Google is suing to stop phishing attacks that target millions globally, including campaigns that fake toll notices, offer bogus e-commerce deals, and impersonate financial institutions.
In a complaint filed Wednesday, the tech giant accused “a cybercriminal group in China” of selling “phishing for dummies” kits. The kits help unsavvy fraudsters easily “execute a large-scale phishing campaign,” tricking hordes of unsuspecting people into “disclosing sensitive information like passwords, credit card numbers, or banking information, often by impersonating well-known brands, government agencies, or even people the victim knows.”
These branded “Lighthouse” kits offer two versions of software, depending on whether bad actors want to launch SMS or e-commerce scams. “Members may subscribe to weekly, monthly, seasonal, annual, or permanent licenses,” Google alleged. Kits include “hundreds of templates for fake websites, domain set-up tools for those fake websites, and other features designed to dupe victims into believing they are entering sensitive information on a legitimate website.”
Google’s filing said the scams often begin with a text claiming that a toll fee is overdue or a small fee must be paid to redeliver a package. Other times they appear as ads—sometimes even Google ads, until Google detected and suspended accounts—luring victims by mimicking popular brands. Anyone who clicks will be redirected to a website to input sensitive information; the sites often claim to accept payments from trusted wallets like Google Pay.
From there, a vast criminal network operating through YouTube and Telegram channels works to gather the information, with each scammer playing a specific role in a wide-reaching scheme that Google noted has tricked more than a million people in 121 countries so far. Draining wallets and sometimes even bank accounts, the Lighthouse schemes have resulted in losses of “over a billion dollars,” a Google press release said, citing a Department of Homeland Security estimate.
Google is seeking an injunction to end the scams, noting that Google customers are among “millions of innocent victims,” as is Google, which dedicates “substantial” resources to detecting phishing. The tech company is also upset that Lighthouse website templates abuse the Google trademark to dupe users into thinking that it’s safe to enter credentials, noting that “at least 116 templates feature a Google logo (YouTube, Gmail, Google, or Google Play) on the sign-in screen.”
“The Lighthouse Enterprise preys on the public trust in Google,” the tech company alleged. Google hopes to recover damages if a court agrees that the criminal activity harmed the company’s reputation and earnings.
Scams “disproportionately” target Americans
“The scale of Lighthouse phishing attacks is staggering,” Google’s complaint said, alleging that the Lighthouse enterprise’s scheme “disproportionately targets US victims” by relying on trusted institutions like USPS or known brands like E-Z Pass.
“Millions of Americans” have been targeted, while the total damage remains unknown, Google alleged. From July 2023 to October 2024, “between 12.7 million and 115 million credit cards may have been compromised in the United States alone,” the filing said.
According to Google, once scammers obtain a victim’s credit card information, they often load stolen cards into Google Wallet. They then take advantage of “tap-to-pay” functionality by either buying gift cards in bulk in person or acquiring tap-to-pay machines and making payments “directly to themselves.” Scammers can also profit from pump-and-dump schemes, “pre-purchasing shares of a particular stock, and then using compromised brokerage accounts to purchase large volumes of the stock, inflating the price before they liquidate their original holdings,” Google alleged.
Blocking scammers is a challenge, Google said, alleging that Lighthouse can quickly “notify users when a phishing domain has been flagged as suspicious” by a browser like Chrome. Scammers use Google’s own transparency reporting against the company, the complaint said, “automatically” querying “transparencyreport.google.com every 15 minutes to determine whether Google has flagged a phishing domain as malicious.” This gives scammers time to switch domains and “avoid detection,” Google alleged.
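The fixed 15-minute polling described in the complaint leaves a regular timing signature in a lookup service's own query logs. The following Python is an added example, not taken from the article or Google's filing, that flags clients re-querying the same domain at a steady interval; the log format, client keys, and domains are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lookup log: ISO timestamp, client key, queried domain.
SAMPLE_LOG = """\
2025-01-10T08:00:03Z client-a toll-pay.example
2025-01-10T08:15:01Z client-a toll-pay.example
2025-01-10T08:30:04Z client-a toll-pay.example
2025-01-10T08:45:02Z client-a toll-pay.example
2025-01-10T09:00:05Z client-a toll-pay.example
2025-01-10T08:02:00Z client-b shop.example
2025-01-10T08:03:10Z client-b shop.example
2025-01-10T11:47:30Z client-b shop.example
2025-01-10T08:10:00Z client-c news.example
"""

def parse(log_text):
    """Group query times (epoch seconds) by (client, domain)."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guess at fields
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        series[(parts[1], parts[2])].append(ts.timestamp())
    return series

def find_periodic_pollers(log_text, period=900, tolerance=60, min_queries=4):
    """Return (client, domain, median_gap) for fixed-interval repeat lookups."""
    flagged = []
    for (client, domain), times in sorted(parse(log_text).items()):
        if len(times) < min_queries:
            continue  # too few samples to call it a schedule
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Require every gap near the period so one coincidence is not enough.
        if all(abs(g - period) <= tolerance for g in gaps):
            flagged.append((client, domain, median(gaps)))
    return flagged

if __name__ == "__main__":
    for client, domain, gap in find_periodic_pollers(SAMPLE_LOG):
        print(f"{client} polls {domain} every ~{gap:.0f}s")
```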
Even robust security measures don’t stop the scams, Google claimed, as Lighthouse is designed to dupe users into providing multi-factor authentication (MFA) codes.
“Both versions of the Lighthouse software also allow threat actors to create fictitious” MFA pages, Google alleged, “further deceiving targets into believing they are interacting with legitimate entities.”
By relying on fake MFA pages, scammers can trick users into sharing security codes: they monitor the text fields on scam websites and add the credit card info the victim just entered to a Google Wallet at the moment that the victim expects “the code is being received in response to the victim’s purchase authorization,” Google said.
Cracking down on the broad enterprise will be tough, Google anticipates, with its complaint only referencing online aliases and naming a range of John Doe defendants. But identities of all actors in the enterprise—including software developers, data brokers, spammers, thieves, and administrators—must be uncovered to stop the criminal gang from continuing to provide so-called phishing-as-a-service.
“Who is fishing? Looking for a partner.”
The Lighthouse enterprise today mainly coordinates attacks on several Telegram channels, Google alleged, since the tech giant suspended a YouTube channel associated with the criminal activity.
On Telegram, members of the criminal network can “purchase the software, learn how to create various phishing attacks, and, upon purchase, meet the other members of the Enterprise,” Google claimed.
One Telegram channel has over 2,500 members, Google’s filing said. On that channel, members can connect with others who have certain specialties, with users making requests like “Who can send a few US live baits?” or “Who is fishing? Looking for a partner.” Others seek help selling stolen credentials, like one user who posted, “selling pure handmade wealthy accounts with Zel[le] activation, telegraphic transfer accounts, Apple CASH ID, those who understand, come.”
Google monitors Telegram and has spent “hundreds of hours investigating and remediating” Lighthouse scams, the complaint said, and the tech giant now expects that a lawsuit could finally stop the well-known schemes from spreading. Otherwise, Google and countless others will continue suffering “irreparable harm,” the complaint said.
Damages are not specified in the complaint, which accused the Lighthouse enterprise of committing wire fraud and violating the Racketeer Influenced and Corrupt Organizations Act, the Lanham Act, and the Computer Fraud and Abuse Act, among other allegations.
If Google wins, the phishing scams may finally slow, ending the days of Americans squinting at their phones to figure out if they ordered a package or forgot to pay a toll.
“Google’s historic lawsuit marks the first time a company has taken action to curb these scams and dismantle this criminal enterprise,” Google said, vowing to “disrupt the criminal enterprise behind this scheme and stop its spread.”
Google is trying to take down a group sending you all those spammy texts