A large Chinese SMS phishing operation that posed as big and recognizable US brand names, including Google, is being sued by Alphabet under an assortment of US laws.
The “Smishing Triad” is a highly active cyber criminal group that is thought to have victimized over a million people in 120 countries in just 20 days, and racked up at least 12 million stolen credit card numbers in the US alone. The group is thought to largely operate out of China, which would generally put it beyond the reach of civil legal suits. However, Google is taking the unusual step of seeking RICO organized crime charges to compel any third parties that work with its “Lighthouse” platform to cease doing business with them.
SMS phishing crew created fake webpages with Google, postal service and E-ZPass branding
The Smishing Triad’s primary tactic is to send SMS phishing messages to victims that purport to be from big and recognizable brands (such as Google). These contain links that go to spoofed versions of the company websites, mocked up with the intent of stealing login credentials and other personal information from the victim.
In addition to using Google the hackers would send SMS phishing messages posing as E-ZPass, one of the country’s largest electronic toll collection systems with a presence in over 20 states, and the United States Postal Service (USPS) among other recognizable names. The hackers offer a phishing-as-a-service kit called Lighthouse that provides clients with access to these ready-made phishing pages. Attackers usually send messages that would be plausible to receive from the company they are posing as, such as USPS delivery notifications or Google security alerts.
Google’s unusual approach in this case is to file some of its civil claims under laws intended for organized crime, primarily the Racketeer Influenced and Corrupt Organizations (RICO) Act. A civil charge under the RICO Act does not carry the same criminal penalties or connotations, but could label the defendants as “racketeers” and thus present extra legal hazard for anyone who patronizes or does business with Lighthouse; it also allows the company to recover triple the normal damages it could claim in a similar civil case. Google is also bringing charges under the Computer Fraud and Abuse Act (CFAA) and the Lanham Act, which covers trademark disputes.
While Google stands little chance of recovering money from defendants based in China, one angle of attack is restricting the group’s communications network and ability to advertise its SMS phishing services. The group coordinated on a Telegram channel that had some 2,500 members, along with active exhortations to recruit more participants. Among other activities the group used Telegram to catalog potential victims and their contact emails, coordinate SMS messaging campaigns and organize follow-up attacks.
Google says that these SMS phishing campaigns have collectively yielded somewhere between 15 million and 100 million stolen credit cards in the US alone. The case names 25 individuals, though all are listed as “John Does,” and believes the hackers produced over 100 different fraudulent websites that made use of Google branding and attempted to trick the company’s users into handing over sensitive information.
Google looks to set legal precedent for future SMS phishing cases
This is the first use of the RICO Act against SMS phishing spammers, and if it holds up in court it could set a precedent that chills the development of similarly large criminal organizations going forward. The company notes that Lighthouse took down its central Telegram channels almost immediately upon news stories about the suit breaking, and just prior to this they posted messages indicating one of their cloud servers was now blocking them. And while fund recovery from China is extremely unlikely, any of the John Does that are named during the course of the suit could find themselves barred from entry to the US and vulnerable should they visit any other countries that have an extradition treaty.
Lighthouse is just one of a number of large China-based SMS phishing operations that went into overdrive with the proliferation of phishing kits and services there in mid-late 2024. These groups heavily target the US and tend to pose as US-based brands. These groups have lowered barriers to entry by publishing instructional materials and videos, some hosted on YouTube, that help beginners set up their own components such as web mail servers and payment systems. One of the main operators appears to be a Chinese college student going by “Wang Duo Yu” who sells full-featured phishing kits for as little as $50 USD.
Max Gannon, Cyber Intelligence Team Manager at Cofense, notes that SMS phishing takes advantage of a more inherently vulnerable system and requires security awareness that goes beyond relying on standard controls: “This is a bold action by Google to combat SMS phishing. It is a good example of how the United States legal system and private companies can work together to fight cyber crime. Lighthouse and the entire Smishing Triad threat actor group demonstrate the need for phishing awareness beyond just emails. While emails can have robust security controls to block malicious messages, there are comparatively limited security options for SMS text messages at the user level. However, many of the same fundamental tactics used by credential phishing emails to deceive recipients are also found in the Lighthouse kit. While attack vectors, message themes, and impersonated brands can change from campaign to campaign, credential phishing attacks still abuse trust in known brand names and prey on human emotions.”

