Tired of scam messages purporting to have a package for you? So is Google – and it's lawyering up to fight back.
Google said it is adopting a multifaceted approach to takedown a phishing as a service (PhaaS) operation known as 'Lighthouse', not only suing those responsible, but backing bipartisan US legislation to take on such scams and rolling out new AI-based tech to protect users.
"That text message you got about a 'stuck package' from USPS or an 'unpaid road toll'? It’s not just spam. It’s the calling card of a sophisticated, global scam that has swindled victims out of millions of dollars," said Google's general counsel Halimah DeLaine Prado in a blog post.
"Bad actors built 'Lighthouse' as a phishing as a service kit to generate and deploy massive 'smishing' (SMS phishing) attacks."
Those attacks arrive via a text message claiming to have a delivery or warning of an unpaid road toll, with a malicious link where victims are urged to enter their email, banking data, and more.
According to Google, the Lighthouse operation has impacted over one million victims spanning 120 countries, stealing information on anywhere between 12.7 million and 115 million credit cards in the US alone
“This represents a five-fold increase in these types of attacks since 2020,” DeLaine Prado noted.
Google said attacks often make use of legitimate brands and their trademarks on malicious websites, with the tech giant spotting at least 107 website templates using its own branding on fake sign-in screens.
Google getting tough on scams
Google said it is taking legal action in the hopes of dismantling the "core infrastructure" of the Lighthouse operation.
"We are bringing claims under the Racketeer Influenced and Corrupt Organizations Act, the Lanham Act, and the Computer Fraud and Abuse Act to shut it down, protecting users and other brands," DeLaine Prado noted.
The lawsuit is being brought against 25 unnamed people believed to live in China, seeking a restraining order and damages. Of course, given the individuals accused of running Lighthouse are not known, the intent isn't to necessarily target them.
Instead, Google is also asking web hosting providers to block Lighthouse associated IP addresses and domains.
Alongside the lawsuit, Google has thrown its weight behind a trio of bills currently working their way through US Congress: Guarding Unprotected Aging Retirees from Deception (GUARD) Act, Foreign Robocall Elimination Act and Scam Compound Accountability and Mobilization (SCAM) Act.
Those bills would see the establishment of taskforces to target such scams — and funding to investigate them.
Legal actions aside, Google said it is also developing tools using AI to better spot and flag such scams in a bid to better protect users.
Tough fight ahead
While the actions by Google have been welcomed, one industry expert said such efforts may be like playing whack-a-mole. They might knock one down, but another will just pop up again.
"Groups like Lighthouse appear regularly, and while legal action can disrupt them, these operations often re-emerge using alternative infrastructures," said Carl Wearn, head of threat intelligence and analysis & future ops at Mimecast.
"Copycat phishing as a service models will continue to grow, exploiting people’s instinctive trust in familiar digital channels like email and SMS."
While the increase of these scams – which not only now impersonate delivery firms and toll threats but governments and banks to trick victims – may spark more lawsuits from brands following Google's lead, Wearn said that "lasting impact will depend on public awareness, taking a moment to pause, verify and think before clicking."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
How cyber leaders can communicate with the boardIn-depth With the cost of cyber attacks clearer than ever before, how can CISOs use this data to convince boards that cybersecurity is worth the investment?
-
Illumio partners with Kyndryl to accelerate zero trust adoptionNews The collaboration pairs Illumio’s AI-powered threat containment with Kyndryl’s microsegmentation services to deliver security and compliance gains
-
Laid off Intel engineer accused of stealing 18,000 files on the way outNews Intel wants the files back, so it's filed a lawsuit claiming $250,000 in damages
-
GitHub is awash with leaked AI company secrets – API keys, tokens, and credentials were all found out in the openNews Wiz research suggests AI leaders need to clean up their act when it comes to secrets leaking
-
When cyber professionals go rogue: A former ‘ransomware negotiator’ has been charged amid claims they attacked and extorted businessesNews The attackers are alleged to have demanded ransoms of up to $10 million
-
CISA just published crucial new guidance on keeping Microsoft Exchange servers secureNews With a spate of attacks against Microsoft Exchange in recent years, CISA and the NSA have published crucial new guidance for organizations to shore up defenses.
-
US telco confirms hackers breached systems in stealthy state-backed cyber campaign – and remained undetected for nearly a yearNews The hackers remained undetected in the Ribbon Communications’ systems for months
-
Google says reports of a 'huge' Gmail breach affecting millions of users are false, againNews Reports of a major Gmail affecting millions of users have been flooding the web this week – Google says they're "false" and you've nothing to worry about.
-
Enterprises can’t keep a lid on surging cyber incident costsNews With increasing threats and continuing skills shortages, AI tools are becoming a necessity for some
-
Cyber researchers have already identified several big security vulnerabilities on OpenAI’s Atlas browserNews Security researchers have uncovered a Cross-Site Request Forgery (CSRF) attack and a prompt injection technique
