Google Sues Cybercrime Group Over E-ZPass, USPS Text Phishing Scams

Google (GOOGL) has filed a lawsuit against a sophisticated cybercriminal organization operating out of China, alleging its involvement in a massive SMS phishing, or “smishing,” campaign that has impacted over a million individuals globally.

The lawsuit, filed Wednesday, targets what cybersecurity researchers have termed the “Smishing Triad,” a group Google alleges is behind the development and deployment of the “Lighthouse” phishing-as-a-service (PaaS) kit. This kit enables the creation and launch of widespread attacks leveraging fraudulent text messages designed to steal sensitive user data.

“This organization was exploiting the trust that consumers place in recognizable brands like E-ZPass, the U.S. Postal Service, and even Google itself,” stated Google general counsel Halimah DeLaine Prado. “The ‘Lighthouse’ software facilitates the creation of fake websites designed to harvest user information on a massive scale.”

Google’s legal action invokes the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act (trademark infringement), and the Computer Fraud and Abuse (CFAA) Act. The company is seeking a court order to dismantle the Smishing Triad and shut down the “Lighthouse” platform, preventing further damage to consumers and brand reputations.

The fraudulent text messages typically contain malicious links redirecting victims to fake websites meticulously crafted to mimic legitimate platforms. These sites are designed to steal a wide range of personal and financial information, including social security numbers, banking credentials, credit card details, and login usernames and passwords.

The messages are often disguised as urgent notifications, such as fake fraud alerts, package delivery updates, or notifications of unpaid government fees, designed to instill a sense of urgency and compel immediate action.

Google estimates the crime group has compromised between 12.7 million and 115 million credit cards in the United States alone, highlighting the scale and scope of their illicit operations. The lawsuit serves as a deterrent designed to halt the operation and prevent others from engaging in similar malicious attacks in the future.

Google’s investigation revealed over 100 website templates generated by “Lighthouse” using Google’s branding on sign-in screens. The sophistication of these sites directly mislead victims to enter their personal details under the impression that the sites are legitimate.

Internal and third-party investigations uncovered evidence that approximately 2,500 individuals associated with the syndicate were communicating on a public Telegram channel. This channel served as a hub for recruiting new members, sharing technical expertise, and testing and maintaining the “Lighthouse” software, facilitating the ongoing development and improvement of the platform. The level of activity demonstrates a complex organizational structure.

According to DeLaine Prado, the organization also included specialized subgroups. A “data broker” group acquired and maintained lists of potential victims. A dedicated “spammer” group was responsible for disseminating SMS messages. A third group, the “theft” group, was tasked with coordinating attacks and exploiting compromised credentials acquired through the phishing operation.

Google emphasizes that it is the first company to pursue legal action against SMS phishing scams extensively. In addition to the lawsuit, Google stated its support for bipartisan bills aimed at strengthening protections against fraud and cyberattacks. These legislative initiatives are crucial for creating a broader legal framework to combat cybercrime.

The proposed legislation includes the Guarding Unprotected Aging Retirees from Deception (GUARD) Act, the Foreign Robocall Elimination Act, which aims to curb foreign-originating illegal robocalls, and the Scam Compound Accountability and Mobilization Act. The latter targets the operators of scam compounds and emphasizes providing support to survivors of human trafficking often associated with these criminal hubs.

The lawsuit is an important part of Google’s overall strategy to raise awareness about online fraud and implement stronger data protection and cybersecurity measures. In addition, the company recently released safety features which are meant to protect user data, including Key Verifier and AI-powered spam detection in Google Messages.