Google sues phishing cartel

Google files lawsuit against the Lighthouse Gang. The statement of claim documents the phishing scam. It is unlikely to achieve much.

A woman sits in front of a laptop, holding a mobile phone in her hand, on the screen of which a padlock symbol is visible.

(Image: Tero Vesalainen/Shutterstock.com)


Google is taking civil action against a criminal syndicate that specializes in supporting large-scale online fraud. The masterminds speak Chinese. The conglomerate is known as Lighthouse and offers other criminals pre-made packages of services and instructions. This makes phishing and related credit card fraud easy, with no special knowledge required. Customers primarily use Chinese clouds to host their fraudulent websites.

The victims are predominantly in the USA and Japan, but according to an investigation published in April, people in at least 121 countries have been affected. "Victims might recognize the presence of a Google logo as an indicator that the website is secure or legitimate," says Google. Criminals want to create deceptively realistic website fakes, so they incorporate the logos for Google, Google Play, or YouTube, which appear on so many websites, into their fakes. This constitutes a trademark infringement that Google can assert in court.

Google does not know the exact number and names of the Lighthouse perpetrators, which is why it is directing its lawsuit at "Does 1-25" in the U.S. District Court for the Southern District of New York. This is a placeholder for "Unknown 1 to 25." The number is to be understood representatively; in reality, hundreds are likely involved in this fraud system built on a division of labor. According to the lawsuit, the providers advertise that customers can receive support for their crimes from more than 300 support staff.

Lighthouse offers services for two phishing fields: SMS and fraudulent websites. The latter are advertised through postings on social networks and online advertising, as facilitated by Google. Gmail accounts created years ago and now traded on the black market are often used to set up Google advertising accounts. These attract less attention from Google's automated systems than new Gmail accounts. To Google's particular detriment, not only are fake or copied IDs used for identification, but data from other people's credit cards is also used to pay for the advertising. The perpetrators thus violate Google's terms of service multiple times.

While the fraudulent online shops lure customers with cheap offers, the mass-sent SMS messages tell tales of failed package deliveries, outstanding toll fees, important administrative procedures, or urgent banking matters. These link to website fakes. Lighthouse offers hundreds of templates. Google has discovered its logos on over a hundred of them.


Lighthouse services also include facilitating domain registrations under false names and continuously checking domains for entries on transparencyreport.google.com and in the blacklists of common web browsers. If a domain or website is identified as exposed, Lighthouse immediately informs its customer so they can quickly switch to another domain.

In any case, victims are induced to enter their payment details, usually credit card information. This is followed by a simulated two-factor authentication (2FA), where the victim must enter a corresponding code.

While the victim waits for the code from the bank, sent via SMS or email, the perpetrators generate images from the credit card data that look like real credit cards. They immediately photograph these images to add the stolen credit card to a smartphone wallet. This also requires 2FA. This is precisely the code the actual credit card holder is waiting for. If they don't notice the difference and enter the code received from the bank on the supposedly real website, the perpetrators win.

They now have an electronic wallet with a stolen credit card. This can be used for shopping for a while. The perpetrators often don't do this themselves; instead, they sell the wallet on. Overall, the whole thing is professionally organized with a division of labor: there are programmers, data brokers, spammers, and finally those who monetize the loot. In addition, there is a team that operates and manages online communities to coordinate the cooperation of the various groups and recruit new members.

Google bases its lawsuit on conspiracy under the Racketeer Influenced and Corrupt Organizations Act (RICO) and brings charges of wire fraud, computer fraud, trademark infringement, unfair competition, misleading indications of origin, and false advertising. The data company demands a declaration of legal violations, injunctions, damages with punitive surcharges, and reimbursement of costs.

The proceedings themselves will likely take place without the defendants. They do not have to fear immediate consequences as long as their identities are unknown or they are located, for example, in the People's Republic of China. The most likely outcome is a default judgment, as the defendants are unlikely to identify themselves and defend themselves.

Google could then claim any seized assets that cannot be returned to victims. It is conceivable that such a judgment could help Google or other victims to claim insurance benefits. Furthermore, caught Lighthouse customers would have one less excuse: the illegality of the offer would have already been judicially clarified.

The case is titled Google v Does 1-25 and is pending in the U.S. District Court for the Southern District of New York under case number 1:25-cv-09421. In parallel, Google is pushing for stricter laws.

(ds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.