Google sues cybercrime group behind E-ZPass, USPS text phishing scams

Google filed a lawsuit on Wednesday against a foreign cybercriminal group behind a massive SMS phishing, or “smishing,” operation.

Dubbed by some cyber researchers as the “Smishing Triad,” the organization, which Google said is largely based out of China, uses a phishing-as-a-service kit named “Lighthouse” to create and deploy attacks using fraudulent texts.

The crime group has amassed over a million victims across 120 countries, Google said in a release.

“They were preying on users’ trust in reputable brands such as E-ZPass, the U.S. Postal Service, and even us as Google,” Google general counsel Halimah DeLaine Prado told CNBC. “The ‘Lighthouse’ enterprise or software creates a bunch of templates in which you create fake websites to pull users’ information.”

Google brought claims under the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act, and the Computer Fraud and Abuse (CFAA) Act and is seeking to dismantle the group and the “Lighthouse” platform.

The texts usually contain malicious links to a fake website designed to steal victims’ sensitive financial information, including social security numbers, banking credentials, and more.

The messages can often appear in the form of a fake fraud alert, delivery update, unpaid government fee notification, or other seemingly urgent texts.

The crime group has stolen approximately between 12.7 million and 115 million credit cards in the U.S. alone, Google said.

“The idea is to prevent its continued proliferation, deter others from doing something similarly, as well as protect both the users and brands that were misused in these websites from future harm,” DeLaine Prado said.

The Alphabet-owned company said that it has found over 100 website templates generated by “Lighthouse” using Google’s branding on sign-in screens to trick victims into thinking the sites were legitimate.

Internal and third-party investigations found that around 2,500 members of the syndicate were corresponding on a public Telegram channel to recruit more members, share advice, and test and maintain the “Lighthouse” software itself, DeLaine Prado said.

She added that the organization also had a “data broker” group, which supplied the list of potential victims and contacts, a “spammer” group, responsible for the SMS messages, and a “theft” group that would coordinate their attacks using the procured credentials on public Telegram channels.

Google said it’s the first company to take legal action against SMS phishing scams and is additionally endorsing three bipartisan bills intended to protect against fraud and cyberattacks.

“While the lawsuit is one potential vector in which we can disrupt it, we also think that this type of cyber activity requires a policy-based approach,” DeLaine Prado said.

The trio of bills includes the Guarding Unprotected Aging Retirees from Deception (GUARD) Act, the Foreign Robocall Elimination Act, which would establish a task force targeting foreign illegal robocalls, and the Scam Compound Accountability and Mobilization Act, which targets scam compounds and supports survivors of human trafficking within the centers.

The litigation is part of Google’s broader strategy to bring cyber protection awareness to users.

The company recently rolled out more safety features, including a Key Verifier tool and artificial intelligence-powered spam detection in Google Messages.