Google Sues Chinese Phishing Ring Over US Toll Scams

Summary
– Google has filed a lawsuit to dismantle the Lighthouse phishing-as-a-service platform, which is used to steal credit card information via SMS phishing attacks impersonating USPS and E-ZPass.
– The platform has affected over 1 million victims across 120 countries and is estimated to have stolen up to 115 million payment cards in the U.S. between July 2023 and October 2024.
– Lighthouse provides phishing templates and infrastructure to cybercriminals, enabling them to send fraudulent text messages and create fake websites that steal personal and financial data.
– Researchers link Lighthouse to Chinese threat actor Wang Duo Yu, who sells the phishing kits via Telegram, with subscription prices ranging from $88 per week to $1,588 per year.
– Google is supporting new U.S. policy initiatives to combat scams and is expanding AI protections in Google Messages while improving account recovery and public education efforts.
In a decisive legal move, Google has initiated a lawsuit to dismantle the “Lighthouse” phishing-as-a-service (PhaaS) platform, a sophisticated operation enabling global cybercriminals to execute SMS phishing, or “smishing,” campaigns. These fraudulent messages impersonate trusted entities like the U.S. Postal Service and E-ZPass toll systems, tricking recipients into divulging sensitive credit card details. According to Google, this scheme has impacted more than one million individuals across 120 nations, with estimates suggesting that up to 115 million payment cards were compromised in the United States between July 2023 and October 2024.
The lawsuit, filed under federal statutes including the Racketeer Influenced and Corrupt Organizations Act, the Lanham Act, and the Computer Fraud and Abuse Act, seeks to permanently disable the digital infrastructure supporting Lighthouse. By pursuing this action, Google aims to disrupt a significant source of organized cybercrime that has facilitated widespread financial fraud.
Lighthouse operates by supplying phishing templates and technical resources to other criminals, allowing them to distribute deceptive text messages. These messages often appear to originate from familiar services such as USPS or regional toll authorities. Recipients who click the embedded links are directed to counterfeit websites that mimic official portals, falsely alerting them to unpaid toll charges. The true objective of these sites is to harvest personal information and credit card numbers, which are then exploited for additional fraudulent activities.
Google’s investigation uncovered at least 107 distinct phishing website templates that improperly feature Google’s branding. This unauthorized use of trademarks on fraudulent sign-in screens is designed to lend an air of legitimacy to the scams, making it more difficult for users to identify malicious intent. A company representative emphasized that these actors “exploit the reputations of Google and other brands by illegally displaying our trademarks on deceptive websites.”
Security researchers from Cisco Talos have connected Lighthouse to smishing kits developed by a Chinese threat actor known as “Wang Duo Yu.” This individual reportedly uses Telegram channels to market and provide support for the Lighthouse phishing kits. The platform’s capabilities include sending messages via iMessage for iOS and RCS for Android, methods that can sometimes bypass standard spam filters.
Since October 2024, Talos has observed multiple threat actors employing Wang Duo Yu’s kits to conduct toll road scams throughout the United States. Fake E-ZPass billing alerts have been sent to users in states including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas. The operation relies on thousands of typosquatted domains—URLs that closely resemble legitimate addresses—and has continued its activities into 2025.
According to cybersecurity firm Netcraft, Wang Duo Yu marketed Lighthouse as a commercial phishing kit with subscription fees ranging from $88 per week to $1,588 annually. The platform offered customizable templates capable of stealing not only login credentials but also two-factor authentication (2FA) codes, significantly increasing the potential damage to victims. As first reported by journalist Brian Krebs, the group previously operated under the name “Smishing Triad” before rebranding as Lighthouse in March 2025.
Similar large-scale campaigns have been associated with other Chinese threat actors operating PhaaS platforms, such as Darcula and Lucid. Netcraft analysts noted that Lighthouse utilizes the same ‘LOAFING OUT LOUD’ fake shop template as Lucid, suggesting a potential operational link between these groups.
In parallel to its legal actions, Google has announced support for several U.S. policy initiatives designed to enhance consumer protection against scams and foreign-based cybercrime. These include the Guarding Unprotected Aging Retirees from Deception (GUARD) Act, which strengthens the ability of state and local law enforcement to investigate fraud targeting retirees. Also supported are the Foreign Robocall Elimination Act, establishing a task force to block illegal overseas robocalls, and the Scam Compound Accountability and Mobilization (SCAM) Act, which outlines a national strategy to counter scam compounds and impose sanctions on their operators.
Google is further expanding its use of artificial intelligence to identify scam messages, introducing new protective features within Google Messages, and enhancing account recovery options through Recovery Contacts. The company remains committed to public education and collaborative partnerships aimed at helping users recognize and avoid these sophisticated fraudulent schemes.
(Source: Bleeping Computer)