Google sues 25 China-based scammers behind Lighthouse ‘phishing for dummies’ kit
Google has filed a lawsuit against 25 unnamed China-based scammers, which it claims have stolen more than 115 million credit card numbers in the US as part of the Lighthouse phishing operation.
Lighthouse is a phishing software service described in the lawsuit [PDF] as a “phishing for dummies” kit. Criminals pay a monthly subscription fee for access to hundreds of templates for fake websites, domain set-up tools for those phony sites, and other features designed to dupe victims into believing they are visiting a legitimate website. The crims use these sites to trick victims into entering their financial info and other sensitive details, which the crooks then steal.
These scams include text messages alerting victims about an “unpaid toll violation,” or a “stuck package” purporting to come from the US Postal Service.
Over a 20-day period, criminals using Lighthouse created more than 200,000 fraudulent websites to target more than one million victims across 121 countries, according to Silent Push security researchers.
In total, Lighthouse offers more than 600 phishing websites mimicking real websites belonging to over 400 entities. At least 116 of these templates feature a Google logo, such as YouTube, Gmail, or Google Play, on the sign-in screen – and that’s where Google’s attorneys come into the picture.
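The two ingredients described above, a lure theme in the text ("unpaid toll", "stuck package") and a link to a freshly registered site dressed up with a real brand's name and logo, are exactly what a defender can key on when triaging reported SMS. The following Python is an added example for this article, not code from Google, Silent Push, or the lawsuit; the brand allowlist, the lure regexes, and the sample messages are all constructed for illustration, and the `.example` domains are reserved names, not real sites.

```python
import re
from urllib.parse import urlparse

# Brands the lures in the article impersonate, mapped to domains those brands
# legitimately use. Constructed allowlist for this example; a real deployment
# would maintain this list from the organisation's own intelligence.
BRAND_ALLOWLIST = {
    "usps": {"usps.com"},
    "google": {"google.com"},
    "gmail": {"google.com", "gmail.com"},
    "youtube": {"youtube.com"},
}

# One regex per lure theme named in the article (constructed patterns).
LURE_PATTERNS = {
    "toll": re.compile(r"\b(unpaid|outstanding)\s+toll\b", re.I),
    "package": re.compile(
        r"\b(stuck|held|undeliverable)\s+package\b"
        r"|\bpackage\s+(is|was)\s+(stuck|held)\b", re.I),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Deliberately naive: no public-suffix
    list, so 'example.co.uk' would come back as 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def impersonated_brands(url: str) -> list[str]:
    """Brands whose name appears in the hostname while the registrable
    domain is not one the brand actually owns (per the allowlist)."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    return [brand for brand, legit in BRAND_ALLOWLIST.items()
            if brand in host and reg not in legit]


def analyze_sms(text: str) -> dict:
    """Triage one SMS body: which lure themes fire, which URLs it carries,
    and which brands those URLs impersonate. Verdict is 'suspicious' when a
    brand is impersonated or a lure theme is paired with any link,
    'review' for a lure with no link, otherwise 'benign'."""
    lures = [name for name, pat in LURE_PATTERNS.items() if pat.search(text)]
    urls = [u.rstrip(".,)") for u in URL_RE.findall(text)]
    impersonated = sorted({b for u in urls for b in impersonated_brands(u)})
    if impersonated or (lures and urls):
        verdict = "suspicious"
    elif lures:
        verdict = "review"
    else:
        verdict = "benign"
    return {"lures": lures, "urls": urls,
            "impersonated": impersonated, "verdict": verdict}


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    "USPS: your package is stuck at our facility. Confirm your address at "
    "https://usps-delivery-hold.example/track",
    "Final notice: unpaid toll violation. Pay now at https://toll-pay.example/bill",
    "Track your USPS package at https://tools.usps.com/go/TrackConfirmAction",
    "Meeting moved to 3pm, see you there",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = analyze_sms(msg)
        print(f"{result['verdict']:10s} lures={result['lures']} "
              f"brands={result['impersonated']}  {msg[:50]}")
```

The brand check is the part that scales: lure wording changes from campaign to campaign, but a kit that sells "templates with a Google logo" still has to host them on a domain Google does not own, and that mismatch is stable. The `registrable_domain` helper is intentionally simplistic; swap in a public-suffix-aware library before using this on real traffic, or multi-label TLDs will produce false negatives.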
These phishing attacks have harmed Google’s customers and the company itself through the unauthorized use of its trademarks and services, according to the lawsuit.
“The Defendants are a group of foreign cybercriminals who have engaged in relentless phishing attacks against millions of innocent victims, including Google customers, to steal personal and financial information,” the lawsuit alleges. “These attacks have collectively swindled innocent victims out of millions of dollars and harmed Google through the unauthorized use of its trademarks and services.”
Google’s complaint, citing the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Trademark Act of 1946, and the Computer Fraud and Abuse Act, seeks to disrupt the Lighthouse scams and prevent operators from causing future harm. It also seeks to recover damages the criminals obtained from the phishing operations.
It’s worth noting that the 25 “Does” in the lawsuit are very unlikely to end up in a US court – or to see their Lighthouse phishing kit shut down – as they are presumably in China. Beijing seldom allows extraditions to America or prosecutes Chinese scammers stealing money from foreign victims.
In July, Google filed a similar lawsuit against 25 unnamed individuals in China it accuses of breaking into more than 10 million devices worldwide, using those compromised devices to build a botnet (BadBox 2.0) they allegedly used to carry out other cybercrimes and fraud.
None of those individuals have seen the inside of a US courtroom, and Human Security CISO Gavin Reid told The Register in an earlier interview: “We expect there will be a Badbox 3.”
Human Security worked with Google and other security orgs to identify the C2 servers and domains directing the hijacked devices.
There oughta be a law
Perhaps because of these roadblocks, Google also said that it’s working with US lawmakers on public policy that “can address the broader threat of scams,” and today endorsed three bipartisan bills that aim to prevent foreign cybercrime.
The first one, called the Guarding Unprotected Aging Retirees from Deception (GUARD) Act, would allow federal law enforcement to assist state and local cops with tracing tools for blockchain technology to help catch fraudsters who use cryptocurrency to facilitate their crimes. It would also allow grantees of existing federal programs to use funds to increase resources and personnel specifically to use the blockchain for investigating financial fraud.
Second, the Foreign Robocall Elimination Act would increase cooperation between the feds and the private sector and establish a taskforce focused on how best to block foreign-originated illegal robocalls before they reach Americans.
Finally, the Scam Compound Accountability and Mobilization Act would develop and implement a national strategy to counter scam compounds, allow the president to use International Emergency Economic Powers Act (IEEPA) sanctions against foreign persons who enable international scam compound operations, and support survivors of human trafficking. ®