Google has initiated legal action against Smishing Triad, a sophisticated cybercrime organization believed to be operating from China. Active since at least 2023, the group has executed large-scale SMS phishing (smishing) campaigns targeting users globally. Their malicious text messages frequently impersonate legitimate services such as package delivery companies (like USPS), toll agencies (like E-ZPass), banks, healthcare providers, and social media platforms. The central focus of the lawsuit is the group’s “phishing-as-a-service” kit, named Lighthouse, which enables cybercriminals to distribute messages containing links to fraudulent websites designed to steal sensitive user information, including email credentials and banking details.
The scale of Smishing Triad’s operation is massive: Google reports that the Lighthouse kit facilitated the targeting of over one million users across more than 120 countries. The financial impact is staggering, with an estimated 12 million to 115 million credit cards potentially stolen in the United States alone. The group’s infrastructure is substantial: an external security analysis recently identified a single Smishing Triad campaign involving over 194,000 malicious domains. Google itself noted that it identified more than 100 phishing website templates specifically created to impersonate its brand and services.
Google’s general counsel, Halimah DeLaine Prado, stated that the legal action aims to “dismantle the core infrastructure of this operation.” The company is leveraging multiple powerful legal statutes, including the Racketeer Influenced and Corrupt Organizations Act (RICO), the Lanham Act, and the Computer Fraud and Abuse Act (CFAA), in an effort to secure court orders that will shut down the operation and protect both users and other targeted brands. This strategy of filing lawsuits against unknown cybercriminals is a recognized tactic used by major tech companies.
Taking legal action, even without knowing the defendants’ true identities, provides significant operational advantages. Lawsuits allow tech giants to obtain court orders for the seizure of malicious domains. Furthermore, they enable the companies to subpoena Internet Service Providers (ISPs), domain registrars, and hosting providers. This process can yield valuable technical data, such as IP addresses and other evidence associated with the operation, which ultimately aids in unmasking the individuals behind the cybercrime group. This approach has been successfully employed by other major technology companies, such as Microsoft, in recent disruptions of services like the ONNX and RaccoonO365 phishing kits.
Beyond the specific lawsuit, Google is also actively engaging in the legislative sphere to combat cyber-enabled threats, publicly endorsing several bipartisan bills. These include the Guarding Unprotected Aging Retirees from Deception (GUARD) Act, designed to strengthen law enforcement’s ability to investigate fraud against retirees, and the Foreign Robocall Elimination Act, which calls for a taskforce to block robocalls originating abroad. Additionally, Google supports the Scam Compound Accountability and Mobilization (SCAM) Act, which aims to develop a national strategy to counter organized scam compounds.