time code, the scammers can <a href=\"https:\/\/krebsonsecurity.com\/2025\/02\/how-phished-data-turns-into-apple-google-wallets\/\" target=\"_blank\" rel=\"noopener\">link the victim\u2019s card data to a mobile wallet<\/a> on a device that they control. Researchers say the fraudsters usually load several stolen wallets onto each mobile device, and wait 7-10 days after that enrollment before selling the phones or using them for fraud.<\/p>\n<p>Google called the scale of the Lighthouse phishing attacks \u201cstaggering.\u201d A <a href=\"https:\/\/www.silentpush.com\/blog\/smishing-triad\/\" target=\"_blank\" rel=\"noopener\">May 2025 report<\/a> from <strong>Silent Push<\/strong> found the domains used by the Smishing Triad are rotated frequently, with approximately 25,000 phishing domains active during any 8-day period.<\/p>\n<p>Google\u2019s lawsuit alleges the purveyors of Lighthouse violated the company\u2019s trademarks by including Google\u2019s logos on countless phishing websites. 
The complaint says Lighthouse offers over 600 templates for phishing websites of more than 400 entities, and that Google\u2019s logos were featured on at least a quarter of those templates.<\/p>\n<p>Google is also pursuing Lighthouse under the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Racketeer_Influenced_and_Corrupt_Organizations_Act\" target=\"_blank\" rel=\"noopener\">Racketeer Influenced and Corrupt Organizations (RICO) Act<\/a>, saying the Lighthouse phishing enterprise encompasses several connected threat actor groups that work together to design and implement complex criminal schemes targeting the general public.<\/p>\n<p>According to Google, those threat actor teams include a \u201c<strong>developer group<\/strong>\u201d that supplies the phishing software and templates; a \u201c<strong>data broker group<\/strong>\u201d that provides a list of targets; a \u201c<strong>spammer group<\/strong>\u201d that provides the tools to send fraudulent text messages in volume; a \u201c<strong>theft group<\/strong>,\u201d in charge of monetizing the phished information; and an \u201c<strong>administrative group<\/strong>,\u201d which runs their Telegram support channels and discussion groups designed to facilitate collaboration and recruit new members.<\/p>\n<p>\u201cWhile different members of the Enterprise may play different roles in the Schemes, they all collaborate to execute phishing attacks that rely on the Lighthouse software,\u201d Google\u2019s complaint alleges. \u201cNone of the Enterprise\u2019s Schemes can generate revenue without collaboration and cooperation among the members of the Enterprise. 
All of the threat actor groups are connected to one another through historical and current business ties, including through their use of Lighthouse and the online community supporting its use, which exists on both YouTube and Telegram channels.\u201d<\/p>\n<p>Silent Push\u2019s May report observed that the Smishing Triad boasts it has \u201c300+ front desk staff worldwide\u201d involved in Lighthouse, staff that is mainly used to support various aspects of the group\u2019s fraud and cash-out schemes.<\/p>\n<div id=\"attachment_70435\" style=\"width: 659px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-70435\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-70435\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/02\/phonesashtray.png?resize=649%2C862&#038;ssl=1\" alt=\"\" width=\"649\" height=\"862\"><\/p>\n<p id=\"caption-attachment-70435\" class=\"wp-caption-text\">An image shared by an SMS phishing group shows a panel of mobile phones responsible for mass-sending phishing messages. These panels require a live operator because the one-time codes being shared by phishing victims must be used quickly as they generally expire within a few minutes.<\/p>\n<\/div>\n<p><span id=\"more-72607\"><\/span><\/p>\n<p>Google alleges that in addition to blasting out text messages spoofing known brands, Lighthouse makes it easy for customers to mass-create fake e-commerce websites that are advertised using Google Ads accounts (and paid for with stolen credit cards). These phony merchants collect payment card information at checkout, and then prompt the customer to expect and share a one-time code sent from their financial institution.<\/p>\n<p>Once again, that one-time code is being sent by the bank because the fake e-commerce site has just attempted to enroll the victim\u2019s payment card data in a mobile wallet. 
By the time a victim understands they will likely never receive the item they just purchased from the fake e-commerce shop, the scammers have already run through hundreds of dollars in fraudulent charges, often at high-end electronics stores or jewelers.<\/p>\n<p><strong>Ford Merrill<\/strong>\u00a0works in security research at\u00a0<a href=\"https:\/\/www.secalliance.com\/\" target=\"_blank\" rel=\"noopener\">SecAlliance<\/a>, a\u00a0<a href=\"https:\/\/www.csis.com\/\" target=\"_blank\" rel=\"noopener\">CSIS Security Group<\/a> company, and he\u2019s been tracking Chinese SMS phishing groups for several years. Merrill said many Lighthouse customers are now using the phishing kit to erect fake e-commerce websites that are advertised on Google and Meta platforms.<\/p>\n<p>\u201cYou find this shop by searching for a particular product online or whatever, and you think you\u2019re getting a good deal,\u201d Merrill said. \u201cBut of course you never receive the product, and they will phish that one-time code at checkout.\u201d<\/p>\n<p>Merrill said some of the phishing templates include payment buttons for services like <strong>PayPal<\/strong>, and that victims who choose to pay through PayPal can also see their PayPal accounts hijacked.<\/p>\n<div id=\"attachment_70946\" style=\"width: 733px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-70946\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-70946\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/paypalsmish.png?resize=723%2C512&#038;ssl=1\" alt=\"\" width=\"723\" height=\"512\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/paypalsmish.png 723w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/paypalsmish-100x70.png 100w\" sizes=\"(max-width: 723px) 100vw, 723px\"><\/p>\n<p id=\"caption-attachment-70946\" class=\"wp-caption-text\">A fake e-commerce site from the Smishing 
Triad spoofing PayPal on a mobile device.<\/p>\n<\/div>\n<p>\u201cThe main advantage of the fake e-commerce site is that it doesn\u2019t require them to send out message lures,\u201d Merrill said, noting that the fake vendor sites have more staying power than traditional phishing sites because it takes far longer for them to be flagged for fraud.<\/p>\n<p>Merrill said Google\u2019s legal action may temporarily disrupt the Lighthouse operators, and could make it easier for U.S. federal authorities to bring criminal charges against the group. But he said the Chinese mobile phishing market is so lucrative right now that it\u2019s difficult to imagine a popular phishing service voluntarily turning out the lights.<\/p>\n<p>Merrill said Google\u2019s lawsuit also can help lay the groundwork for future disruptive actions against Lighthouse and other phishing-as-a-service entities that are operating almost entirely on Chinese networks. According to Silent Push, a majority of the phishing sites created with these kits are sitting at two Chinese hosting companies: <strong>Tencent<\/strong> (AS132203) and <strong>Alibaba<\/strong> (AS45102).<\/p>\n<p>\u201cOnce Google has a default judgment against the Lighthouse guys in court, theoretically they could use that to go to Alibaba and Tencent and say, \u2018These guys have been found guilty, here are their domains and IP addresses, we want you to shut these down or we\u2019ll include you in the case.&#8217;\u201d<\/p>\n<p>If Google can bring that kind of legal pressure consistently over time, Merrill said, they might succeed in increasing costs for the phishers and more frequently disrupting their operations.<\/p>\n<p>\u201cIf you take all of these Chinese phishing kit developers, I have to believe it\u2019s tens of thousands of Chinese-speaking people involved,\u201d he said. \u201cThe Lighthouse guys will probably burn down their Telegram channels and disappear for a while. 
They might call it something else or redevelop their service entirely. But I don\u2019t believe for a minute they\u2019re going to close up shop and leave forever.\u201d<\/p>\n<\/div>\n<p>BrianKrebs<br \/>\n<a href=\"https:\/\/krebsonsecurity.com\/2025\/11\/google-sues-to-disrupt-chinese-sms-phishing-triad\/\">Go to krebsonsecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Google Sues to Disrupt Chinese SMS Phishing Triad Google is suing more than two dozen unnamed individuals allegedly involved in peddling a popular China-based mobile phishing service that helps scammers impersonate hundreds of trusted brands, blast out text message lures, and convert phished payment card data into mobile wallets from Apple and Google. In a [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[188,2031,276,571,574,163,55,577,2032,2033,581,446,1107,2034,207,370],"tags":[72],"class_list":["post-8438","post","type-post","status-publish","format-standard","hentry","category-a-little-sunshine","category-alibaba","category-apple","category-csis-security-group","category-ford-merrill","category-google","category-krebsonsecurity","category-lighthouse","category-mobile-phishing","category-racketeer-influenced-and-corrupt-organizations-rico-act","category-secalliance","category-silent-push","category-smishing-triad","category-tencent","category-the-coming-storm","category-web-fraud-2-0","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8438"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.c
om\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8438"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8438\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8438"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8438"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8438"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}