Google sues cybercrime group behind E-ZPass, USPS text phishing scams

Google On Wednesday, it filed a lawsuit against a foreign cybercrime group behind a massive SMS phishing, or “smishing,” operation.

The organization, which Google says is largely based in China and has been dubbed the “Smishing Triad” by some cyber researchers, uses a phishing kit-as-a-service called “Lighthouse” to create and distribute attacks using spoofed text.

The criminal group has recruited more than a million victims in 120 countries, Google said in a statement.

“They were preying on users’ trust in reputable brands. E-ZPass, US Postal Service“The ‘Lighthouse’ organization or software creates a series of templates where you create fake websites to get users’ information,” Google general counsel Halimah DeLaine Prado told CNBC.

Google has filed claims under the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act, and the Computer Fraud and Abuse (CFAA) Act and is seeking to disband the group and the “Lighthouse” platform.

The texts often contain malicious links that lead to a fake website designed to steal victims’ sensitive financial information, including social security numbers, bank credentials, and more.

Messages can often appear as a fake scam alert, delivery update, notification of unpaid government fees, or other seemingly urgent texts.

Google said the criminal group stole approximately 12.7 million to 115 million credit cards in the United States alone.

“The goal is to prevent the continued spread of this, deter others from doing something similar, and also protect users and brands abused on these websites from future harm,” DeLaine Prado said.

The Alphabet-owned company said it found more than 100 website templates created by “Lighthouse” that used Google’s branding on login screens to trick victims into believing the sites were legitimate.

DeLaine Prado said internal and third-party investigations revealed that the union’s approximately 2,500 members corresponded on a public Telegram channel to recruit more members, share advice and test and maintain the “Lighthouse” software.

He added that the organization also has a “data broker” group that provides lists of potential victims and contacts, a “spammer” group responsible for SMS messages, and a “thief” group that will coordinate its attacks using credentials provided through public Telegram channels.

Google said it was the first company to take legal action against SMS phishing scams and also passed a bipartisan bill to protect against fraud and cyberattacks.

“While litigation is a potential vector where we can disrupt it, we also think that this type of cyber activity requires a policy-based approach,” DeLaine Prado said. he said.

The trio of bills includes the Protecting Vulnerable Aging Retirees from Deception (GUARD) Act, the Foreign Robocall Elimination Act, which would create a task force to target illegal foreign robocalls, and the Fraud Composite Accountability and Mobilization Act, which targets fraud compounds and supports human trafficking survivors at centers.

The lawsuit is part of Google’s broader strategy to raise cyber protection awareness among users.

The company recently rolled out more security featuresIncluding a Key Verifier tool and AI-powered spam detection in Google Messages.