Most people with a mobile phone have encountered suspicious text messages, often called “smishing” attacks, that prompt them to “click here” to resolve issues like an overdue road toll or a delivery problem. These messages direct users to fake websites that frequently mimic legitimate services, sometimes even using a misappropriated Google logo, to trick victims into providing sensitive sign-in or payment information. The broader online tactic of using deceptive links to harvest private data is known as a “phishing” attack. The tech giant Google has decided to combat this directly, filing a lawsuit in the U.S. District Court in the Southern District of New York against what it alleges is a large-scale criminal enterprise based in China known as “Lighthouse.”
Google’s lawsuit targets the Lighthouse network for allegedly operating a “Phishing-as-a-Service” model. This operation involves selling a sophisticated software kit that provides prospective scammers with hundreds of templates for fake websites. According to the suit, nearly 200 of these templates have mimicked U.S.-based sites, including official government portals like New York City’s website and the West Virginia DMV, along with the U.S. Post Office. Halimah DeLaine Prado, Google’s general counsel, stated that over 100 of these fake website templates incorporated Google’s logos where users were directed to sign in or make payments, creating a false sense of security. She emphasized that the company is concerned about the resulting damage to user trust and the global impact on its users.
The complaint details the extensive global reach of the Lighthouse network, alleging it has targeted victims in more than 120 countries, swindling millions of dollars annually. Screenshots provided in the legal filing show the misuse of logos belonging to various other well-known payment, credit card, and social media companies. Although DeLaine Prado declined to place a specific dollar figure on the damage to Google, calling it “immeasurable,” she cited a stark example of the network’s scope. The complaint states that between July 2023 and October 2024, the Lighthouse network created or utilized 32,094 distinct phishing websites designed to mimic the U.S. Postal Service. DeLaine Prado estimated these sites could have been used to “compromise between 12.7 and 115 million credit cards in the U.S. alone.”
Despite the substantial allegations, Google faces a challenge: it does not know the actual identities of the people it is suing. The defendants are referred to as “Does 1-25,” with the court filing containing only their handles from the encrypted messaging app Telegram. Furthermore, the defendants are situated in China, putting them beyond the direct reach of U.S. courts. DeLaine Prado confirmed that the primary goal of the lawsuit is not to bring these individuals to trial, but rather to achieve “deterrence.” By seeking a declaratory judgment from the court that Lighthouse’s activity is illegal, Google aims to establish a legal basis to request assistance from “other platforms and services” in dismantling various components of the illegal infrastructure, even if the individuals cannot be reached.
DeLaine Prado views going after scammers as a regular part of her legal team’s work, seeking out cases that are ripe for public attention and where the courts can help protect users. In addition to the lawsuit, Google publicly endorsed three bipartisan bills currently before Congress aimed at helping law enforcement combat scammers. These bills include the GUARD Act, which assists local law enforcement in investigating financial fraud targeting retirees; the Foreign Robocall Elimination Act, which establishes a task force to block international robocalls; and the SCAM Act, which seeks to develop a national strategy against “compounds” where people are trafficked to work in scam operations. This aggressive stance against global fraud comes as Google itself is dealing with its own legal difficulties, having faced recent rulings concerning antitrust violations in its search business, digital advertising, and Play app store.
Reference:
